diff --git a/.github/acme2certifier.pem b/.github/acme2certifier.pem
index 6d15eeaa..1d2438e2 100644
--- a/.github/acme2certifier.pem
+++ b/.github/acme2certifier.pem
@@ -26,29 +26,31 @@ y9EOGEZMZAIwdzOlHqaFt937o0dqNy2tY1VQ9YtpJ234JbS2whG8PjoqMeTMmgDG
 jhv3T8V79bS/dQ3eiFdqtgHnDzjfCV/4LSBsDGRHOSHU2qxXiETTfT4=
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIESzCCAjOgAwIBAgIIfsWXGpYTi+8wDQYJKoZIhvcNAQELBQAwETEPMA0GA1UE
-AxMGc3ViLWNhMB4XDTIzMDcxNjE1MzYwMFoXDTI0MDcxNTE1MzYwMFowEzERMA8G
-A1UEAwwIYWNtZV9zcnYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCz
-IvzlRkotxA+eHQrwe8Zy/yoFXv3kSPwkDPSYJ0QueyTk5WQq/DcPPuWpszn99OR7
-CGYe+Wy22KvLEwIR6VZmFByCDnWD7t03FFN1iNhH+ECU1FIDBdWD1LfJ4/ZdiKT7
-w7rNghivvm+YtvqkMXtFaWkVaUIu44IYdZDXsnFNR5ACWJGmdGxkhJwH28f6dQUw
-JgyBUKbvP28Y8Q6+eCavLFsZad2Oq9xh8HO8Qb+jFGA2OdzhTd+PrEU0fy9pVSzB
-XLyrzcKa0PUlt69IL0YzZyPpN0sO3Xvgv7AyvUrwZJlbz+K6vs1u5ZQP5Y/1f2fn
-Jt1ozflpIuBKKG2iOEVTAgMBAAGjgaQwgaEwDAYDVR0TAQH/BAIwADAWBgNVHSUB
-Af8EDDAKBggrBgEFBQcDATBGBgNVHREEPzA9gghhY21lX3NydoINYWNtZV9zcnYu
-YWNtZYIJbG9jYWxob3N0gghhY21lLXNydoINYWNtZS1zcnYuYWNtZTARBglghkgB
-hvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkq
-hkiG9w0BAQsFAAOCAgEAZ9xErDtqOtf4tXcZC5kpV+PzEfj6iI17r94Z4aGb6plv
-2LXFcldwrNe+wyvpaMLgyAgei1eIWKUw4aknHJwcymYxWkV+YEkUW0q43NztA6oY
-o7zJDX9ltIlmnbWP+Sqpe051Ln5uoTjc6xvD61EEdYAu/eInT+lsQHTjhxbCtSkk
-twYoeiXXI34PHSQqahuVRT8DThuMsxNC7v8eRKfbvCRAv1obD+KDE2P4YvIqy1Lc
-HwHV7X6ipcYDTCDv9dCoLSer1pTidZGGtTbSA8KVlaPgWV405m3gROkxSDPuuFgN
-5y2oTxQIdKsFtT2iIJj0gbzk3SduVQ4OPEnM1x800HmTRdzJbv83IswoSEt30nkZ
-v1+fKtVokxJA9IliciUdvmoSs806G/4tRTfwK2eHhZjfvbotG5uCshRSvHEHuDlb
-HLcv34h07nKh1QhDjurf6EIpk2Z6b7tQCprNMoVFiACYX6h524ZkB4pvhvF8i5Rt
-HESu0iuxUZk49OsheOl5V/SqHMhr2fFKSqSgBdDRrthpE1MvHdYzBLT7xGm1oxK0
-40et7iEqScSxbI5ic6WG6rJ5pZeqp9cjDdTvM194EMPgmhc8UqN8nkpIeJ0yBZC1
-ve1n0pi6S0TuaVlTo71wX49YwFEq/z3nbjIzi0YYmlmRAYjffE7px4b0a3VDLQA=
+MIIEkDCCAnigAwIBAgIINem9Fn3yI2cwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UE
+CxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yNDA3MjMwNjE2
+MDBaFw0yNjA3MjMwNjE2MDBaMBMxETAPBgNVBAMMCGFjbWVfc3J2MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyL85UZKLcQPnh0K8HvGcv8qBV795Ej8
+JAz0mCdELnsk5OVkKvw3Dz7lqbM5/fTkewhmHvlsttiryxMCEelWZhQcgg51g+7d
+NxRTdYjYR/hAlNRSAwXVg9S3yeP2XYik+8O6zYIYr75vmLb6pDF7RWlpFWlCLuOC
+GHWQ17JxTUeQAliRpnRsZIScB9vH+nUFMCYMgVCm7z9vGPEOvngmryxbGWndjqvc
+YfBzvEG/oxRgNjnc4U3fj6xFNH8vaVUswVy8q83CmtD1JbevSC9GM2cj6TdLDt17
+4L+wMr1K8GSZW8/iur7NbuWUD+WP9X9n5ybdaM35aSLgSihtojhFUwIDAQABo4HQ
+MIHNMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCBBm1m0llstSbjZx9CypR7hfh0I
+MAsGA1UdDwQEAwIEsDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATBGBgNVHREEPzA9
+gghhY21lX3NydoINYWNtZV9zcnYuYWNtZYIJbG9jYWxob3N0gghhY21lLXNydoIN
+YWNtZS1zcnYuYWNtZTARBglghkgBhvhCAQEEBAMCB4AwHgYJYIZIAYb4QgENBBEW
+D3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAgEAgKxcS2L507h+c7XD
+14oY4xbGcuGd/4RPKHz7VV5xxybZHGHjJ+WAq5Hd89FqjkaZ6gBB4hfpHqXMLPv2
+aFX9mXoW5ilH1BGZAEn3xMefdfkrnqCAvr3iKFasmqdTQovyVBEUsE6Zb2A5rhA9
+yWoHPBkcMhP5XYkGVaCWfOh5XUrt6HAD0+wJPb57nxBXRctJK5aF/Jl/tFoJrUVg
+t9penQ3TuVnZqdFI5ofwR/DUZIGqoTRjatAjwHgg5yc07erwMuu0nhqAINVlQm7v
+phgc2gkXXwcsAQvlRcY5017cHB9IDYsEczVh0DHdhWNvkcKvIqoO8sx+3Thi6wzb
+/pnvbq1T8C59YhCk5MkmQXMKyvI5ik+sY+aDtVsyc9+G6A9qhU7BL7stFI/tuFwA
+KVsqeDVPv/QYXleV/Ys3WqbxXrLRJv8qWpxEKIE3TKCJYUg6LOBPNmR2VtWEaBoA
+ItkUNm1UHbbidCMo9nZqupzeyVC0RcXrwfBNqONT9B90AvRnyHqlIuVY6LZKIEfi
+rSUzyL8eGON5wXv/dPr7fUqrzAFWTn3eLhh+KXY9a1e5uK95T2A7/kOuDoIAlM0v
+ueREv5XaK2dp7M1yynzlGxRAtDWtify1W2p1TOMQoI+SpB5bWJ8jP9N0CR5m8Q4I
+/oPqgSi1uZzgN2kOOSLkZcy8QUE=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFTzCCAzegAwIBAgIIAzHyhSyrXfMwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE
diff --git a/.github/acme2certifier_cabundle.pem b/.github/acme2certifier_cabundle.pem
index bfafedca..45f865f4 100644
--- a/.github/acme2certifier_cabundle.pem
+++ b/.github/acme2certifier_cabundle.pem
@@ -1,61 +1,64 @@
 -----BEGIN CERTIFICATE-----
-MIIFHjCCAwagAwIBAgIIcFUYZLICUHowDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
-AxMHcm9vdC1jYTAeFw0yMDA2MDkxNzE4MDBaFw0zMDA2MDkxNzE3MDBaMBExDzAN
-BgNVBAMTBnN1Yi1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAO2x
-CXITgVcFJuqh5ibdBUwaNJgI3lBmG2aLjvIaBXbH3ocH6WsXO1d5i37PepArmTpG
-fd+Ew3FvUmyiPzFO3WJSwgk096yoLVQHwAcxyuy1dBXemGFBm3v5ofTK+MyINxJP
-PkRWbJLhSETofzCo/vbFkBqIkFoarh8uEwfxzhpDq3cWjROaJhHhT+6GsbDMGouL
-za9J1HVs4Fn5fkmFxB9g7st5Z19TVIKCisPP4VQNmbhaWuHJMkaXDkaVAUcw6QQy
-quwfdl78jndh14D8tFuoLZcRxT/cfQPmqhcjjkkTelMk/5OfYlk+1wjoAEToXDzG
-HTkXS/zkGMdZeZFstXAFhy0THlSMO5RTuKwSXxIObvKKM2WdNVpnYOD5XaZnvFJx
-5fQu13HiNrprQKQAssihKqz9iCeJ0xuwuIydkrmjXSU0KtyzSZXBgaaMSeRYx+dG
-hVfv1f6U+MQjBq+QEbkuafcFs3TnuRcbbWA4H+T4cJK3krg9m9s1P2tTAFYuNDAR
-Df6IgPPyeSglcMpKPqg7uZWR5e/0wQj29XLUgrkFoIPsLEML6aKTMOdiCUcdAdne
-mkwcB7JIth+HAeSjNpW1lRb14QNxbf52qxN0X8HsDNYmg++rxxOOwEMzYuo7Ch1C
-lzI0RGaRHHbkWymj+doyXvVwnV4ZZwRXXpeJmhmTAgMBAAGjeTB3MBIGA1UdEwEB
-/wQIMAYBAf8CAQEwHQYDVR0OBBYEFIMnznmJq0PWTssJTOYznKF7gjN4MB8GA1Ud
-IwQYMBaAFL/OiI9h7taWfyqsHzQwwiq3NBvOMA4GA1UdDwEB/wQEAwIBBjARBglg
-hkgBhvhCAQEEBAMCAAcwDQYJKoZIhvcNAQELBQADggIBAJMwQ33+tL2yO+tePbDZ
-b5ZiASeAI6FmHWLtTpx3YeDBXR1NFtMGR1jYiWO5Mc6BAmLC2KPevXt+VM7RWeQU
-PlMKfcbxX5XdrhMWyC0HSvGQtg0/Ftc6do8Mj3wOIrmlskJPDX9s4VT0ersabRdZ
-2Djkcyub5PipMcJcPR7IpnfLJLcK1/QxrAHZtdseUuOyvXelAoPWTPLk4uMxEzGk
-lTDhqjCzVc3+sRJOwV9QQopOX3tB5vijAzC96jrRj90UNDZBt9IJu0sBIYro/a9O
-AqxFbQXcsr6rUZgvktWgghqJOai/iidTCA0TM4SqJUuaok4guJmMTGc8mJZ+EfmV
-8JPJ/8OaP2KU2VcMDzqN4/KeZt7+tfG7GB3h6l3D7M/q8qkSYYo2nzQ405EB/KVY
-ohhw85RcJw3zqnziFuTmTTSqu4zOLlGFwSri7VgH3JfmgGWmjQ6B8wP3V0jKydFb
-JaIM4PLPRZeCHfexJ3Iu2a174saShxBwBsfCVah+9j6PJ8Pvx8LzPW+WeyW56NpF
-FamwsJJKqafvBMuZPjCR+burDPJh9Y7IrPZNDsgmBcUzB9BCxB1Qlj4fdkieuHJM
-5m6jaOeUlnECprkyutyh5lEY0BVw5RO+v9SqtI/6cbFrclMcb1SpF5W0slEX3xTG
-02BvBlCOKrZlqnp/jSdmAZ9s
+MIIFTzCCAzegAwIBAgIIAzHyhSyrXfMwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE
+CxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MTM1
+NDAwWhcNMzAwNTI2MjM1OTAwWjAqMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEP
+MA0GA1UEAxMGc3ViLWNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+xXHaGZsolXe+PBdUryngHP9VbBC1mehqeTtYI+hqsqGNH7q9a7bSrxMwFuF1kYL8
+jqqxkJdtl0L94xcxJg/ZdMx7Nt0vGI+BaAuTpEpUEHeN4tqS6NhB/m/0LGkAELc/
+qkzmoO4B1FDwEEj/3IXtZcupqG80oDt7jWSGXdtF7NTjzcumznMeRXidCdhxRxT/
+/WrsChaytXo0xWZ56oeNwd6x6Dr8/39PBOWtj4fldyDcg+Q+alci2tx9pxmu2bCV
+XcB9ftCLKhDk2WEHE88bgKSp7fV2RCmq9po+Tx8JJ7qecLunUsK/F0XN4kpoQLm9
+hcymqchnMSncSiyin1dQHGHWgXDtBDdq6A2Z6rx26Qk5H9HTYvcNSe1YwFEDoGLB
+ZQjbCPWiaqoaH4agBQTclPvrrSCRaVmhUSO+pBtSXDkmN4t3MDZxfgRkp8ixwkB1
+5Y5f0LTpCyAJsdQDw8+Ea0aDqO30eskh4CErnm9+Fejd9Ew2cwpdwfBXzVSbYilM
+GueQihZHvJmVRxAwU69aO2Qs8B0tQ60CfWKVlmWPiakrvYYlPp0FBsM61G6LZEN8
+hH2CKnS8hHv5IWEXZvp0Pk8V3P5h6bWN0Tl+x/V1Prt7Wp8NoiPETE8XyDDxe6dm
+KxztWBH/mTsJyMGb6ZiUoXdPU9TFUKqHxTRLHaxfsPsCAwEAAaN4MHYwEgYDVR0T
+AQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUv96OjgYiIqutQ8jd1E+oq0hBPtUwDgYD
+VR0PAQH/BAQDAgGGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYP
+eGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4ICAQBbHLEVyg4f9uEujroc
+31UVyDRLMdPgEPLjOenSBCBmH0N81whDmxNI/7JAAB6J14WMX8OLF0HkZnb7G77W
+vDhy1aFvQFbXHBz3/zUO9Mw9J4L2XEW6ond3Nsh1m2oXeBde3R3ANxuIzHqZDlP9
+6YrRcHjnf4+1/5AKDJAvJD+gFb5YnYUKH2iSvHUvG17xcZx98Rf2eo8LealG4JqH
+Jh4sKRy0VjDQD7jXSCbweTHEb8wz+6OfNGrIo+BhTFP5vPcwE4nlJwYBoaOJ5cVa
+7gdQJ7WkLSxvwHxuxzvSVK73u3jl3I9SqTrbMLG/jeJyV0P8EvdljOaGnCtQVRwC
+zM4ptXUvKhKOHy7/nyTF/Bc35ZwwL/2xWvNK1+NibgE/6CFxupwWpdmxQbVVuoQ3
+2tUil9ty0yC6m5GKE8+t1lrZuxyA+b/TBnYNO5xo8UEMbkpxaNYSwmw+f/loxXP/
+M7sIBcLvy2ugHEBxwd9o/kLXeXT2DaRvxPjp4yk8MpJRpNmz3aB5HJwaUnaRLVo5
+Z3XWWXmjMGZ6/m0AAoDbDz/pXtOoJZT8BJdD1DuDdszVsQnLVn4B/LtIXL6FbXsF
+zfv6ERP9a5gpKUZ+4NjgrnlGtdccNZpwyWF0IXcvaq3b8hXIRO4hMjzHeHfzJN4t
+jX1vlY35Ofonc4+6dRVamBiF9A==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFHzCCAwegAwIBAgIISRJolCjaE+8wDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
-AxMHcm9vdC1jYTAeFw0yMDA2MDkxNzE3MDBaFw0zMDA2MDkxNzE3MDBaMBIxEDAO
-BgNVBAMTB3Jvb3QtY2EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk
-UX6DpcKks9qIbIstBjYvDAcU0hvypQwILvDpCFSy9uZ8SO9PRSfK0ltxljmu3ESS
-62OuGO8s9+HJm7rxkXVX6YttnYU60KrlmiRS9Js0BRj2jfL4E4ydNc6cIE4perh9
-3ydQJmaS16KiNmEC+XE/5mBpI4qQrRm2obYOloyxShFc3CzsJe55iyhtclZf1L/6
-JNgc3t6Q4RGiGnvXv2nJOI0BnnC9QY0DtZITuXK/43RES08MEizgpsTJz0QQ2ugJ
-FJa5SzbPC8f1hzTYctB7LLPc6nFpECESZ4zplAu/5ruD/7jtkwNBWeGo+kPCkyHx
-AL/XQH42VpM8iQbN61CWboV4ibYhP9/ko1oyM5UV5+UPqYEsao4MSJ3oblQEFHta
-SrOsy7Z6ZXW0eYK8Z/iYjXZ2wSskJis3K7sh/9oPrm1jlAXwpEGsJlE6xobrnWHz
-5c3/PxNvKj3U5jdiJhVcJxvMFpHL5fLqLQU4aXwsZIvPOyM7wZyLrmWbkzvmcg2t
-4TWwJSlVf2QGIZ4C8HsXnZJoM+GhVMGJpNJAJ7XzmI6ExmCwEcBbfkPQXHuB9hGb
-fRQRRR+/eXXjU62VyxpbwWNygxHsigV3bc1GGwK613Y9t5l1I4DMTB150dliNT7f
-+nWzsA3GdBTj/frBOclVjXRLqt5sE/SvMkHwYd7+7QIDAQABo3kwdzASBgNVHRMB
-Af8ECDAGAQH/AgECMB0GA1UdDgQWBBS/zoiPYe7Wln8qrB80MMIqtzQbzjAfBgNV
-HSMEGDAWgBS/zoiPYe7Wln8qrB80MMIqtzQbzjAOBgNVHQ8BAf8EBAMCAQYwEQYJ
-YIZIAYb4QgEBBAQDAgAHMA0GCSqGSIb3DQEBCwUAA4ICAQCkJd69cYr4CKechyDM
-TGivDBmqmEt3WDo5jNSbckJ+4gSUD+TcSfyUqXbKGAM5d9unZrnDLfh256IsYyyz
-oAkzDi5LhS2umKK6cc5XyZFZ6c6JwYfwjw3+7GMSKrzLPwCqQYcJjjs/W9OppKkB
-mWwsDA6H5124sQLeHFwFYmjm2LFlNZ+tsYsAPJVmxFnodLjOPEbbFbrDHq5fgbd+
-VKfC9UCXd7OuP6J2MQ6D8SEaynWKp/PsXHk4xAzMrRdg3UjvHMLEcuQXzogzy84V
-1gYTMrrLDPg/wXCzUM1lZbHhFriQAWXGCDu3tpr1yS08K7YayHo32QbSMzfXnWCp
-LhAV2AI5DA9lBJ8O6ImyNyIm0xiWbiofBmEUw0MaKgTRWWMnIFvLgZH70PJOZw9o
-dIHPnXy0aLYm/6jePIg/MYmGW4+3LJMG9AmA3QgzFEvJUIT4NFxh0eNOCEh9cmoz
-oISMy0toJRm7YbY2AvtuKoEASWkAyHgPaF7NDvHCqySXTsxzE5O+hiFp3X1byiRm
-csixfvC0BVYX4CpxLWUX8Et3mrv42Pd/ZtxtCpwv0G5w+X4OAlOg1DBX5gsf1i+3
-YIIt3y0Bsw1UsRSRgUvaMZCWvKOtCfBYc5HjLS74RijIm9OaiDc2LDQOUloiT3xd
-pLo0ga8P7AMdeSpyJF1qdsTqxA==
+MIIFcDCCA1igAwIBAgIIevLTTxOMoZgwDQYJKoZIhvcNAQELBQAwKzEXMBUGA1UE
+CxMOYWNtZTJjZXJ0aWZpZXIxEDAOBgNVBAMTB3Jvb3QtY2EwHhcNMjAwNTI3MDAw
+MDAwWhcNMzAwNTI2MjM1OTU5WjArMRcwFQYDVQQLEw5hY21lMmNlcnRpZmllcjEQ
+MA4GA1UEAxMHcm9vdC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AJy4UZHdZgYt64k/rFamoC676tYvtabeuiqVw1c6oVZI897cFLG6BYwyr2Eaj7tF
+rqTJDeMN4vZSudLsmLDq6m8KwX/riPzUTIlcjM5aIMANZr9rLEs3NWtcivolB5aQ
+1slhdVitUPLuxsFnYeQTyxFyP7lng9M/Z403KLG8phdmKjM0vJkaj4OuKOXf3UsW
+qWQYyRl/ms07xVj02uq08LkoeO+jtQisvyVXURdaCceZtyK/ZBQ7NFCsbK112cVR
+1e2aJol7NJAA6Wm6iBzAdkAA2l3kh40SLoEbaiaVMixLN2vilIZOOAoDXX4+T6ir
++KnDVSJ2yu5c/OJMwuXwHrh7Lgg1vsFR5TNehknhjUuWOUO+0TkKPg2A7KTg72OZ
+2mOcLZIbxzr1P5RRvdmLQLPrTF2EJvpQPNmbXqN3ZVWEvfHTjkkTFY/dsOTvFTgS
+ri15zYKch8votcU7z+BQhgmMtwO2JhPMmZ6ABd9skI7ijWpwOltAhxtdoBO6T6CB
+CrE2yXc6V/PyyAKcFglNmIght5oXsnE+ub/dtx8f9Iea/xNPdo5aGy8fdaitolDK
+16kd3Kb7OE4HMHIwOxxF1BEAqerxxhbLMRBr8hRSZI5cvLzWLvpAQ5zuhjD6V3b9
+BYFd4ujAu3zl3mbzdbYjFoGOX6aBZaGDxlc4O2W7HxntAgMBAAGjgZcwgZQwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUDGVvuTFYZtEAkz3af9wRKDDvAswwHwYD
+VR0jBBgwFoAUDGVvuTFYZtEAkz3af9wRKDDvAswwDgYDVR0PAQH/BAQDAgGGMBEG
+CWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRl
+MA0GCSqGSIb3DQEBCwUAA4ICAQAjko7dX+iCgT+m3Iy1Vg6j7MRevPAzq1lqHRRN
+Ndt2ct530pIut7Fv5V2xYk35ka+i/G+XyOvTXa9vAUKiBtiRnUPsXu4UcS7CcrCX
+EzHx4eOtHnp5wDhO0Fx5/OUZTaP+L7Pd1GD/j953ibx5bMa/M9Rj+S486nst57tu
+DRmEAavFDiMd6L3jH4YSckjmIH2uSeDIaRa9k6ag077XmWhvVYQ9tuR7RGbSuuV3
+Fc6pqcFbbWpoLhNRcFc+hbUKOsKl2cP+QEKP/H2s3WMllqgAKKZeO+1KOsGo1CDs
+475bIXyCBpFbH2HOPatmu3yZRQ9fj9ta9EW46n33DFRNLinFWa4WJs4yLVP1juge
+2TCOyA1t61iy++RRXSG3e7NFYrEZuCht1EdDAdzIUY89m9NCPwoDYS4CahgnfkkO
+7YQe6f6yqK6isyf8ZFcp1uF58eERDiF/FDqS8nLmCdURuI56DDoNvDpig5J/9RNW
+G8vEvt2p7QrjeZ3EAatx5JuYty/NKTHZwJWk51CgzEgzDwzE2JIiqeldtL5d0Sl6
+eVuv0G04BEyuXxEWpgVVzBS4qEFIBSnTJzgu1PXmId3yLvg2Nr8NKvwyZmN5xKFp
+0A9BWo15zW1PXDaD+l39oTYD7agjXkzTAjYIcfNJ7ATIYFD0xAvNAOf70s7aNupF
+fvkG2Q==
 -----END CERTIFICATE-----
 
diff --git a/.github/acme2certifier_cert.pem b/.github/acme2certifier_cert.pem
index 3db631bf..5ee3cdbf 100644
--- a/.github/acme2certifier_cert.pem
+++ b/.github/acme2certifier_cert.pem
@@ -1,25 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIESzCCAjOgAwIBAgIIfsWXGpYTi+8wDQYJKoZIhvcNAQELBQAwETEPMA0GA1UE
-AxMGc3ViLWNhMB4XDTIzMDcxNjE1MzYwMFoXDTI0MDcxNTE1MzYwMFowEzERMA8G
-A1UEAwwIYWNtZV9zcnYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCz
-IvzlRkotxA+eHQrwe8Zy/yoFXv3kSPwkDPSYJ0QueyTk5WQq/DcPPuWpszn99OR7
-CGYe+Wy22KvLEwIR6VZmFByCDnWD7t03FFN1iNhH+ECU1FIDBdWD1LfJ4/ZdiKT7
-w7rNghivvm+YtvqkMXtFaWkVaUIu44IYdZDXsnFNR5ACWJGmdGxkhJwH28f6dQUw
-JgyBUKbvP28Y8Q6+eCavLFsZad2Oq9xh8HO8Qb+jFGA2OdzhTd+PrEU0fy9pVSzB
-XLyrzcKa0PUlt69IL0YzZyPpN0sO3Xvgv7AyvUrwZJlbz+K6vs1u5ZQP5Y/1f2fn
-Jt1ozflpIuBKKG2iOEVTAgMBAAGjgaQwgaEwDAYDVR0TAQH/BAIwADAWBgNVHSUB
-Af8EDDAKBggrBgEFBQcDATBGBgNVHREEPzA9gghhY21lX3NydoINYWNtZV9zcnYu
-YWNtZYIJbG9jYWxob3N0gghhY21lLXNydoINYWNtZS1zcnYuYWNtZTARBglghkgB
-hvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkq
-hkiG9w0BAQsFAAOCAgEAZ9xErDtqOtf4tXcZC5kpV+PzEfj6iI17r94Z4aGb6plv
-2LXFcldwrNe+wyvpaMLgyAgei1eIWKUw4aknHJwcymYxWkV+YEkUW0q43NztA6oY
-o7zJDX9ltIlmnbWP+Sqpe051Ln5uoTjc6xvD61EEdYAu/eInT+lsQHTjhxbCtSkk
-twYoeiXXI34PHSQqahuVRT8DThuMsxNC7v8eRKfbvCRAv1obD+KDE2P4YvIqy1Lc
-HwHV7X6ipcYDTCDv9dCoLSer1pTidZGGtTbSA8KVlaPgWV405m3gROkxSDPuuFgN
-5y2oTxQIdKsFtT2iIJj0gbzk3SduVQ4OPEnM1x800HmTRdzJbv83IswoSEt30nkZ
-v1+fKtVokxJA9IliciUdvmoSs806G/4tRTfwK2eHhZjfvbotG5uCshRSvHEHuDlb
-HLcv34h07nKh1QhDjurf6EIpk2Z6b7tQCprNMoVFiACYX6h524ZkB4pvhvF8i5Rt
-HESu0iuxUZk49OsheOl5V/SqHMhr2fFKSqSgBdDRrthpE1MvHdYzBLT7xGm1oxK0
-40et7iEqScSxbI5ic6WG6rJ5pZeqp9cjDdTvM194EMPgmhc8UqN8nkpIeJ0yBZC1
-ve1n0pi6S0TuaVlTo71wX49YwFEq/z3nbjIzi0YYmlmRAYjffE7px4b0a3VDLQA=
+MIIEkDCCAnigAwIBAgIINem9Fn3yI2cwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UE
+CxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yNDA3MjMwNjE2
+MDBaFw0yNjA3MjMwNjE2MDBaMBMxETAPBgNVBAMMCGFjbWVfc3J2MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyL85UZKLcQPnh0K8HvGcv8qBV795Ej8
+JAz0mCdELnsk5OVkKvw3Dz7lqbM5/fTkewhmHvlsttiryxMCEelWZhQcgg51g+7d
+NxRTdYjYR/hAlNRSAwXVg9S3yeP2XYik+8O6zYIYr75vmLb6pDF7RWlpFWlCLuOC
+GHWQ17JxTUeQAliRpnRsZIScB9vH+nUFMCYMgVCm7z9vGPEOvngmryxbGWndjqvc
+YfBzvEG/oxRgNjnc4U3fj6xFNH8vaVUswVy8q83CmtD1JbevSC9GM2cj6TdLDt17
+4L+wMr1K8GSZW8/iur7NbuWUD+WP9X9n5ybdaM35aSLgSihtojhFUwIDAQABo4HQ
+MIHNMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCBBm1m0llstSbjZx9CypR7hfh0I
+MAsGA1UdDwQEAwIEsDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATBGBgNVHREEPzA9
+gghhY21lX3NydoINYWNtZV9zcnYuYWNtZYIJbG9jYWxob3N0gghhY21lLXNydoIN
+YWNtZS1zcnYuYWNtZTARBglghkgBhvhCAQEEBAMCB4AwHgYJYIZIAYb4QgENBBEW
+D3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAgEAgKxcS2L507h+c7XD
+14oY4xbGcuGd/4RPKHz7VV5xxybZHGHjJ+WAq5Hd89FqjkaZ6gBB4hfpHqXMLPv2
+aFX9mXoW5ilH1BGZAEn3xMefdfkrnqCAvr3iKFasmqdTQovyVBEUsE6Zb2A5rhA9
+yWoHPBkcMhP5XYkGVaCWfOh5XUrt6HAD0+wJPb57nxBXRctJK5aF/Jl/tFoJrUVg
+t9penQ3TuVnZqdFI5ofwR/DUZIGqoTRjatAjwHgg5yc07erwMuu0nhqAINVlQm7v
+phgc2gkXXwcsAQvlRcY5017cHB9IDYsEczVh0DHdhWNvkcKvIqoO8sx+3Thi6wzb
+/pnvbq1T8C59YhCk5MkmQXMKyvI5ik+sY+aDtVsyc9+G6A9qhU7BL7stFI/tuFwA
+KVsqeDVPv/QYXleV/Ys3WqbxXrLRJv8qWpxEKIE3TKCJYUg6LOBPNmR2VtWEaBoA
+ItkUNm1UHbbidCMo9nZqupzeyVC0RcXrwfBNqONT9B90AvRnyHqlIuVY6LZKIEfi
+rSUzyL8eGON5wXv/dPr7fUqrzAFWTn3eLhh+KXY9a1e5uK95T2A7/kOuDoIAlM0v
+ueREv5XaK2dp7M1yynzlGxRAtDWtify1W2p1TOMQoI+SpB5bWJ8jP9N0CR5m8Q4I
+/oPqgSi1uZzgN2kOOSLkZcy8QUE=
 -----END CERTIFICATE-----
\ No newline at end of file
diff --git a/.github/actions/acme_clients/action.yml b/.github/actions/acme_clients/action.yml
new file mode 100644
index 00000000..230527de
--- /dev/null
+++ b/.github/actions/acme_clients/action.yml
@@ -0,0 +1,464 @@
+name: "acme_clients - enroll, renew and revoke certificates"
+description: "Test if acme.sh, certbot and lego can enroll, renew and certificates"
+inputs:
+  ACME_SERVER:
+    description: "ACME server URL"
+    required: true
+    default: "acme-srv"
+  REVOCATION:
+    description: "Revocation method"
+    required: true
+    default: "true"
+  RENEWAL:
+    description: "Renewal method"
+    required: true
+    default: "true"
+  VERIFY_CERT:
+    description: "Verify certificate"
+    required: true
+    default: "true"
+  USE_CERTBOT:
+    description: "Use certbot"
+    required: true
+    default: "true"
+  USE_RSA:
+    description: "Use RSA"
+    required: true
+    default: "false"
+  HTTP_PORT:
+    description: "HTTP port"
+    required: true
+    default: "80"
+  HTTPS_PORT:
+    description: "HTTPS port"
+    required: true
+    default: "443"
+  HOSTNAME_SUFFIX:
+    description: "Hostname suffix"
+    required: true
+  NAME_SPACE:
+    description: "Namespace"
+    required: true
+    default: "acme"
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: "Create directories"
+      run: |
+        mkdir -p acme-sh/
+        sudo mkdir -p certbot/
+        sudo mkdir -p lego/ca
+        sudo cp .github/acme2certifier_cabundle.pem certbot/
+        sudo cp .github/acme2certifier_cabundle.pem lego/
+        if [ -f cert-2.pem ]; then
+          echo "delete cert-2.pem"
+          rm -f cert-2.pem
+        fi
+        if [ -f cert-1.pem ]; then
+          echo "delete cert-1.pem"
+          rm -f cert-1.pem
+        fi
+        ls -la
+      shell: bash
+
+    - name: "Sleep for 5s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 5s
+
+    - name: "Test if http://acme-srv/directory is accessible"
+      run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://$ACME_SERVER:$HTTP_PORT/directory
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://$ACME_SERVER:$HTTPS_PORT/directory
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Enroll lego"
+      run: |
+        echo "##### HTTP - Enroll lego #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
+        else
+          echo "use RSA"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
+        fi
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Revoke lego"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "#### HTTP - Revoke lego"
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Enroll acme.sh"
+      run: |
+        echo "##### HTTPS - Enroll acme.sh #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --debug 1 --output-insecure --insecure
+          ECC="_ecc"
+        else
+          echo "use RSA"
+          docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --keylength 2048 --debug 1 --output-insecure --insecure
+        fi
+
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            echo "Multiple CA certs"
+            openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          else
+            echo "Single Root ca"
+            openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Renew acme.sh"
+      if: ${{ inputs.RENEWAL == 'true' }}
+      run: |
+        echo "##### HTTPS - Renew acme.sh #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+           ECC="_ecc"
+        else
+          echo "use RSA"
+        fi
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --renew --server https://$ACME_SERVER:$HTTPS_PORT  --force --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --debug 1 --output-insecure --insecure
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            echo "Multiple CA certs"
+            openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          else
+            echo "Single Root ca"
+            openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Revoke HTTP-01 single domain acme.sh"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "##### HTTPS - Revoke HTTP-01 single domain acme.sh #####"
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --revoke --server https://$ACME_SERVER:$HTTPS_PORT --revoke -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 2 --output-insecure  --insecure
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Decativate acme.sh #####"
+      run: |
+        echo "##### HTTPS - Decativate acme.sh"
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --deactivate-account --server https://$ACME_SERVER:$HTTPS_PORT --debug 2 --output-insecure --insecure
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Enroll acme.sh"
+      run: |
+        echo "##### HTTP - Enroll acme.sh #####"
+        sudo rm -rf acme-sh/*
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server http://$ACME_SERVER:$HTTP_PORT  --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 1 --output-insecure --insecure
+          ECC="_ecc"
+         else
+          echo "use RSA"
+          docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server http://$ACME_SERVER:$HTTP_PORT  --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --keylength 2048 --debug 1 --output-insecure --insecure
+        fi
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          else
+            echo "single root ca"
+            openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Renew acme.sh"
+      if: ${{ inputs.RENEWAL == 'true' }}
+      run: |
+        echo "##### HTTP - Renew acme.sh #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+           ECC="_ecc"
+        else
+          echo "use RSA"
+        fi
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --renew --server http://$ACME_SERVER:$HTTP_PORT  --force --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 1 --output-insecure --insecure
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          else
+            echo "single root ca"
+            openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Revoke HTTP-01 single domain acme.sh"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "##### HTTP - Revoke HTTP-01 single domain acme.sh #####"
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --revoke --server http://$ACME_SERVER:$HTTP_PORT --revoke -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 2 --output-insecure  --insecure
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Decativate acme.sh"
+      run: |
+        echo "##### HTTP - Decativate acme.sh #####"
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --deactivate-account --server http://$ACME_SERVER:$HTTP_PORT --debug 2 --output-insecure --insecure
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Enroll certbot"
+      if: ${{ inputs.USE_CERTBOT == 'true' }}
+      run: |
+        echo "##### HTTPS - Enroll certbot #####"
+        if [ "$USE_RSA" == "false" ]; then
+          docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
+        else
+          docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' --key-type rsa -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
+        fi
+
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+          else
+            echo "single root ca"
+            sudo openssl verify -CAfile cert-1.pem certbot/live/certbot/cert.pem
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Revoke certbot"
+      if: ${{ (inputs.USE_CERTBOT == 'true') && (inputs.REVOCATION == 'true') }}
+      run: |
+        echo "##### HTTPS - Revoke certbot #####"
+        docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --server https://$ACME_SERVER:$HTTPS_PORT --no-verify-ssl --delete-after-revoke --cert-name certbot
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Enroll certbot #####"
+      if: ${{ inputs.USE_CERTBOT == 'true' }}
+      run: |
+        echo "##### HTTP - Enroll certbot #####"
+        if [ "$USE_RSA" == "false" ]; then
+          docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://$ACME_SERVER:$HTTP_PORT --standalone --preferred-challenges http --agree-tos -m 'certbot@example.com' -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
+        else
+          docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://$ACME_SERVER:$HTTP_PORT --standalone --preferred-challenges http --agree-tos -m 'certbot@example.com' --key-type rsa -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
+        fi
+
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+          else
+            echo "single root ca"
+            sudo openssl verify -CAfile cert-1.pem certbot/live/certbot/cert.pem
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Revoke certbot"
+      if: ${{ (inputs.USE_CERTBOT == 'true') && (inputs.REVOCATION == 'true') }}
+      run: |
+        echo "##### HTTP - Revoke certbot #####"
+        docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --server http://$ACME_SERVER:$HTTP_PORT --delete-after-revoke --cert-name certbot
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Enroll lego"
+      run: |
+        echo "##### HTTPS - Enroll lego #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s https://$ACME_SERVER:$HTTPS_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
+         else
+          echo "use RSA"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s https://$ACME_SERVER:$HTTPS_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
+        fi
+
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt
+          else
+            echo "single root ca"
+            sudo openssl verify -CAfile cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Revoke lego"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "##### HTTPS - Revoke lego #####"
+        docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s https://$ACME_SERVER:$HTTPS_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Enroll lego"
+      run: |
+        echo "##### HTTP - Enroll lego #####"
+        sudo rm -rf lego/*
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --http run
+         else
+          echo "use RSA"
+          docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --http run
+        fi
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt
+          else
+            echo "single root ca"
+            sudo openssl verify -CAfile cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Revoke lego"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "#### HTTP - Revoke lego"
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Delete acme-sh, letsencypt and lego folders"
+      run: |
+        sudo rm -rf  lego/*
+        sudo rm -rf  acme-sh/*
+        sudo rm -rf  certbot/*
+      shell: bash
\ No newline at end of file
diff --git a/.github/actions/container_build/action.yml b/.github/actions/container_build/action.yml
new file mode 100644
index 00000000..921ed6e2
--- /dev/null
+++ b/.github/actions/container_build/action.yml
@@ -0,0 +1,31 @@
+name: "container_build"
+description: "Build Container"
+inputs:
+  DB_HANDLER:
+    description: "Database handler"
+    required: true
+    default: "wsgi"
+  WEB_SRV:
+    description: "Web server"
+    required: true
+    default: "apache2"
+  DOCKER_COMPOSE_FILE_PATH:
+    description: "Path to the docker-compose file"
+    required: false
+    default: "examples/Docker/"
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Build docker-compose (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})"
+      working-directory: ${{ inputs.DOCKER_COMPOSE_FILE_PATH }}
+      run: |
+        sudo apt-get install -y docker-compose
+        sed -i "s/wsgi/$DB_HANDLER/g" .env
+        sed -i "s/apache2/$WEB_SRV/g" .env
+        # cat .env
+        docker-compose build
+      shell: bash
+      env:
+        WEB_SRV: ${{ inputs.WEB_SRV }}
+        DB_HANDLER: ${{ inputs.DB_HANDLER }}
diff --git a/.github/actions/container_build_upload/action.yml b/.github/actions/container_build_upload/action.yml
new file mode 100644
index 00000000..ea3c75d3
--- /dev/null
+++ b/.github/actions/container_build_upload/action.yml
@@ -0,0 +1,37 @@
+name: "container_build_upload"
+description: "Build and Upload Container"
+inputs:
+  DB_HANDLER:
+    description: "Database handler"
+    required: true
+    default: "wsgi"
+  WEB_SRV:
+    description: "Web server"
+    required: true
+    default: "apache2"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Build container"
+    uses: ./.github/actions/container_build
+    with:
+      DB_HANDLER: ${{ inputs.DB_HANDLER }}
+      WEB_SRV: ${{ inputs.WEB_SRV }}
+
+  - name: "Save container"
+    run: |
+      docker images
+      mkdir -p /tmp/a2c
+      docker save acme2certifier/$DB_HANDLER > /tmp/a2c/a2c-${{ github.run_id }}.$WEB_SRV.$DB_HANDLER.tar
+      gzip /tmp/a2c/a2c-${{ github.run_id }}.$WEB_SRV.$DB_HANDLER.tar
+    shell: bash
+    env:
+      DB_HANDLER: ${{ inputs.DB_HANDLER }}
+      WEB_SRV: ${{ inputs.WEB_SRV }}
+
+  - name: "Upload container package"
+    uses: actions/upload-artifact@master
+    with:
+      name: a2c-${{ github.run_id }}.${{ inputs.WEB_SRV }}.${{ inputs.DB_HANDLER }}.tar.gz
+      path: /tmp/a2c
diff --git a/.github/actions/container_check/action.yml b/.github/actions/container_check/action.yml
new file mode 100644
index 00000000..4bc12b2e
--- /dev/null
+++ b/.github/actions/container_check/action.yml
@@ -0,0 +1,32 @@
+name: "container_check"
+description: "Check container configuration"
+inputs:
+  DB_HANDLER:
+    description: "Database handler"
+    required: true
+    default: "wsgi"
+  WEB_SRV:
+    description: "Web server"
+    required: true
+    default: "apache2"
+  DOCKER_COMPOSE_FILE_PATH:
+    description: "Path to the docker-compose file"
+    required: false
+    default: "examples/Docker/"
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Logs"
+      working-directory: ${{ inputs.DOCKER_COMPOSE_FILE_PATH }}
+      run: |
+          docker-compose logs | grep -i $WEB_SRV
+          if [ "$DB_HANDLER" == "django" ]; then
+              docker-compose logs | grep -i migrations
+          else
+            docker-compose logs | grep -i $DB_HANDLER
+          fi
+      env:
+        WEB_SRV: ${{ inputs.WEB_SRV }}
+        DB_HANDLER: ${{ inputs.DB_HANDLER }}
+      shell: bash
\ No newline at end of file
diff --git a/.github/actions/container_prep/action.yml b/.github/actions/container_prep/action.yml
new file mode 100644
index 00000000..75a6f30a
--- /dev/null
+++ b/.github/actions/container_prep/action.yml
@@ -0,0 +1,92 @@
+name: "container_prep"
+description: "Prepare environment for container installation"
+inputs:
+  DB_HANDLER:
+    description: "Database handler"
+    required: true
+    default: "wsgi"
+  WEB_SRV:
+    description: "Web server"
+    required: true
+    default: "apache2"
+  DJANGO_DB:
+    description: "Django database"
+    required: false
+  CONTAINER_BUILD:
+    description: "Build container"
+    required: true
+    default: "true"
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+  IPV6:
+    description: "IPv6"
+    required: true
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Setup environment"
+      run: |
+        echo "IPv6 is $IPV6"
+        if [ "$IPV6" == "false" ]; then
+          echo "create v4 namespace"
+          docker network create $NAME_SPACE
+        else
+          echo "create v6 namespace"
+          docker network create $NAME_SPACE --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
+        fi
+        sudo mkdir -p examples/Docker/data
+        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
+        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
+        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
+        if [ -z "$DJANGO_DB" ]; then
+            sudo cp .github/django_settings.py examples/Docker/data/settings.py
+        else
+            sudo cp .github/django_settings_$DJANGO_DB.py examples/Docker/data/settings.py
+        fi
+      env:
+        DJANGO_DB: ${{ inputs.DJANGO_DB }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+        IPV6: ${{ inputs.IPV6 }}
+      shell: bash
+
+    - name: "Build docker-compose (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})"
+      if: inputs.CONTAINER_BUILD == 'true'
+      uses: ./.github/actions/container_build
+      with:
+        WEB_SRV: ${{ inputs.WEB_SRV }}
+        DB_HANDLER: ${{ inputs.DB_HANDLER }}
+
+    - name: "Prepare container environment file (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})"
+      if: inputs.CONTAINER_BUILD != 'true'
+      working-directory: examples/Docker/
+      run: |
+        sed -i "s/wsgi/$DB_HANDLER/g" .env
+        sed -i "s/apache2/$WEB_SRV/g" .env
+      env:
+        WEB_SRV: ${{ inputs.WEB_SRV }}
+        DB_HANDLER: ${{ inputs.DB_HANDLER }}
+      shell: bash
+
+    - name: "Spin-up a2c instance (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})"
+      if: inputs.CONTAINER_BUILD == 'true'
+      uses: ./.github/actions/container_up
+      with:
+        WEB_SRV: ${{ inputs.WEB_SRV }}
+        DB_HANDLER: ${{ inputs.DB_HANDLER }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Instanciate Mariadb"
+      if: inputs.DJANGO_DB == 'mariadb'
+      uses: ./.github/actions/mariadb_prep
+      with:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Instanciate Postgres"
+      if: inputs.DJANGO_DB == 'psql'
+      uses: ./.github/actions/psql_prep
+      with:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
\ No newline at end of file
diff --git a/.github/actions/container_up/action.yml b/.github/actions/container_up/action.yml
new file mode 100644
index 00000000..8be2dc9f
--- /dev/null
+++ b/.github/actions/container_up/action.yml
@@ -0,0 +1,31 @@
+name: "container_up"
+description: "instanciate a2c container"
+inputs:
+  DB_HANDLER:
+    description: "Database handler"
+    required: true
+    default: "wsgi"
+  WEB_SRV:
+    description: "Web server"
+    required: true
+    default: "apache2"
+  DOCKER_COMPOSE_FILE_PATH:
+    description: "Path to the docker-compose file"
+    required: false
+    default: "examples/Docker/"
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Spin-up a2c instance (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})"
+      working-directory: ${{ inputs.DOCKER_COMPOSE_FILE_PATH }}
+      run: |
+          sed -i "s/name: acme/name: $NAME_SPACE/g" docker-compose.yml
+          docker-compose up -d --no-build
+      env:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+      shell: bash
\ No newline at end of file
diff --git a/.github/actions/deb_build/action.yml b/.github/actions/deb_build/action.yml
new file mode 100644
index 00000000..cb41df40
--- /dev/null
+++ b/.github/actions/deb_build/action.yml
@@ -0,0 +1,72 @@
+name: "deb_build"
+description: "Build deb package"
+outputs:
+  deb_file_name:
+    description: "Name of the debian package file"
+    value: acme2certifier_${{ env.TAG_NAME }}-1_all.deb
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Retrieve Version from version.py
+      run: |
+        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
+      shell: bash
+
+    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      shell: bash
+
+    - name: "Install Firefox from Mozilla"
+      run: |
+        sudo apt-get update
+        sudo install -d -m 0755 /etc/apt/keyrings
+        wget -q https://packages.mozilla.org/apt/repo-signing-key.gpg -O- | sudo tee /etc/apt/keyrings/packages.mozilla.org.asc > /dev/null
+        echo "deb [signed-by=/etc/apt/keyrings/packages.mozilla.org.asc] https://packages.mozilla.org/apt mozilla main" | sudo tee -a /etc/apt/sources.list.d/mozilla.list > /dev/null
+        echo '
+        Package: *
+        Pin: origin packages.mozilla.org
+        Pin-Priority: 1000
+        ' | sudo tee /etc/apt/preferences.d/mozilla
+        sudo apt update && sudo apt install -y firefox --allow-downgrades
+      shell: bash
+
+    - name: "Prepare environment to build deb package"
+      run: |
+        sudo apt-get update && sudo apt-get -y upgrade
+        sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper  --allow-downgrades
+        rm setup.py
+        rm -f examples/ngnix/acme2certifier.te
+        rm -f examples/nginx/supervisord.conf
+        rm -f examples/nginx/uwsgi.service
+        sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf
+        sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv_ssl.conf
+        sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini
+        sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini
+        echo "plugins=python3" >> examples/nginx/acme2certifier.ini
+        cat <<EOT > examples/nginx/acme2certifier.service
+        [Unit]
+        Description=uWSGI instance to serve acme2certifier
+        After=network.target
+
+        [Service]
+        User=www-data
+        Group=www-data
+        WorkingDirectory=/var/www/acme2certifier
+        Environment="PATH=/var/www/acme2certifier"
+        ExecStart=uwsgi --ini /var/www/acme2certifier/acme2certifier.ini
+
+        [Install]
+        WantedBy=multi-user.target
+        EOT
+        cp -R examples/install_scripts/debian ./
+        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog
+        cd ../
+        tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./
+      shell: bash
+
+    - name: "Build debian package"
+      run: |
+        dpkg-buildpackage -uc -us
+        dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb
+      shell: bash
diff --git a/.github/actions/deb_build_upload/action.yml b/.github/actions/deb_build_upload/action.yml
new file mode 100644
index 00000000..5ffd4a7b
--- /dev/null
+++ b/.github/actions/deb_build_upload/action.yml
@@ -0,0 +1,27 @@
+name: "rpm_build_upload"
+description: "Build and Upload package"
+outputs:
+  deb_file_name:
+    description: "Name of the RPM package file"
+    value: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Build deb package"
+    id: deb_build
+    uses: ./.github/actions/deb_build
+
+  - name: "Rename deb package"
+    run: |
+      sudo mv ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb ./acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb
+    shell: bash
+
+  - name: "Upload deb package"
+    uses: actions/upload-artifact@v4
+    with:
+      name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb
+      path: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb
+
+
diff --git a/.github/actions/deb_prep/action.yml b/.github/actions/deb_prep/action.yml
new file mode 100644
index 00000000..e12aa39d
--- /dev/null
+++ b/.github/actions/deb_prep/action.yml
@@ -0,0 +1,85 @@
+name: "deb_prep"
+description: "Prepare environment for deb installation"
+inputs:
+  GH_SBOM_USER:
+    description: "GIT user for SBOM repo"
+    required: true
+  GH_SBOM_TOKEN:
+    description: "GIT token for SBOM repo"
+    required: true
+  DJANGO_DB:
+    description: "Django database"
+  DEB_BUILD:
+    description: "Build DEB"
+    required: true
+    default: "true"
+  NAME_SPACE:
+    description: "Name space"
+    required: true
+    default: "acme"
+  IPV6:
+    description: "IPv6"
+    required: true
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: "Build deb package"
+      if: inputs.DEB_BUILD == 'true'
+      id: deb_build
+      uses: ./.github/actions/deb_build
+
+    - name: "Setup environment for ubuntu installation"
+      run: |
+        echo "IPv6 is $IPV6"
+        if [ "$IPV6" == "false" ]; then
+          echo "create v4 namespace"
+          docker network create $NAME_SPACE
+        else
+          echo "create v6 namespace"
+          docker network create $NAME_SPACE --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
+        fi
+        sudo mkdir -p data/volume/acme2certifier
+        sudo mkdir -p data/nginx
+        sudo chmod -R 777 data
+        sudo cp examples/Docker/ubuntu-systemd/deb_tester.sh data
+        sudo cp examples/Docker/ubuntu-systemd/django_tester.sh data
+        sudo cp .github/acme2certifier_cert.pem data/volume/acme2certifier_cert.pem
+        sudo cp .github/acme2certifier_key.pem data/volume/acme2certifier_key.pem
+        sudo cp .github/acme2certifier.pem data/volume/acme2certifier.pem
+
+        if [ -z "$DJANGO_DB" ]; then
+            sudo cp .github/django_settings.py data/volume/acme2certifier/settings.py
+        else
+            sudo cp .github/django_settings_$DJANGO_DB.py data/volume/acme2certifier/settings.py
+        fi
+      env:
+        DJANGO_DB: ${{ inputs.DJANGO_DB }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+        IPV6: ${{ inputs.IPV6 }}
+      shell: bash
+
+    - name: "Instanciate Ubuntu 22.04"
+      run: |
+        docker run -d --name acme-srv --network $NAME_SPACE --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cgroupns=host -v "$(pwd)/data":/tmp/acme2certifier jrei/systemd-ubuntu:22.04
+      shell: bash
+      env:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Instanciate Mariadb"
+      if: inputs.DJANGO_DB == 'mariadb'
+      uses: ./.github/actions/mariadb_prep
+      with:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Instanciate Postgres"
+      if: inputs.DJANGO_DB == 'psql'
+      uses: ./.github/actions/psql_prep
+      with:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+
+
+
diff --git a/.github/actions/mariadb_prep/action.yml b/.github/actions/mariadb_prep/action.yml
new file mode 100644
index 00000000..95cba61b
--- /dev/null
+++ b/.github/actions/mariadb_prep/action.yml
@@ -0,0 +1,36 @@
+name: "maria_prep"
+description: "bring up and configure mariadb instance"
+inputs:
+  NAME_SPACE:
+    description: "Name space"
+    required: true
+    default: "acme"
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Instanciate Mariadb"
+      run: |
+        # sudo mkdir -p data/mysql
+        docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
+      shell: bash
+      env:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Configure mariadb"
+      working-directory: examples/Docker/
+      run: |
+        docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
+        docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
+        docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;"
+      shell: bash
+
+    - name: "Sleep for 5s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 5s
\ No newline at end of file
diff --git a/.github/actions/psql_prep/action.yml b/.github/actions/psql_prep/action.yml
new file mode 100644
index 00000000..573cc29b
--- /dev/null
+++ b/.github/actions/psql_prep/action.yml
@@ -0,0 +1,45 @@
+name: "psql_prep"
+description: "bring up and configure psql instance"
+inputs:
+  NAME_SPACE:
+    description: "Name space"
+    required: true
+    default: "acme"
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: "postgres environment"
+      run: |
+        sudo mkdir -p /tmp/data/pgsql
+        sudo cp .github/a2c.psql /tmp/data/pgsql/a2c.psql
+        sudo cp .github/pgpass /tmp//data/pgsql/pgpass
+        sudo chmod 600 /tmp/data/pgsql/pgpass
+      shell: bash
+
+    - name: "Install postgres"
+      working-directory: /tmp
+      run: |
+        docker run --name postgresdbsrv --network $NAME_SPACE -e POSTGRES_PASSWORD=foobar -d postgres
+      shell: bash
+      env:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Configure postgres"
+      working-directory: /tmp
+      run: |
+        docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network $NAME_SPACE postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql
+      shell: bash
+      env:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Sleep for 5s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 5s
\ No newline at end of file
diff --git a/.github/actions/rpm_build/action.yml b/.github/actions/rpm_build/action.yml
new file mode 100644
index 00000000..05777323
--- /dev/null
+++ b/.github/actions/rpm_build/action.yml
@@ -0,0 +1,41 @@
+name: "rpm_build"
+description: "Build RPM package"
+outputs:
+  rpm_dir_path:
+    description: "Path to the directory containing the RPM package"
+    value: ${{ steps.rpm.outputs.rpm_dir_path }}
+  rpm_file_name:
+    description: "Name of the RPM package file"
+    value: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: "Retrieve Version from version.py"
+      run: |
+        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
+      shell: bash
+
+    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      shell: bash
+
+    - name: "Update version number in spec file and path in nginx ssl config"
+      run: |
+        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
+        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
+        git config --global user.email "grindelsack@gmail.com"
+        git config --global user.name "rpm update"
+        git add examples/nginx
+        git commit -a -m "rpm update"
+      shell: bash
+
+    - name: "Build RPM package"
+      id: rpm
+      uses: grindsa/rpmbuild@alma9
+      with:
+        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
+
+    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
+      shell: bash
+
diff --git a/.github/actions/rpm_build_upload/action.yml b/.github/actions/rpm_build_upload/action.yml
new file mode 100644
index 00000000..4fee394f
--- /dev/null
+++ b/.github/actions/rpm_build_upload/action.yml
@@ -0,0 +1,26 @@
+name: "rpm_build_upload"
+description: "Build and Upload package"
+outputs:
+  rpm_file_name:
+    description: "Name of the RPM package file"
+    value: acme2certifier-${{ github.run_id }}.noarch.rpm
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Build rpm package"
+    id: rpm_build
+    uses: ./.github/actions/rpm_build
+
+  - name: "Rename rpm package"
+    run: |
+      sudo mv ${{ steps.rpm_build.outputs.rpm_dir_path }}/noarch/acme2certifier-*.noarch.rpm ${{ steps.rpm_build.outputs.rpm_dir_path }}/noarch/acme2certifier-${{ github.run_id }}.noarch.rpm
+    shell: bash
+
+  - name: "Upload RPM package"
+    uses: actions/upload-artifact@master
+    with:
+      name: acme2certifier-${{ github.run_id }}.noarch.rpm
+      path: ${{ steps.rpm_build.outputs.rpm_dir_path }}/noarch/
+
diff --git a/.github/actions/rpm_prep/action.yml b/.github/actions/rpm_prep/action.yml
new file mode 100644
index 00000000..2e9cd363
--- /dev/null
+++ b/.github/actions/rpm_prep/action.yml
@@ -0,0 +1,109 @@
+name: "rpm_prep"
+description: "Prepare environment for RPM installation"
+inputs:
+  GH_SBOM_USER:
+    description: "GIT user for SBOM repo"
+    required: true
+  GH_SBOM_TOKEN:
+    description: "GIT token for SBOM repo"
+    required: true
+  RH_VERSION:
+    description: "RHEL version"
+    required: true
+  DJANGO_DB:
+    description: "Django database"
+  RPM_BUILD:
+    description: "Build RPM"
+    required: true
+    default: "true"
+  NAME_SPACE:
+    description: "Name space"
+    required: true
+    default: "acme"
+  IPV6:
+    description: "IPv6"
+    required: true
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: "Build rpm package"
+      if: inputs.RPM_BUILD == 'true'
+      id: rpm_build
+      uses: ./.github/actions/rpm_build
+
+    - name: "Setup environment for alma installation"
+      run: |
+        echo "IPv6 is $IPV6"
+        if [ "$IPV6" == "false" ]; then
+          echo "create v4 namespace"
+          docker network create $NAME_SPACE
+        else
+          echo "create v6 namespace"
+          docker network create $NAME_SPACE --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
+        fi
+        sudo mkdir -p data/volume
+        sudo mkdir -p data/acme2certifier
+        sudo mkdir -p data/nginx
+        sudo chmod -R 777 data
+        sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
+        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
+        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
+        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
+        if [ -f ${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm ]; then
+          echo "RPM exists"
+          sudo cp ${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
+        else
+          echo "RPM does not exist"
+        fi
+        if [ -z "$DJANGO_DB" ]; then
+            sudo cp .github/django_settings.py data/acme2certifier/settings.py
+        else
+            sudo cp .github/django_settings_$DJANGO_DB.py data/acme2certifier/settings.py
+        fi
+        sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
+        sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py
+      env:
+        DJANGO_DB: ${{ inputs.DJANGO_DB }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+        IPV6: ${{ inputs.IPV6 }}
+
+      shell: bash
+
+    - run: echo "RH_VERSION is ${{ inputs.RH_VERSION }}"
+      shell: bash
+
+    - name: "Retrieve rpms from SBOM repo"
+      run: |
+        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
+        cp /tmp/sbom/rpm-repo/RPMs/rhel$RH_VERSION/*.rpm  data
+      env:
+        GH_SBOM_USER: ${{ inputs.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ inputs.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ inputs.RH_VERSION }}
+      shell: bash
+
+    - name: "Spin-up alma instance"
+      run: |
+        sudo cp examples/Docker/almalinux-systemd/Dockerfile data
+        sudo sed -i "s/FROM almalinux:9/FROM almalinux:$RH_VERSION/g" data/Dockerfile
+        cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
+        docker run -d -id --privileged --network $NAME_SPACE -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
+      env:
+        RH_VERSION: ${{ inputs.RH_VERSION }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+      shell: bash
+
+    - name: "Instanciate Mariadb"
+      if: inputs.DJANGO_DB == 'mariadb'
+      uses: ./.github/actions/mariadb_prep
+      with:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Instanciate Postgres"
+      if: inputs.DJANGO_DB == 'psql'
+      uses: ./.github/actions/psql_prep
+      with:
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
\ No newline at end of file
diff --git a/.github/actions/wf_specific/acme_ca_handler/enrollment_profiling/action.yml b/.github/actions/wf_specific/acme_ca_handler/enrollment_profiling/action.yml
new file mode 100644
index 00000000..279d89f5
--- /dev/null
+++ b/.github/actions/wf_specific/acme_ca_handler/enrollment_profiling/action.yml
@@ -0,0 +1,150 @@
+name: "enrollment_profiling"
+description: "le-enrollment_profiling"
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - 01 - Enroll acme.sh without acme_url"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca
+    shell: bash
+
+  - name: "EAB - 01 - Enroll lego without acme_url"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)"
+    id: acmefail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://foo.bar -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - check  result "
+    if: steps.acmefail01.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://acme-le-sim-1.acme -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i sub-ca
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://foo.bar -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - check  result "
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://acme-le-sim-1.acme -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca
+    shell: bash
+
+  - name: "EAB - 03 - Enroll acme with a acme_url and key taken from kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca
+    shell: bash
+
+  - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg  -k rsa2048 -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+    id: acmefail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  -d acme-sh. --standalone --keylength 2048 --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - check  result "
+    if: steps.acmefail02.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 04a - check  result "
+    if: steps.legofail02.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i sub-ca
+    shell: bash
+
+  - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/acme_ca_handler/le-sim_prep/action.yml b/.github/actions/wf_specific/acme_ca_handler/le-sim_prep/action.yml
new file mode 100644
index 00000000..a207b839
--- /dev/null
+++ b/.github/actions/wf_specific/acme_ca_handler/le-sim_prep/action.yml
@@ -0,0 +1,53 @@
+name: "le-sim_prep"
+description: "le-sim_prep"
+inputs:
+  LESIM_NAME:
+    description: "Name of the le-sim"
+    required: true
+    default: "le-sim"
+  NAME_SPACE:
+    description: "Name space of the le-sim"
+    required: true
+    default: "acme"
+  SECTIGO_SIM:
+    description: "Sectigo sim"
+    required: true
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Setup le-sim"
+    run: |
+      sudo mkdir -p ${{ inputs.LESIM_NAME }}/acme_ca/certs
+      sudo cp examples/ca_handler/openssl_ca_handler.py ${{ inputs.LESIM_NAME }}/ca_handler.py
+      sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem ${{ inputs.LESIM_NAME }}/acme_ca/
+      sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg ${{ inputs.LESIM_NAME }}/acme_srv.cfg
+      sudo chmod 777 ${{ inputs.LESIM_NAME }}/acme_srv.cfg
+      if [ "${{ inputs.SECTIGO_SIM }}" == "true" ]; then
+        echo "Sectigo sim enabled"
+        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True\nsectigo_sim: True/g" ${{ inputs.LESIM_NAME }}/acme_srv.cfg
+      fi
+      sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" ${{ inputs.LESIM_NAME }}/acme_srv.cfg
+      docker run -d --rm -id --network ${{ inputs.NAME_SPACE }} --name=${{ inputs.LESIM_NAME }} -v "$(pwd)/${{ inputs.LESIM_NAME }}":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi
+      cat ${{ inputs.LESIM_NAME }}/acme_srv.cfg
+    shell: bash
+
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test http://acme-le-sim/directory is accessible"
+    run: docker run -i --rm --network ${{ inputs.NAME_SPACE }} curlimages/curl -f http://${{ inputs.LESIM_NAME }}/directory
+    shell: bash
+
+  - name: "Enroll from le-sim"
+    run: |
+      mkdir -p acme-sh/
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http:///${{ inputs.LESIM_NAME }} --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      sudo rm -rf acme-sh/*
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/acme_ca_handler/smallstep_prep/action.yml b/.github/actions/wf_specific/acme_ca_handler/smallstep_prep/action.yml
new file mode 100644
index 00000000..c614973b
--- /dev/null
+++ b/.github/actions/wf_specific/acme_ca_handler/smallstep_prep/action.yml
@@ -0,0 +1,49 @@
+name: "smallstep_prep"
+description: "smallstep_prep"
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Setup smallstep"
+    run: |
+      sudo mkdir -p step
+      sudo chmod -R 777 step
+      docker run -d -v "$(pwd)/step":/home/step \
+          -p 9000:9000 -p 443:443 \
+          --network acme \
+          --name step-ca \
+          -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \
+          -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \
+          smallstep/step-ca
+    shell: bash
+
+  - name: "Sleep for 20s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 20s
+
+  - name: "Configure smallstep"
+    run: |
+      docker ps
+      docker exec -i step-ca step ca provisioner add acme --type ACME
+      docker exec -i step-ca step ca provisioner update acme --remove-challenge=tls-alpn-01
+      docker exec -i step-ca step ca provisioner update acme --remove-challenge=dns-01
+      docker restart step-ca
+    shell: bash
+
+  - name: "Sleep for 20s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 20s
+
+  - name: "Test https://step-ca.acme/acme/acme/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f https://step-ca:9000/acme/acme/directory --insecure
+    shell: bash
+
+  - name: "Enroll from smallstep using acme-sh"
+    run: |
+      mkdir -p acme-sh
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server https://step-ca:9000/acme/acme/directory --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --insecure --output-insecure --force
+      sudo rm -rf acme-sh/*
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo/action.yml
new file mode 100644
index 00000000..bb0c6bf6
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo/action.yml
@@ -0,0 +1,206 @@
+name: "enroll_w_headerinfo"
+description: "enroll_w_headerinfo"
+inputs:
+  ASA_CA_NAME1:
+    description: "ASA CA 1"
+    required: true
+  ASA_CA_NAME2:
+    description: "ASA CA 2"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+  - name: "EAB with headerinfo - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "EAB with headerinfo - 01 - Enroll lego without profile_name"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)"
+    id: acmefail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - check  result "
+    if: steps.acmefail01.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - check  result "
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+    shell: bash
+
+  - name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone  --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
+    shell: bash
+
+  - name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg  -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+    id: acmefail021
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - check  result "
+    if: steps.acmefail021.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail021.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    id: legofail021
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 04a - check  result "
+    if: steps.legofail021.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail021.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+    shell: bash
+
+  - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
+    id: acmefail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048  --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - check  result "
+    if: steps.acmefail03.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
+    id: legofail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - check  result "
+    if: steps.legofail03.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail03.outcome }}"
+      exit 1
+    shell: bash
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo/action.yml
new file mode 100644
index 00000000..96956930
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo/action.yml
@@ -0,0 +1,143 @@
+name: "enroll_wo_headerinfo"
+description: "enroll_wo_headerinfo"
+inputs:
+  ASA_CA_NAME1:
+    description: "ASA CA 1"
+    required: true
+  ASA_CA_NAME2:
+    description: "ASA CA 2"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+  - name: "EAB without headerinfo -  Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB without headerinfo -  Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "EAB without headerinfo - 01 - Enroll lego without profile_name"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "EAB without headerinfo - 02 - Enroll lego  with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone  --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
+    shell: bash
+
+  - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg  -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
+    shell: bash
+
+  - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+    id: acmefail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB without headerinfo - 04 - check  result "
+    if: steps.acmefail02.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB without headerinfo - 04a - check  result "
+    if: steps.legofail02.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB without headerinfo - 05 - Enroll acme with default values from acme.cfg"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+    shell: bash
+
+  - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo/action.yml
new file mode 100644
index 00000000..d5c6e75a
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo/action.yml
@@ -0,0 +1,63 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+inputs:
+  ASA_PROFILE1:
+    description: "ASA Profile 1"
+    required: true
+  ASA_PROFILE2:
+    description: "ASA Profile 2"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Header-info - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Header-info - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Header-info - 01 - Enroll acme.sh with Profile 1"
+    run: |
+      sudo rm  -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' --useragent profile_name=${{ inputs.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+    shell: bash
+
+  - name: "Header-info - 01 - Enroll lego with Profile 1"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ inputs.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+    shell: bash
+
+  - name: "Header-info - 02 - Enroll acme.sh with Profile 2"
+    run: |
+      sudo rm  -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' --useragent profile_name=${{ inputs.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "Header-info - 02 - Enroll lego with Profile 2"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ inputs.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_profile_1/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_1/action.yml
new file mode 100644
index 00000000..456c5a71
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_1/action.yml
@@ -0,0 +1,61 @@
+name: "enroll_profile_1"
+description: "wf enroll_profile_1"
+runs:
+  using: "composite"
+  steps:
+  - name: "Profile 1 - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Profile 1 - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Profile 1 - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Profile 1 - Enroll acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+    shell: bash
+
+  - name: "Profile 1 - Revoke via acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "Profile 1 - Register certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Profile 1 - Enroll HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot  --key-type rsa --rsa-key-size 2048
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature"
+      # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout
+    shell: bash
+
+  - name: "Profile 1 - Revoke HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
+
+  - name: "Profile 1 - Enroll lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme  --key-type rsa2048 --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+      # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+    shell: bash
+
+  - name: "Profile 1 - revoke HTTP-01 single domain lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    shell: bash
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_profile_2/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_2/action.yml
new file mode 100644
index 00000000..ad08ac92
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_2/action.yml
@@ -0,0 +1,59 @@
+name: "enroll_2_profile"
+description: "wf enrollment 2 profile"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Profile 2 - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Profile 2 -  create letsencrypt and lego folder"
+    run: |
+      sudo rm -rf certbot/*
+      sudo rm -rf lego/*
+      sudo rm -rf acme-sh/*
+    shell: bash
+
+  - name: "Profile 2 - Enroll acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "Profile 2 - Revoke via acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "Profile 2 - Register certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Profile 2 - Enroll HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "Profile 2 - Revoke HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
+
+  - name: "Profile 2 - Enroll lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme  --key-type rsa2048 --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+    shell: bash
+
+  - name: "Profile 2 - Revoke HTTP-01 single domain lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    shell: bash
diff --git a/.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile/action.yml b/.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile/action.yml
new file mode 100644
index 00000000..ad1ebd31
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile/action.yml
@@ -0,0 +1,81 @@
+name: "certifier_setup_no_profile"
+description: "certifier_setup_no_profile"
+inputs:
+  WCCE_SSH_ACCESS_KEY:
+    description: "SSH access key"
+    required: true
+  WCCE_SSH_KNOWN_HOSTS:
+    description: "SSH known hosts"
+    required: true
+  WCCE_SSH_USER:
+    description: "SSH user"
+    required: true
+  WCCE_SSH_HOST:
+    description: "SSH host"
+    required: true
+  WCCE_SSH_PORT:
+    description: "SSH port"
+    required: true
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+  NCM_API_HOST:
+    description: "NCM API host"
+    required: true
+  NCM_API_USER:
+    description: "NCM API user"
+    required: true
+  NCM_API_PASSWORD:
+    description: "NCM API password"
+    required: true
+  ACME_SRV_CFG:
+    description: "acme_srv.cfg"
+    required: true
+    default: "acme_srv.cfg"
+  DATA_PATH:
+    description: "data path"
+    required: true
+  ACME_SRV_SRC:
+    description: "acme_srv.cfg source file"
+    required: true
+    default: ".github/openssl_ca_handler.py_acme_srv_default_handler.cfg"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Setup tunnel"
+    uses: ./.github/actions/wf_specific/certifier_ca_handler/tunnel_setup
+    with:
+      WCCE_SSH_USER: ${{ inputs.WCCE_SSH_USER }}
+      WCCE_SSH_HOST: ${{ inputs.WCCE_SSH_HOST }}
+      WCCE_SSH_PORT: ${{ inputs.WCCE_SSH_PORT }}
+      NCM_API_HOST: ${{ inputs.NCM_API_HOST }}
+      WCCE_SSH_KNOWN_HOSTS: ${{ inputs.WCCE_SSH_KNOWN_HOSTS }}
+      WCCE_SSH_ACCESS_KEY: ${{ inputs.WCCE_SSH_ACCESS_KEY }}
+      NCM_API_USER: ${{ inputs.NCM_API_USER }}
+      NCM_API_PASSWORD: ${{ inputs.NCM_API_PASSWORD }}
+
+  - name: "Setup a2c with certifier_ca_handler"
+    run: |
+      sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg $DATA_PATH/$ACME_SRV_CFG
+      sudo chmod 777 $DATA_PATH/$ACME_SRV_CFG
+      sudo cp test/ca/certsrv_ca_certs.pem $DATA_PATH/ca_certs.pem
+      sudo head -n -8 $ACME_SRV_SRC > $DATA_PATH/$ACME_SRV_CFG
+      sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> $DATA_PATH/$ACME_SRV_CFG
+      sudo echo "api_host: https://forwarder.acme:8084" >> $DATA_PATH/$ACME_SRV_CFG
+      sudo echo "ca_bundle: False" >> $DATA_PATH/$ACME_SRV_CFG
+      sudo echo "api_user: $NCM_API_USER" >> $DATA_PATH/$ACME_SRV_CFG
+      sudo echo "api_password: $NCM_API_PASSWORD" >> $DATA_PATH/$ACME_SRV_CFG
+      sudo echo "ca_name: $NCM_CA_NAME" >> $DATA_PATH/$ACME_SRV_CFG
+      # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> $DATA_PATH/$ACME_SRV_CFG
+    env:
+      NCM_API_HOST: ${{ inputs.NCM_API_HOST }}
+      NCM_API_USER: ${{ inputs.NCM_API_USER }}
+      NCM_API_PASSWORD: ${{ inputs.NCM_API_PASSWORD }}
+      NCM_CA_NAME: ${{ inputs.NCM_CA_NAME }}
+      NCM_CA_BUNDLE: ${{ inputs.NCM_CA_BUNDLE }}
+      DATA_PATH: ${{ inputs.DATA_PATH }}
+      ACME_SRV_CFG: ${{ inputs.ACME_SRV_CFG }}
+      ACME_SRV_SRC: ${{ inputs.ACME_SRV_SRC }}
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile/action.yml
new file mode 100644
index 00000000..69cc9627
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile/action.yml
@@ -0,0 +1,61 @@
+name: "enroll_101_profile"
+description: "wf enrollment 101 profile"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Profile 101 - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Profile 101 - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Profile 101 - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Profile 101 - Enroll acme.sh"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+    shell: bash
+
+  - name: "Profile 101 - Revoke via acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "Profile 101 - Register certbot"
+    run: |
+      sudo rm -rf certbot/*
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Profile 101 - Enroll HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+    shell: bash
+
+  - name: "Profile 101 - Revoke HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
+
+  - name: "Profile 101 - Enroll lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+    shell: bash
+
+  - name: "Profile 101 - Revoke HTTP-01 single domain lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile/action.yml
new file mode 100644
index 00000000..9362a05f
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile/action.yml
@@ -0,0 +1,61 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Profile 102 - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Profile 102 - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Profile 102 - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Profile 102 - Enroll acme.sh"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+    shell: bash
+
+  - name: "Profile 102 - Revoke via acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "Profile 102 - Register certbot"
+    run: |
+      sudo rm -rf certbot/*
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Profile 102 - Enroll HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
+
+  - name: "Profile 102 - Revoke HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
+
+  - name: "Profile 102 - Enroll lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
+
+  - name: "Profile 102 - Revoke HTTP-01 single domain lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo/action.yml
new file mode 100644
index 00000000..45f98fa9
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo/action.yml
@@ -0,0 +1,219 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+inputs:
+  RECONFIGURE:
+    description: "Reconfigure the workflow"
+    required: true
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "EAB with headerinfo - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_id"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB with headerinfo - 01 - Enroll lego without profile_id"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)"
+    id: acmefail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - check  result "
+    if: steps.acmefail01.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication"
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 02a - check  result "
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication"
+    shell: bash
+
+  - name: "EAB with headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB with headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+    if: ${{ inputs.RECONFIGURE == 'false' }}
+    id: acmefail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - check  result "
+    if: ${{ (inputs.RECONFIGURE == 'false') && (steps.acmefail02.outcome != 'failure') }}
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll acme with a allowed fqdn after reconfiguration"
+    if: ${{ inputs.RECONFIGURE == 'true' }}
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    if: ${{ inputs.RECONFIGURE == 'false' }}
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 04a - check  result"
+    if: ${{ (inputs.RECONFIGURE == 'false') && (steps.legofail02.outcome != 'failure') }}
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Enroll legowith a allowed fqdn after reconfiguration"
+    if: ${{ inputs.RECONFIGURE == 'true' }}
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing"
+    shell: bash
+
+  - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing"
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
+    id: acmefail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - check  result "
+    if: steps.acmefail03.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
+    id: legofail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB with headerinfo - 06 - check  result "
+    if: steps.legofail03.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail03.outcome }}"
+      exit 1
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo/action.yml
new file mode 100644
index 00000000..3c4554c9
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo/action.yml
@@ -0,0 +1,134 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "EAB without headerinfo - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB without headerinfo - Enroll acme.sh without profile_id"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB without headerinfo - Enroll lego without profile_id"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB without headerinfo - 02 - Enroll acme with a template_name taken from header_info NOT included in kid.json (to be ignored)"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB without headerinfo - 02 - Enroll lego with a template_name taken from header_info NOT included in kid.json (to be ignored)"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB without headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB without headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+    id: acmefail021
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB without headerinfo - 04 - check  result "
+    if: steps.acmefail021.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail021.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    id: legofail021
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB without headerinfo - 04a - check  result "
+    if: steps.legofail021.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail021.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB without headerinfo - 05 - Enroll acme with default values from acme.cfg"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing"
+    shell: bash
+
+  - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing"
+    shell: bash
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo/action.yml
new file mode 100644
index 00000000..bca8e196
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo/action.yml
@@ -0,0 +1,51 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Header-info - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Header-info - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Header-info - 01 - Enroll acme.sh with profile_id 101"
+    run: |
+      sudo rm  -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' --useragent profile_id=101 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+    shell: bash
+
+  - name: "Header-info - 01 - Enroll lego with profile_id 101"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=101 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+    shell: bash
+
+  - name: "Header-info - 02 - Enroll acme.sh with profile_id 102"
+    run: |
+      sudo rm  -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' --useragent profile_id=102 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
+
+  - name: "Header-info - 02 - Enroll lego with profile_id 102"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=102 -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile/action.yml
new file mode 100644
index 00000000..50a30fc4
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile/action.yml
@@ -0,0 +1,65 @@
+name: "enroll_no_profile"
+description: "wf enrollment without profile"
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Create folders"
+    run: |
+      sudo mkdir -p lego
+      sudo mkdir -p acme-sh
+      sudo mkdir -p certbot
+    shell: bash
+
+  - name: "No profile - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "No profile - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "No profile - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "No profile - Enroll acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+    shell: bash
+
+  - name: "No profile - Revoke via acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "No profile - Register certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "No profile - Enroll HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+    shell: bash
+
+  - name: "No profile - Revoke HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
+
+  - name: "No profile - Enroll lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+    shell: bash
+
+  - name: "No profile - Revoke HTTP-01 single domain lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/tunnel_setup/action.yml b/.github/actions/wf_specific/certifier_ca_handler/tunnel_setup/action.yml
new file mode 100644
index 00000000..c84961b4
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/tunnel_setup/action.yml
@@ -0,0 +1,71 @@
+name: "tunnel_setup"
+description: "tunnel_setup"
+inputs:
+  WCCE_SSH_ACCESS_KEY:
+    description: "SSH access key"
+    required: true
+  WCCE_SSH_KNOWN_HOSTS:
+    description: "SSH known hosts"
+    required: true
+  WCCE_SSH_USER:
+    description: "SSH user"
+    required: true
+  WCCE_SSH_HOST:
+    description: "SSH host"
+    required: true
+  WCCE_SSH_PORT:
+    description: "SSH port"
+    required: true
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+  NCM_API_HOST:
+    description: "NCM API host"
+    required: true
+  NCM_API_USER:
+    description: "NCM API user"
+    required: true
+  NCM_API_PASSWORD:
+    description: "NCM API password"
+    required: true
+runs:
+  using: "composite"
+  steps:
+  - name: "Prepare ssh environment on ramdisk "
+    run: |
+      sudo mkdir -p /tmp/rd
+      sudo mount -t tmpfs -o size=5M none /tmp/rd
+      sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
+      sudo chmod 600 /tmp/rd/ak.tmp
+      sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
+    env:
+      SSH_KEY: ${{ inputs.WCCE_SSH_ACCESS_KEY }}
+      KNOWN_HOSTS: ${{ inputs.WCCE_SSH_KNOWN_HOSTS }}
+    shell: bash
+
+  - name: "Setup ssh forwarder"
+    run: |
+        docker run -d --rm --network $NAME_SPACE --name=forwarder  -e "MAPPINGS=8084:127.0.0.1:8084" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 8080:8084 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev
+    env:
+      SSH_USER: ${{ inputs.WCCE_SSH_USER }}
+      SSH_HOST: ${{ inputs.WCCE_SSH_HOST }}
+      SSH_PORT: ${{ inputs.WCCE_SSH_PORT }}
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+      NCM_API_HOST: ${{ inputs.NCM_API_HOST }}
+    shell: bash
+
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "Test conection to mscertsrv via ssh tunnel"
+    run: |
+      docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure https://$NCM_API_USER:$NCM_API_PASSWORD@forwarder.acme:8084
+    env:
+      NCM_API_HOST: ${{ inputs.NCM_API_HOST }}
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+      NCM_API_USER: ${{ inputs.NCM_API_USER }}
+      NCM_API_PASSWORD: ${{ inputs.NCM_API_PASSWORD }}
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/digicert_ca_handler/enroll_eab/action.yml b/.github/actions/wf_specific/digicert_ca_handler/enroll_eab/action.yml
new file mode 100644
index 00000000..cc9e027c
--- /dev/null
+++ b/.github/actions/wf_specific/digicert_ca_handler/enroll_eab/action.yml
@@ -0,0 +1,98 @@
+name: "enroll_eab"
+description: "enroll_eab"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "EAB - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme.dynamop.de curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme.dynamop.de curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.dynamop.de.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -text -noout
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
+    shell: bash
+
+  - name: "EAB - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent cert_type=unknown -d lego.acme.dynamop.de --http run
+    shell: bash
+
+  - name: "EAB - 02a - check  result "
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB - 02b - Enroll lego with a template_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent cert_type=ssl_securesite_pro -d lego.acme.dynamop.de --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.dynamop.de.crt
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
+    shell: bash
+
+  - name: "EAB - 03 - Enroll lego with a template_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme.dynamop.de --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.dynamop.de.crt
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
+    shell: bash
+
+  - name: "EAB - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme1.dynamop.de --http run
+    shell: bash
+
+  - name: "EAB - 04a - check  result "
+    if: steps.legofail02.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB - 05 - Enroll lego with default values from acme.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme.dynamop.de --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.dynamop.de.crt
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
+    shell: bash
+
+  - name: "EAB - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
+    id: legofail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent cert_type=ssl_securesite_pro -d lego.acme.dynamop.de --http run
+    shell: bash
+
+  - name: "EAB - 06 - check  result "
+    if: steps.legofail03.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail03.outcome }}"
+      exit 1
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep/action.yml b/.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep/action.yml
new file mode 100644
index 00000000..11799525
--- /dev/null
+++ b/.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep/action.yml
@@ -0,0 +1,100 @@
+name: "ejbca_prep"
+description: "ejbca_prep"
+inputs:
+  RUNNER_IP:
+    description: "Runner IP"
+    required: true
+  WORKING_DIR:
+    description: "Working directory"
+    required: true
+    default: ${{ github.workspace }}
+outputs:
+  SAEC:
+    description: "Superadmin password"
+    value: ${{ env.SAEC }}
+  CAID:
+    description: "CAID of acmeca"
+    value: ${{ env.CAID }}
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Prepare Environment"
+    working-directory: ${{ inputs.WORKING_DIR }}
+    run: |
+      mkdir -p data/acme_ca
+      sudo chmod -R 777 data/acme_ca
+      sudo sh -c "echo '$EJBCA_IP ejbca' >> /etc/hosts"
+    env:
+      EJBCA_IP: ${{ inputs.RUNNER_IP }}
+    shell: bash
+
+  - name: "Instanciate ejbca server"
+    run: |
+      docker run -id --rm -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED=true -v $(pwd)/examples/ejbca:/tmp/data  -v ${{ inputs.WORKING_DIR }}/data:/tmp/store --name "ejbca" -h ejbca keyfactor/ejbca-ce
+    shell: bash
+
+  - name: "Sleep for 180s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 180s
+
+  - name: "Get randmonly generated Superadmin password for ejbca instance"
+    run: |
+      echo SAEC=$(docker logs ejbca | grep /opt/keyfactor/bin/start.sh | grep Password: | awk -F'Password: ' '{print $2}' | awk -F ' ' '{print $1}') >> $GITHUB_ENV
+    shell: bash
+
+  - run: echo "Randmonly generated Superadmin password is ${{ env.SAEC }}"
+    shell: bash
+
+  - run: sudo echo  ${{ env.SAEC }} >  ${{ inputs.WORKING_DIR }}/data/passphrase.txt
+    shell: bash
+
+  - name: "Configure ejbca"
+    run: |
+      docker exec -i ejbca bin/ejbca.sh ca getcacert --caname ManagementCA -f /tmp/store/acme_ca/ca_bundle.pem
+      docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management"
+      docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management V2"
+      docker exec -i ejbca bin/ejbca.sh ca init acmeca "CN=acmeca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA
+    shell: bash
+
+  - name: "Get CAID"
+    run: |
+      echo CAID=$(docker logs ejbca | grep "msg=CA with id" | grep "and name acmeca added" | awk -F'with id ' '{print $2}' | awk -F' and name' '{print $1}') >> $GITHUB_ENV
+    shell: bash
+
+  - run: echo "CAID of acmeca is ${{ env.CAID }}"
+    shell: bash
+
+  - name: "Create subca"
+    run: |
+      docker exec -i ejbca bin/ejbca.sh ca init acmesubca "CN=acmesubca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby $CAID
+      docker exec -i ejbca bin/ejbca.sh ca importprofiles -d /tmp/data/
+    env:
+      CAID: ${{ env.CAID }}
+    shell: bash
+
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Fetch superadmin certificate and key"
+    working-directory: ${{ inputs.WORKING_DIR }}
+    run: |
+      docker exec -i ejbca bin/ejbca.sh ra setendentitystatus superadmin 10
+      docker exec -i ejbca bin/ejbca.sh ra setclearpwd superadmin $SAEC
+      docker exec -i ejbca bin/ejbca.sh batch
+      docker cp ejbca:/opt/keyfactor/p12/superadmin.p12 data/acme_ca/
+    env:
+      SAEC: ${{ env.SAEC }}
+    shell: bash
+
+  - name: "Test superadmin  certificate and key"
+    working-directory: ${{ inputs.WORKING_DIR }}
+    run: |
+      curl https://127.0.0.1/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --insecure
+      curl https://ejbca/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --cacert data/acme_ca/ca_bundle.pem
+    env:
+      SAEC: ${{ env.SAEC }}
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo/action.yml b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo/action.yml
new file mode 100644
index 00000000..4ebcabe0
--- /dev/null
+++ b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo/action.yml
@@ -0,0 +1,109 @@
+name: "enroll_w_headerinfo"
+description: "enroll_w_headerinfo"
+inputs:
+  ASA_CA_NAME1:
+    description: "ASA CA 1"
+    required: true
+  ASA_CA_NAME2:
+    description: "ASA CA 2"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB wit headerinfo - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server"
+    shell: bash
+
+  - name: "EAB with headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)"
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+    shell: bash
+
+  - name: EAB with headerinfo 01c - check  result "
+    if: steps.legofail02.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent ca_name=foo -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent cert_profile_name=acmeca2 -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout  | grep -i acmeca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB with headerinfo - 02 -  profilinging ca and cert_profile"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)"
+    id: legofail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run
+    shell: bash
+
+  - name: EAB with headerinfo - 03 - check  result "
+    if: steps.legofail03.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail03.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server"
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo/action.yml b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo/action.yml
new file mode 100644
index 00000000..bbf85f97
--- /dev/null
+++ b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo/action.yml
@@ -0,0 +1,79 @@
+name: "enroll_wo_headerinfo"
+description: "enroll_wo_headerinfo"
+
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB without headerinfo - 01a - enrollment without header-info field (first value in list)"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB without headerinfo - 01b - enrollment with header-info field included in list (silent ignore)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB without headerinfo - 01c - with header-info field containing value not included in list (silent ignore)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB without headerinfo - 02 -  profilinging ca and cert_profile"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+
+  - name: "EAB without headerinfo - 03 - domainlist validation fails (to fail)"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run
+    shell: bash
+
+  - name: EAB without headerinfo - 03 - check  result "
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB without headerinfo - 04 - Settings from acme_srv.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server"
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/enrollment_timeout/enroll/action.yml b/.github/actions/wf_specific/enrollment_timeout/enroll/action.yml
new file mode 100644
index 00000000..f490f1b1
--- /dev/null
+++ b/.github/actions/wf_specific/enrollment_timeout/enroll/action.yml
@@ -0,0 +1,88 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+inputs:
+  DEPLOYMENT_TYPE:
+    description: "Deployment type"
+    required: true
+    default: "container"
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Enroll acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme  --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+    shell: bash
+
+  - name: "Check timeout"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+        docker exec acme-srv grep "Certificate.enroll_and_store() ended with: None:timeout" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "Enroll acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme  --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+    shell: bash
+
+  - name: "Check certificate reusage"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs | grep "Certificate._enroll(): reuse existing certificate"
+      elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+        docker exec acme-srv grep "Certificate._enroll(): reuse existing certificate" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "Enroll Lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme  --cert.timeout 180 --http run
+    shell: bash
+
+  - name: "Check timeout"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      fi
+    shell: bash
+
+  - name: "Register certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Enroll certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --issuance-timeout 180
+    shell: bash
+
+  - name: "Check timeout"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      fi
+    shell: bash
diff --git a/.github/actions/wf_specific/entrust_ca_handler/enroll/action.yml b/.github/actions/wf_specific/entrust_ca_handler/enroll/action.yml
new file mode 100644
index 00000000..697565b0
--- /dev/null
+++ b/.github/actions/wf_specific/entrust_ca_handler/enroll/action.yml
@@ -0,0 +1,237 @@
+name: "acme_clients - enroll, renew and revoke certificates"
+description: "Test if acme.sh, certbot and lego can enroll, renew and certificates"
+inputs:
+  ACME_SERVER:
+    description: "ACME server URL"
+    required: true
+    default: "acme-srv"
+  REVOCATION:
+    description: "Revocation method"
+    required: true
+    default: "true"
+  USE_RSA:
+    description: "Use RSA"
+    required: true
+    default: "false"
+  HTTP_PORT:
+    description: "HTTP port"
+    required: true
+    default: "80"
+  HTTPS_PORT:
+    description: "HTTPS port"
+    required: true
+    default: "443"
+  HOSTNAME_SUFFIX:
+    description: "Hostname suffix"
+    required: true
+  NAME_SPACE:
+    description: "Namespace"
+    required: true
+    default: "acme"
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: "Create directories"
+      run: |
+        sudo mkdir -p certbot/
+        sudo mkdir -p lego/ca
+        sudo cp .github/acme2certifier_cabundle.pem certbot/
+        sudo cp .github/acme2certifier_cabundle.pem lego/
+        if [ -f cert-2.pem ]; then
+          echo "delete cert-2.pem"
+          rm -f cert-2.pem
+        fi
+        if [ -f cert-1.pem ]; then
+          echo "delete cert-1.pem"
+          rm -f cert-1.pem
+        fi
+        ls -la
+      shell: bash
+
+    - name: "Sleep for 5s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 5s
+
+    - name: "Test if http://acme-srv/directory is accessible"
+      run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://$ACME_SERVER:$HTTP_PORT/directory
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://$ACME_SERVER:$HTTPS_PORT/directory
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Enroll lego"
+      run: |
+        echo "##### HTTP - Enroll lego #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
+        else
+          echo "use RSA"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
+        fi
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Revoke lego"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "#### HTTP - Revoke lego"
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Enroll acme.sh"
+      run: |
+        echo "##### HTTPS - Enroll acme.sh #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --debug 1 --output-insecure --insecure
+          ECC="_ecc"
+        else
+          echo "use RSA"
+          docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --keylength 2048 --debug 1 --output-insecure --insecure
+        fi
+
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            echo "Multiple CA certs"
+            openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          else
+            echo "Single Root ca"
+            openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Revoke HTTP-01 single domain acme.sh"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "##### HTTPS - Revoke HTTP-01 single domain acme.sh #####"
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --revoke --server https://$ACME_SERVER:$HTTPS_PORT --revoke -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 2 --output-insecure  --insecure
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Decativate acme.sh #####"
+      run: |
+        echo "##### HTTPS - Decativate acme.sh"
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --deactivate-account --server https://$ACME_SERVER:$HTTPS_PORT --debug 2 --output-insecure --insecure
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Enroll certbot"
+      run: |
+        echo "##### HTTPS - Enroll certbot #####"
+        if [ "$USE_RSA" == "false" ]; then
+          docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
+        else
+          docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' --key-type rsa -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
+        fi
+
+        if [ "$VERIFY_CERT" == "true" ]; then
+          if [ -f cert-2.pem ]; then
+            sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+          else
+            echo "single root ca"
+            sudo openssl verify -CAfile cert-1.pem certbot/live/certbot/cert.pem
+          fi
+        fi
+      shell: bash
+      env:
+        VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTPS - Revoke certbot"
+      if: ${{ inputs.REVOCATION == 'true' }}
+      run: |
+        echo "##### HTTPS - Revoke certbot #####"
+        docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --server https://$ACME_SERVER:$HTTPS_PORT --no-verify-ssl --delete-after-revoke --cert-name certbot
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "HTTP - Enroll lego with wrong domain - should fail"
+      id: legofail01
+      continue-on-error: true
+      run: |
+        echo "##### HTTP - Enroll lego #####"
+        if [ "$USE_RSA" == "false" ]; then
+          echo "use ECC"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.acme --tls run
+        else
+          echo "use RSA"
+          docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.acme --tls run
+        fi
+      shell: bash
+      env:
+        ACME_SERVER: ${{ inputs.ACME_SERVER }}
+        HTTP_PORT: ${{ inputs.HTTP_PORT }}
+        HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
+        USE_RSA: ${{ inputs.USE_RSA }}
+        HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
+        NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+    - name: "Check  result "
+      if: steps.legofail01.outcome != 'failure'
+      run: |
+        echo "legofail outcome is ${{steps.legofail01.outcome }}"
+        exit 1
+      shell: bash
+
+    - name: "Delete acme-sh, letsencypt and lego folders"
+      run: |
+        sudo rm -rf  lego/*
+        sudo rm -rf  acme-sh/*
+        sudo rm -rf  certbot/*
+      shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/entrust_ca_handler/enroll_eab/action.yml b/.github/actions/wf_specific/entrust_ca_handler/enroll_eab/action.yml
new file mode 100644
index 00000000..1ea5936b
--- /dev/null
+++ b/.github/actions/wf_specific/entrust_ca_handler/enroll_eab/action.yml
@@ -0,0 +1,41 @@
+name: "enroll_eab"
+description: "enroll_eab"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "EAB - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network rm-rf.ninja curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network rm-rf.ninja curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network rm-rf.ninja goacme/lego -s http://acme-srv -a --email "lego@example.com"  --key-type=rsa2048 --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.rm-rf.ninja --http run
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network rm-rf.ninja goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.rm-rf.ninja revoke
+    shell: bash
+
+  - name: "EAB - 02 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network rm-rf.ninja goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.rm-rf.ninja --http run
+    shell: bash
+
+  - name: "EAB - 04a - check  result "
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
diff --git a/.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list/action.yml b/.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list/action.yml
new file mode 100644
index 00000000..fd1c6337
--- /dev/null
+++ b/.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list/action.yml
@@ -0,0 +1,55 @@
+name: "enroll_allowed_domain_list"
+description: "enroll_allowed_domain_list"
+inputs:
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://acme-srv/directory
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "Enroll acme.sh with fqdn not part of allowed_domainlist (should fail)"
+    id: acmefail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE  --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "Check result "
+    if: steps.acmefail01.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+      exit 1
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "Enroll acme.sh with fqdn part of allowed_domainlist"
+    run: |
+      sudo rm -rf acme-sh/
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE  --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      openssl verify -CAfile cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
\ No newline at end of file
diff --git a/.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo/action.yml b/.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo/action.yml
new file mode 100644
index 00000000..7aa2dc2c
--- /dev/null
+++ b/.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo/action.yml
@@ -0,0 +1,59 @@
+name: "enroll_default_headerinfo"
+description: "enroll_default_headerinfo"
+inputs:
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network ${{ inputs.NAME_SPACE }} curlimages/curl -f http://acme-srv/directory
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network ${{ inputs.NAME_SPACE }} curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "Enroll acme.sh with template in acme_srv.cfg (WebServer)"
+    run: |
+      sudo rm -rf acme-sh/
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network ${{ inputs.NAME_SPACE }}  --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.${{ inputs.NAME_SPACE }} --alpn --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.${{ inputs.NAME_SPACE }}_ecc/ca.cer
+      openssl verify -CAfile cert-1.pem acme-sh/acme-sh.${{ inputs.NAME_SPACE }}_ecc/acme-sh.${{ inputs.NAME_SPACE }}.cer
+      openssl x509 -in acme-sh/acme-sh.${{ inputs.NAME_SPACE }}_ecc/acme-sh.${{ inputs.NAME_SPACE }}.cer -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
+
+  - name: "Enroll lego with template in acme_srv.cfg (WebServer)"
+    run: |
+      sudo rm -rf lego/
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network ${{ inputs.NAME_SPACE }} goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.${{ inputs.NAME_SPACE }} --http run
+      sudo openssl verify -CAfile cert-1.pem lego/certificates/lego.${{ inputs.NAME_SPACE }}.crt
+      sudo openssl x509 -in lego/certificates/lego.${{ inputs.NAME_SPACE }}.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
+
+  - name: "Enroll acme.sh with template submitted in command line (WebServerModified)"
+    run: |
+      sudo rm -rf acme-sh/
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network ${{ inputs.NAME_SPACE }} --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.${{ inputs.NAME_SPACE }} --alpn --standalone --useragent template=WebServerModified --keylength 2048 --debug 3 --output-insecure
+      openssl verify -CAfile cert-1.pem acme-sh/acme-sh.${{ inputs.NAME_SPACE }}/acme-sh.${{ inputs.NAME_SPACE }}.cer
+      openssl x509 -in acme-sh/acme-sh.${{ inputs.NAME_SPACE }}/acme-sh.${{ inputs.NAME_SPACE }}.cer -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+    shell: bash
+
+  - name: "Enroll lego with template submitted in command line (WebServerModified)"
+    run: |
+      sudo rm -rf lego/
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network ${{ inputs.NAME_SPACE }} goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.${{ inputs.NAME_SPACE }} --http run
+      sudo openssl verify -CAfile cert-1.pem lego/certificates/lego.${{ inputs.NAME_SPACE }}.crt
+      sudo openssl x509 -in lego/certificates/lego.${{ inputs.NAME_SPACE }}.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+    shell: bash
diff --git a/.github/actions/wf_specific/ms_ca_handler/enroll_eab/action.yml b/.github/actions/wf_specific/ms_ca_handler/enroll_eab/action.yml
new file mode 100644
index 00000000..ce649c0e
--- /dev/null
+++ b/.github/actions/wf_specific/ms_ca_handler/enroll_eab/action.yml
@@ -0,0 +1,125 @@
+name: "enroll_default_headerinfo"
+description: "enroll_default_headerinfo"
+inputs:
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://acme-srv/directory
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServer --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)"
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent template=Unknown --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: EAB with headerinfo 01c - check  result "
+    if: steps.legofail02.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent ca_name=foo --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)"
+    run: |
+      sudo rm -rf lego/*
+      sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com"  --user-agent user=user --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 02 -  template from profile"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep "TLS Web Client"
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)"
+    id: legofail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 03 - check  result "
+    if: steps.legofail03.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail03.outcome }}"
+      exit 1
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+
+  - name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep "TLS Web Server"
+    shell: bash
+    env:
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
\ No newline at end of file
diff --git a/.github/actions/wf_specific/ms_ca_handler/tunnel_setup/action.yml b/.github/actions/wf_specific/ms_ca_handler/tunnel_setup/action.yml
new file mode 100644
index 00000000..e3cda1ad
--- /dev/null
+++ b/.github/actions/wf_specific/ms_ca_handler/tunnel_setup/action.yml
@@ -0,0 +1,76 @@
+name: "tunnel_setup"
+description: "tunnel_setup"
+inputs:
+  WCCE_SSH_ACCESS_KEY:
+    description: "SSH access key"
+    required: true
+  WCCE_SSH_KNOWN_HOSTS:
+    description: "SSH known hosts"
+    required: true
+  WCCE_FQDN_WOTLD:
+    description: "FQDN without top level domain"
+    required: true
+  WCCE_FQDN:
+    description: "FQDN"
+    required: true
+  WCCE_HOST:
+    description: "WCCE host"
+    required: true
+  WCCE_SSH_USER:
+    description: "SSH user"
+    required: true
+  WCCE_SSH_HOST:
+    description: "SSH host"
+    required: true
+  WCCE_SSH_PORT:
+    description: "SSH port"
+    required: true
+  NAME_SPACE:
+    description: "namespace"
+    required: true
+    default: "acme"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Prepare ssh environment on ramdisk "
+    run: |
+      sudo mkdir -p /tmp/rd
+      sudo mount -t tmpfs -o size=5M none /tmp/rd
+      sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
+      sudo chmod 600 /tmp/rd/ak.tmp
+      sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
+    env:
+      SSH_KEY: ${{ inputs.WCCE_SSH_ACCESS_KEY }}
+      KNOWN_HOSTS: ${{ inputs.WCCE_SSH_KNOWN_HOSTS }}
+    shell: bash
+
+  - name: "Setup ssh forwarder"
+    run: |
+        docker run -d --rm --network $NAME_SPACE --name=$WCCE_FQDN_WOTLD  -e "MAPPINGS=445:$WCCE_HOST:445; 443:$WCCE_HOST:443; 88:$WCCE_HOST:88" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev
+    env:
+      SSH_USER: ${{ inputs.WCCE_SSH_USER }}
+      SSH_HOST: ${{ inputs.WCCE_SSH_HOST }}
+      SSH_PORT: ${{ inputs.WCCE_SSH_PORT }}
+      WCCE_HOST: ${{ inputs.WCCE_HOST }}
+      WCCE_FQDN_WOTLD: ${{ inputs.WCCE_FQDN_WOTLD }}
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+    shell: bash
+
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test conection to mscertsrv via ssh tunnel"
+    run: |
+      docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://$WCCE_FQDN
+    env:
+      WCCE_FQDN: ${{ inputs.WCCE_FQDN }}
+      NAME_SPACE: ${{ inputs.NAME_SPACE }}
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity/action.yml b/.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity/action.yml
new file mode 100644
index 00000000..67378dc8
--- /dev/null
+++ b/.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity/action.yml
@@ -0,0 +1,44 @@
+name: "enroll_w_headerinfo"
+description: "enroll_w_headerinfo"
+inputs:
+  ASA_CA_NAME1:
+    description: "ASA CA 1"
+    required: true
+  ASA_CA_NAME2:
+    description: "ASA CA 2"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Register certbot"
+    run: |
+      sudo rm -rf certbot/*
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Enroll certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Not After : Jun  9 17:17:00 2030 GMT"
+    shell: bash
+
+  - name: "Revoke certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce/action.yml b/.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce/action.yml
new file mode 100644
index 00000000..55566c3d
--- /dev/null
+++ b/.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce/action.yml
@@ -0,0 +1,47 @@
+name: "enroll_w_headerinfo"
+description: "enroll_w_headerinfo"
+inputs:
+  ASA_CA_NAME1:
+    description: "ASA CA 1"
+    required: true
+  ASA_CA_NAME2:
+    description: "ASA CA 2"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Register certbot"
+    run: |
+      sudo rm -rf certbot/*
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Enroll certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Subject: CN = certbot.acme"
+    shell: bash
+
+  - name: "Revoke certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate/action.yml b/.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate/action.yml
new file mode 100644
index 00000000..d21fd789
--- /dev/null
+++ b/.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate/action.yml
@@ -0,0 +1,78 @@
+name: "enroll_w_headerinfo"
+description: "enroll_w_headerinfo"
+inputs:
+  ASA_CA_NAME1:
+    description: "ASA CA 1"
+    required: true
+  ASA_CA_NAME2:
+    description: "ASA CA 2"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Enroll acme.sh"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      # verify aborts due to unhandled critical extension
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, OCSP Signing"
+    shell: bash
+
+  - name: "Revoke via acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "Register certbot"
+    run: |
+      sudo rm -rf certbot/*
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Enroll certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      # verify aborts due to unhandled critical extension
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, OCSP Signing"
+    shell: bash
+
+  - name: "Revoke certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+    shell: bash
+
+  - name: "Enroll lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+      # verify aborts due to unhandled critical extension
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, OCSP Signing"
+    shell: bash
+
+  - name: "Revoke lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep/action.yml b/.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep/action.yml
new file mode 100644
index 00000000..a887d318
--- /dev/null
+++ b/.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep/action.yml
@@ -0,0 +1,97 @@
+name: "ejbca_prep"
+description: "ejbca_prep"
+inputs:
+  RUNNER_IP:
+    description: "Runner IP"
+    required: true
+  WORKING_DIR:
+    description: "Working directory"
+    required: true
+    default: ${{ github.workspace }}
+
+runs:
+  using: "composite"
+  steps:
+
+  - name: "Prepare Environment"
+    working-directory: ${{ inputs.WORKING_DIR }}
+    run: |
+      mkdir -p data/acme_ca
+      mkdir -p /tmp/openxpki
+      sudo chmod -R 777 data
+      sudo sh -c "echo '$OPENXPKI_IP openxpki' >> /etc/hosts"
+      sudo cat /etc/hosts
+    env:
+      OPENXPKI_IP: ${{ inputs.RUNNER_IP }}
+    shell: bash
+
+  - name: "Instanciate OpenXPKI server"
+    working-directory: /tmp/openxpki
+    run: |
+      sudo apt-get install -y docker-compose
+      git clone https://github.com/openxpki/openxpki-docker.git
+      cd openxpki-docker/
+      git clone https://github.com/openxpki/openxpki-config.git  --single-branch --branch=community
+      cd openxpki-config/
+      # git checkout a86981e2929e68f3fe3530a83bdb7a4436dfd604
+      cd ..
+      sed -i "s/value: 0/value: 1/g"  openxpki-config/config.d/realm/democa/est/default.yaml
+      sed -i "s/cert_profile: tls_server/cert_profile: tls_client/g"  openxpki-config/config.d/realm/democa/est/default.yaml
+      sed -i "s/approval_points: 1/approval_points: 0/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
+      sed -i "s/export_certificate: chain/export_certificate: fullchain/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
+      sed -i "s/dn: CN=\[\% CN.0 \%\],DC=Test Deployment,DC=OpenXPKI,DC=org/dn: CN=\[\% SAN_DNS.0 \%\]/g" openxpki-config/config.d/realm.tpl/profile/tls_server.yaml
+      cp contrib/wait_on_init.yaml  openxpki-config/config.d/system/local.yam
+      docker-compose up &
+    shell: bash
+
+  - name: "Sleep for 60s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 60s
+
+  - name: "Fix 1st time start issues with OpenXPKI server"
+    working-directory: /tmp/openxpki/openxpki-docker
+    run: |
+      docker ps
+      docker stop openxpki-docker_openxpki-server_1
+      docker start openxpki-docker_openxpki-server_1
+    shell: bash
+
+  - name: "Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "Configure OpenXPKI server"
+    working-directory: /tmp/openxpki
+    run: |
+      docker ps
+      docker exec -id openxpki-docker_openxpki-server_1 /bin/bash /etc/openxpki/contrib/sampleconfig.sh
+      docker exec -id openxpki-docker_openxpki-client_1 apt-get install -y libjson-pp-perl
+    shell: bash
+
+  - name: "Sleep for 45s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 45s
+
+  - name: "Enroll keys for Client-authentication via scep"
+    working-directory: ${{ inputs.WORKING_DIR }}
+    run: |
+      sudo openssl genrsa -out data/acme_ca/client_key.pem 2048
+      sudo openssl req -new -key data/acme_ca/client_key.pem -subj '/CN=a2c:pkiclient,O=acme' -outform der | base64 > /tmp/request.pem
+      curl -v -H "Content-Type: application/pkcs10" --data @/tmp/request.pem  https://$OPENXPKI_IP:8443/.well-known/est/simpleenroll --insecure  | base64 -d > /tmp/cert.p7b
+      sudo openssl pkcs7 -print_certs -in /tmp/cert.p7b -inform der -out data/acme_ca/client_crt.pem
+      sudo openssl pkcs12 -export -out data/acme_ca/client_crt.p12 -inkey  data/acme_ca/client_key.pem -in data/acme_ca/client_crt.pem -passout pass:Test1234
+      sudo openssl rsa -noout -modulus -in data/acme_ca/client_key.pem | openssl md5
+      sudo openssl x509 -noout -modulus -in data/acme_ca/client_crt.pem  | openssl md5
+      sudo chmod a+r data/acme_ca/client_key.pem
+      sudo chmod a+r data/acme_ca/client_crt.pem
+      sudo chmod a+r data/acme_ca/client_crt.p12
+      curl https://$OPENXPKI_IP:8443/.well-known/est/cacerts --insecure | base64 -d > /tmp/cacert.p7b
+      sudo openssl pkcs7 -print_certs -in /tmp/cacert.p7b -inform der -out data/acme_ca/ca_bundle.pem
+      sudo chmod a+rw data/acme_ca/ca_bundle.pem
+      sudo openssl s_client -connect $OPENXPKI_IP:8443 2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> data/acme_ca/ca_bundle.pem
+    env:
+      OPENXPKI_IP: ${{ inputs.RUNNER_IP }}
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_eab/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_eab/action.yml
new file mode 100644
index 00000000..3970d494
--- /dev/null
+++ b/.github/actions/wf_specific/xca_ca_handler/enroll_eab/action.yml
@@ -0,0 +1,210 @@
+name: "enroll_eab"
+description: "enroll_eab"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "EAB - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - 01 - Enroll acme with a template_name taken from list in kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing"
+    shell: bash
+
+  - name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing"
+    shell: bash
+
+  - name: "EAB - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)"
+    id: acmefail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB - 02a - check  result "
+    if: steps.acmefail01.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB - 02b - Enroll acme with a template_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "EAB - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=unknown -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB - 02a - check  result "
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB - 02b - Enroll lego with a template_name taken from header_info included in kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=acme -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "EAB - 03 - Enroll acme with a template_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing"
+    shell: bash
+
+  - name: "EAB - 03 - Enroll lego with a template_name/ca_name taken from kid.json"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing"
+    shell: bash
+
+  - name: "EAB - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+    id: acmefail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB - 04 - check  result "
+    if: steps.acmefail02.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB - 04a - check  result "
+    if: steps.legofail02.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB - 05 - Enroll acme with default values from acme.cfg"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "EAB - 05 - Enroll lego with default values from acme.cfg"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "EAB - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
+    id: acmefail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure
+    shell: bash
+
+  - name: "EAB - 06 - check  result "
+    if: steps.acmefail03.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "EAB - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
+    id: legofail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent template_name=acme -d lego.acme --http run
+    shell: bash
+
+  - name: "EAB - 06 - check  result "
+    if: steps.legofail03.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail03.outcome }}"
+      exit 1
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp/action.yml
new file mode 100644
index 00000000..9b97905d
--- /dev/null
+++ b/.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp/action.yml
@@ -0,0 +1,362 @@
+name: "enroll_eab"
+description: "enroll_eab"
+inputs:
+  DEPLOYMENT_TYPE:
+    description: "Deployment type"
+    required: true
+    default: "container"
+
+
+runs:
+  using: "composite"
+  steps:
+  - name: "EAB - Sleep for 10s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 10s
+
+  - name: "EAB - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "EAB - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "EAB SP - 01a - SUCC - Enroll acme - 1st list entry"
+    run: |
+      mkdir -p acme-sh
+      sudo rm -rf acme-sh/*
+      openssl genrsa -out acme-sh/acme-sh.acme.key 2048
+      openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme1/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+    shell: bash
+
+  - name: "EAB SP - 01a - SUCC - Enroll lego - 1st list entry"
+    run: |
+      sudo mkdir -p lego
+      sudo rm -rf lego/*
+      sudo openssl genrsa -out lego/lego.acme.key 2048
+      sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme1/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+    shell: bash
+
+  - name: "EAB SP - 01B - SUCC - Enroll acme - 2nd list entry"
+    run: |
+      sudo rm -rf acme-sh/*
+      openssl genrsa -out acme-sh/acme-sh.acme.key 2048
+      openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+    shell: bash
+
+  - name: "EAB SP - 01B - SUCC - Enroll lego - 2nd list entry"
+    run: |
+      sudo rm -rf lego/*
+      sudo openssl genrsa -out lego/lego.acme.key 2048
+      sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+    shell: bash
+
+  - name: "EAB SP - 01C - FAIL - Enroll acme - entry not in list"
+    id: acmefail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      openssl genrsa -out acme-sh/acme-sh.acme.key 2048
+      openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme3/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.acmefail01.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "EAB SP - 01C - Fail - Enroll lego - entry not in list"
+    id: legofail01
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      sudo openssl genrsa -out lego/lego.acme.key 2048
+      sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme3/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.legofail01.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail01.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "EAB SP - 02 - FAIL - Enroll acme - wildcard entry not present"
+    id: acmefail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      openssl genrsa -out acme-sh/acme-sh.acme.key 2048
+      openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme1/C=AC' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.acmefail02.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "failed for: \['serialNumber'\]"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "failed for: \['serialNumber'\]" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "EAB SP - 02 - FAIL - Enroll lego - wildcard entry not present"
+    id: legofail02
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      sudo openssl genrsa -out lego/lego.acme.key 2048
+      sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme1/C=AC' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.legofail02.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail02.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "failed for: \['serialNumber'\]"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "failed for: \['serialNumber'\]" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "EAB SP - 03 - FAIL - Enroll acme - string check failed"
+    id: acmefail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      openssl genrsa -out acme-sh/acme-sh.acme.key 2048
+      openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=noacme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.acmefail03.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "failed for: organizationName: value: noacme corp expected: acme corp"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "failed for: organizationName: value: noacme corp expected: acme corp" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "EAB SP - 03 - FAIL - Enroll lego - string check failed"
+    id: legofail03
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      sudo openssl genrsa -out lego/lego.acme.key 2048
+      sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=noacme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.legofail03.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail03.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "failed for: organizationName: value: noacme corp expected: acme corp"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "failed for: organizationName: value: noacme corp expected: acme corp" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "EAB SP - 04 - FAIL - Enroll acme - string parameter not present"
+    id: acmefail04
+    continue-on-error: true
+    run: |
+      sudo rm -rf acme-sh/*
+      openssl genrsa -out acme-sh/acme-sh.acme.key 2048
+      openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme2/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.acmefail04.outcome != 'failure'
+    run: |
+      echo "acmefail outcome is ${{steps.acmefail04.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "failed for: \['countryName'\]"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "failed for: \['countryName'\]" /var/log/messages
+      fi
+    shell: bash
+
+  - name: "EAB SP - 04 - FAIL - Enroll acme - string parameter not present"
+    id: legofail04
+    continue-on-error: true
+    run: |
+      sudo rm -rf lego/*
+      sudo openssl genrsa -out lego/lego.acme.key 2048
+      sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme2/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+    shell: bash
+
+  - name: "Check result"
+    if: steps.legofail04.outcome != 'failure'
+    run: |
+      echo "legofail outcome is ${{steps.legofail04.outcome }}"
+      exit 1
+    shell: bash
+
+  - name: "Sleep for 2s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 2s
+
+  - name: "Check logs for errors"
+    working-directory: examples/Docker/
+    run: |
+      if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then
+        docker-compose logs > docker-compose.log
+        cat docker-compose.log | grep "failed for: \['countryName'\]"
+        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+      # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then
+      #  docker exec acme-srv grep "failed for: \['countryName'\]" /var/log/messages
+      fi
+    shell: bash
+
diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo/action.yml
new file mode 100644
index 00000000..ea3c88d7
--- /dev/null
+++ b/.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo/action.yml
@@ -0,0 +1,68 @@
+name: "enroll_headerinfo"
+description: "enroll_headerinfo"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "Header-info - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Header-info - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Header-info - 01 - Enroll acme.sh without template_name"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "Header-info - 01 - Enroll lego without template_name"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "Header-info - 02 - Enroll acme.sh with template_name template"
+    run: |
+      sudo rm -rf acme-sh/*
+      # docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' --useragent template_name=template -d acme-sh.acme --standalone --debug 3 --output-insecure
+      awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing"
+    shell: bash
+
+  - name: "Header-info - 02 - Enroll lego with template_name template"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template_name=template -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing"
+    shell: bash
+
+  - name: "Delete acme-sh, letsencypt and lego folders"
+    run: |
+      sudo rm -rf  lego/*
+      sudo rm -rf  acme-sh/*
+      sudo rm -rf  certbot/*
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_no_template/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_no_template/action.yml
new file mode 100644
index 00000000..2de41d0f
--- /dev/null
+++ b/.github/actions/wf_specific/xca_ca_handler/enroll_no_template/action.yml
@@ -0,0 +1,56 @@
+name: "enroll_no_template"
+description: "enroll_no_template"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "No template - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "No template - Enroll acme.sh"
+    run: |
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "No template - Register certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "No template - Enroll HTTP-01 single domain certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "No template - Enroll lego"
+    run: |
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication"
+    shell: bash
+
+  - name: "Delete acme-sh, letsencypt and lego folders"
+    run: |
+      sudo rm -rf  lego/*
+      sudo rm -rf  acme-sh/*
+      sudo rm -rf  certbot/*
+    shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_template/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_template/action.yml
new file mode 100644
index 00000000..e0981ce3
--- /dev/null
+++ b/.github/actions/wf_specific/xca_ca_handler/enroll_template/action.yml
@@ -0,0 +1,60 @@
+name: "enroll_template"
+description: "enroll_template"
+
+runs:
+  using: "composite"
+  steps:
+  - name: "Sleep for 5s"
+    uses: juliangruber/sleep-action@v2.0.3
+    with:
+      time: 5s
+
+  - name: "Template - Test http://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    shell: bash
+
+  - name: "Template - Test if https://acme-srv/directory is accessible"
+    run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+    shell: bash
+
+  - name: "Template - Enroll acme.sh"
+    run: |
+      sudo rm -rf acme-sh/*
+      docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+      openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "Template - Register certbot"
+    run: |
+      sudo rm -rf certbot/*
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    shell: bash
+
+  - name: "Template - Enroll certbot"
+    run: |
+      docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  certbot/live/certbot/cert.pem
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "Template - Enroll lego"
+    run: |
+      sudo rm -rf lego/*
+      docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+      sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
+      sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
+    shell: bash
+
+  - name: "Delete acme-sh, letsencypt and lego folders"
+    run: |
+      sudo rm -rf  lego/*
+      sudo rm -rf  acme-sh/*
+      sudo rm -rf  certbot/*
+    shell: bash
\ No newline at end of file
diff --git a/.github/k8s-acme-srv.yml b/.github/k8s-acme-srv.yml
index 4de1bd9a..7ccd8027 100644
--- a/.github/k8s-acme-srv.yml
+++ b/.github/k8s-acme-srv.yml
@@ -14,11 +14,20 @@ metadata:
 spec:
   hostname: acme-srv
   dnsPolicy: "None"
+  automountServiceAccountToken: false
   dnsConfig:
     nameservers:
       - DNSMASQ_IP
   containers:
     - name: acme2certifier
+      resources:
+        requests:
+          cpu: "250m"
+          memory: "256Mi"
+          ephemeral-storage: "1Gi"
+        limits:
+          memory: "512Mi"
+          ephemeral-storage: "1Gi"
       image: grindsa/acme2certifier:devel
       imagePullPolicy: Never
       ports:
diff --git a/.github/k8s-cert-mgr-http-01.yml b/.github/k8s-cert-mgr-http-01.yml
index 73f46812..340b8b18 100644
--- a/.github/k8s-cert-mgr-http-01.yml
+++ b/.github/k8s-cert-mgr-http-01.yml
@@ -12,9 +12,19 @@ spec:
       labels:
         app: webserver-app
     spec:
+      automountServiceAccountToken: false
       containers:
         - name: webserver-app
           image: nginx:1.8
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "128Mi"
+              ephemeral-storage: "1Gi"
+            limits:
+              cpu: "500m"
+              memory: "256Mi"
+              ephemeral-storage: "1Gi"
 ---
 apiVersion: v1
 kind: Service
diff --git a/.github/workflows/acme_sh-application-test.yml b/.github/workflows/acme_sh-application-test.yml
deleted file mode 100644
index c4908b75..00000000
--- a/.github/workflows/acme_sh-application-test.yml
+++ /dev/null
@@ -1,523 +0,0 @@
-name: Application Tests - acme_sh
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  acme_sh_apache2_wsgi:
-    name: "acme_sh_apache2_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        accountkeylength: [2048, ec-256, ec-521]
-        keylength: [2048, 4096, ec-521]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme${ECC}/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure
-
-    - name: "[ ENROLL ] HTTP-01 2x domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-
-    - name: "[ DEACTIVATE ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
-
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: acme_sh_apache2_wsgi-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  acme_sh_apache2_django:
-    name: "acme_sh_apache2_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        accountkeylength: [2048, ec-256, ec-521]
-        keylength: [2048, 4096, ec-521]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme${ECC}/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure
-
-    - name: "[ ENROLL ] HTTP-01 2x domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-
-    - name: "[ DEACTIVATE ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
-
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: acme_sh_apache2_django-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  acme_sh_nginx_wsgi:
-    name: "acme_sh_nginx_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        accountkeylength: [2048, ec-256, ec-521]
-        keylength: [2048, 4096, ec-521]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme${ECC}/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure
-
-    - name: "[ ENROLL ] HTTP-01 2x domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-
-    - name: "[ DEACTIVATE ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
-
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: acme_sh_nginx_wsgi-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  acme_sh_nginx_django:
-    name: "acme_sh_nginx_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        accountkeylength: [2048, ec-256, ec-521]
-        keylength: [2048, 4096, ec-521]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme${ECC}/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 single domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure
-
-    - name: "[ ENROLL ] HTTP-01 2x domain acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ RENEW ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="_ecc"
-        fi
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] HTTP-01 2x domain acme.sh"
-      run: |
-        if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then
-          ECC="--ecc"
-        fi
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure
-
-    - name: "[ DEACTIVATE ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
-
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: acme_sh_nginx_django-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/alpn-test.yml b/.github/workflows/alpn-test.yml
index 568e829e..33075720 100644
--- a/.github/workflows/alpn-test.yml
+++ b/.github/workflows/alpn-test.yml
@@ -9,69 +9,77 @@ on:
     - cron:  '0 2 * * 6'
 
 jobs:
-  alpn_apache2_wsgi:
-    name: "alpn_apache2_wsgi"
+  alpn_container_tests:
+    name: "alpn_container_tests"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir acmme-sh
-        mkdir lego
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Restart a2c"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
         docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
+    - name: "Create folders"
+      run: |
+        mkdir acmme-sh
+        mkdir lego
+
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
 
-    - name: "[ ENROLL ] acme.sh"
+    - name: "Enroll acme.sh"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        ls -la *.pem
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ ENROLL ] lego"
+    - name: "Enroll lego"
       run: |
         docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --tls run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
@@ -82,101 +90,72 @@ jobs:
         sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
         cd examples/Docker
         docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh lego
-
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: alpn.tar.gz
+        name: alpn_containercontainer-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  alpn_apache2_wsgi_rpm:
-    name: "alpn_apache2_wsgi_rpm"
+  alpn_wsgi_rpm:
+    name: "alpn_wsgi_rpm"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      uses: actions/checkout@v4
 
-    - name: update version number in spec file
-      run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
+    - name: "Create letsencrypt and lego folder"
       run: |
         mkdir acmme-sh
         mkdir lego
 
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-      env:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        DATA_PATH: data
 
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install script"
       run: |
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
     - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
 
-    - name: "[ ENROLL ] acme.sh"
+    - name: "Enroll acme.sh"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv  --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ ENROLL ] lego"
+    - name: "Enroll lego"
       run: |
         docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --tls run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  lego/certificates/lego.acme.crt
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
@@ -184,13 +163,16 @@ jobs:
         mkdir -p ${{ github.workspace }}/artifact/upload
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        # sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log # acme-sh
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: alpn-rpm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
+        name: alpn-rpm-rh${{ matrix.rhversion }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/ari-test.yml b/.github/workflows/ari-test.yml
index 5fc709b2..35f4a3fb 100644
--- a/.github/workflows/ari-test.yml
+++ b/.github/workflows/ari-test.yml
@@ -10,53 +10,63 @@ on:
 
 jobs:
 
-  ari_apache2_wsgi:
-    name: "ari_apache2_wsgi"
+  ari_container_tests:
+    name: "ari_container_tests"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Restart a2c"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
         sudo echo -e "\n\n[Renewalinfo]" >> examples/Docker/data/acme_srv.cfg
         sudo echo "renewal_force: True" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
         docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "create lego folder"
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Create lego folder"
       run: |
         mkdir lego
 
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
+    - name: "Test http://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+    - name: "Enroll lego"
       run: |
         docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
         sudo chmod 777 lego/certificates/lego.acme.issuer.crt
@@ -64,13 +74,19 @@ jobs:
         sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
 
-    - name: "[ RENEW ] HTTP-01 single domain lego"
+    - name: "Renew lego"
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --ari-enable --no-random-sleep 2> ari.txt
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --no-random-sleep 2> ari.txt
         grep "renewalInfo endpoint indicates that renewal is needed" ari.txt
         cat ari.txt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
 
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
       run: |
@@ -82,66 +98,59 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: ari_apache2_wsgi.tar.gz
+        name: ari_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  ari_apache2_django:
-    name: "ari_apache2_django"
+  ari_wsgi_rpm:
+    name: "ari_wsgi_rpm"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        time: 10s
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo echo -e "\n\n[Renewalinfo]" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "renewal_force: True" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        DATA_PATH: data
+
+    - name: "Restart a2c"
+      run: |
+        sudo echo -e "\n\n[Renewalinfo]" >> data/acme_srv.cfg
+        sudo echo "renewal_force: True" >> data/acme_srv.cfg
+
+    - name: "Execute install scipt"
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
-    - name: "create lego folder"
+    - name: "Create lego folder"
       run: |
         mkdir lego
 
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
+    - name: "Enroll HTTP-01 single domain lego"
       run: |
         docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
         sudo chmod 777 lego/certificates/lego.acme.issuer.crt
@@ -149,9 +158,9 @@ jobs:
         sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
 
-    - name: "[ RENEW ] HTTP-01 single domain lego"
+    - name: "Renew HTTP-01 single domain lego"
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --ari-enable --no-random-sleep 2> ari.txt
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --no-random-sleep 2> ari.txt
         grep "renewalInfo endpoint indicates that renewal is needed" ari.txt
         cat ari.txt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
@@ -160,158 +169,76 @@ jobs:
       if: ${{ failure() }}
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: ari_apache2_django.tar.gz
+        name: ari_wsgi_rpm-rh${{ matrix.rhversion }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  ari_nginx_wsgi:
-    name: "ari_nginx_wsgi"
+
+  ari_django_rpm:
+    name: "ari_django_rpm"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+      uses: actions/checkout@v4
 
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Create lego folder"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo echo -e "\n\n[Renewalinfo]" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "renewal_force: True" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
+        mkdir lego
+
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        DATA_PATH: data/volume
 
-    - name: "[ RENEW ] HTTP-01 single domain lego"
+    - name: "Restart a2c"
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --ari-enable --no-random-sleep 2> ari.txt
-        grep "renewalInfo endpoint indicates that renewal is needed" ari.txt
-        cat ari.txt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        sudo echo -e "\n\n[Renewalinfo]" >> data/volume/acme_srv.cfg
+        sudo echo "renewal_force: True" >> data/volume/acme_srv.cfg
 
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
+    - name: "Execute install scipt"
       run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
+        docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
 
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: ari_nginx_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  ari_nginx_django:
-    name: "lego_nginx_django"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
+    - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo echo -e "\n\n[Renewalinfo]" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "renewal_force: True" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
 
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
+    - name: "Enroll HTTP-01 single domain lego"
       run: |
         docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
         sudo chmod 777 lego/certificates/lego.acme.issuer.crt
@@ -319,9 +246,9 @@ jobs:
         sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
 
-    - name: "[ RENEW ] HTTP-01 single domain lego"
+    - name: "Renew HTTP-01 single domain lego"
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --ari-enable --no-random-sleep 2> ari.txt
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --no-random-sleep 2> ari.txt
         grep "renewalInfo endpoint indicates that renewal is needed" ari.txt
         cat ari.txt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
@@ -330,15 +257,20 @@ jobs:
       if: ${{ failure() }}
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: ari_nginx_django.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
+        name: ari_django_rpm-rh${{ matrix.rhversion }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
diff --git a/.github/workflows/ca_handler_tests_asa.yml b/.github/workflows/ca_handler_tests_asa.yml
new file mode 100644
index 00000000..89594e49
--- /dev/null
+++ b/.github/workflows/ca_handler_tests_asa.yml
@@ -0,0 +1,604 @@
+name: CA handler Tests - Insta ASA
+
+on:
+  push:
+  pull_request:
+    branches: [ devel ]
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    - cron:  '0 2 * * 6'
+
+jobs:
+  asa_handler_headerinfo_tests:
+    name: "asa_handler_headerinfo_tests"
+    runs-on: ubuntu-latest
+    steps:
+    - name: "checkout GIT"
+      uses: actions/checkout@v4
+
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: "wsgi"
+        WEB_SRV: "apache2"
+
+    - name: "Create lego folder"
+      run: |
+        mkdir lego
+
+    - name: "Test http://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+    - name: "a2c configuration with standard profile"
+      run: |
+        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+        sudo touch examples/Docker/data/acme_srv.cfg
+        sudo chmod 777 examples/Docker/data/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_POFILE1" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }}
+
+    - name: "Test http://acme-srv/directory is accessible again"
+      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+    - name: "Enroll lego with profileID ACME - could potenially fail"
+      continue-on-error: True
+      run: |
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+
+    - name: "Enroll acme.sh with profileID ACME"
+      run: |
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --useragent profile_name=ACME --keylength 2048 --debug 3 --output-insecure
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+        openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+
+    - name: "Enroll lego with profileID ACME"
+      run: |
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+
+    - name: "Enroll acme.sh with profileID ACME_2"
+      run: |
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --renew --server http://acme-srv --force -d acme-sh.acme --standalone --useragent profile_name=ACME_2 --keylength 2048 --debug 3 --output-insecure
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+        openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+
+    - name: "Enroll lego with profileID ACME_2"
+      run: |
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME_2 -d lego.acme --key-type rsa2048 --http run
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+
+    - name: "[ * ] collecting test logs"
+      if: ${{ failure() }}
+      run: |
+        mkdir -p ${{ github.workspace }}/artifact/upload
+        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
+        cd examples/Docker
+        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
+
+    - name: "[ * ] uploading artificates"
+      uses: actions/upload-artifact@v4
+      if: ${{ failure() }}
+      with:
+        name: asa_handler_headerinfo_tests.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
+
+  asa_handler_tests:
+    name: "asa_handler_tests"
+    runs-on: ubuntu-latest
+    needs: asa_handler_headerinfo_tests
+    strategy:
+      max-parallel: 2
+      fail-fast: false
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
+    steps:
+    - name: "checkout GIT"
+      uses: actions/checkout@v4
+
+    - name: "create folders"
+      run: |
+        mkdir lego
+        mkdir acme-sh
+        mkdir certbot
+
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
+    - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}"
+      run: |
+        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+        sudo chmod 777 examples/Docker/data/acme_srv.cfg
+        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "${{ secrets.ASA_PROFILE1 }} - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_1
+      with:
+        PROFILE: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Reconfiguration of a2c with a new profile"
+      run: |
+        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+        sudo touch examples/Docker/data/acme_srv.cfg
+        sudo chmod 777 examples/Docker/data/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE2" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+
+    - name: "${{ secrets.ASA_PROFILE2 }} - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_2
+      with:
+        PROFILE: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "Header-info - Setup asa_ca_handler with headerinfo"
+      run: |
+        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+        sudo chmod 777 examples/Docker/data/acme_srv.cfg
+        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "Hederinfo - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo
+      with:
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+
+    - name: "EAB without headerinfo - Setup asa_ca_handler"
+      run: |
+        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+        sudo chmod 777 examples/Docker/data/acme_srv.cfg
+        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
+        sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
+        sudo chmod 777 examples/eab_handler/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
+        sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
+
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+        ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
+
+    - name: "EAB without headerinfo - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo
+      with:
+        ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+
+    - name: "EAB with headerinfo - Setup asa_ca_handler"
+      run: |
+        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+        sudo chmod 777 examples/Docker/data/acme_srv.cfg
+        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
+        sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
+        sudo chmod 777 examples/eab_handler/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
+        sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
+
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+        ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
+
+    - name: "EAB with headerinfo - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo
+      with:
+        ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
+    - name: "[ * ] collecting test logs"
+      if: ${{ failure() }}
+      run: |
+        mkdir -p ${{ github.workspace }}/artifact/upload
+        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
+        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
+        cd examples/Docker
+        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
+
+    - name: "[ * ] uploading artificates"
+      uses: actions/upload-artifact@v4
+      if: ${{ failure() }}
+      with:
+        name: asa-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
+
+  asa_handler_tests_rpm:
+    name: "asa_handler_tests_rpm"
+    runs-on: ubuntu-latest
+    needs: asa_handler_headerinfo_tests
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+    steps:
+    - name: "checkout GIT"
+      uses: actions/checkout@v4
+
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+
+    - name: "Create letsencrypt and lego folder"
+      run: |
+        mkdir certbot
+        mkdir lego
+        mkdir acme-sh
+
+    - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}"
+      run: |
+        mkdir -p data/acme_ca
+        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
+        sudo touch data/acme_srv.cfg
+        sudo chmod 777 data/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Execute install scipt"
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
+
+    - name: "${{ secrets.ASA_PROFILE1 }} - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_1
+      with:
+        PROFILE: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}"
+      run: |
+        sudo touch data/acme_srv.cfg
+        sudo chmod 777 data/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE2" >> data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+
+    - name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c "
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+    - name: "${{ secrets.ASA_PROFILE2 }} - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_2
+      with:
+        PROFILE: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "Header-info - Setup asa_ca_handler with headerinfo"
+      run: |
+        sudo touch data/acme_srv.cfg
+        sudo chmod 777 data/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+
+    - name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c "
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+    - name: "Hederinfo - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo
+      with:
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+
+    - name: "EAB without headerinfo - Setup asa_ca_handler"
+      run: |
+        sudo touch data/acme_srv.cfg
+        sudo chmod 777 data/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
+        sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
+        sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
+        sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
+        sudo chmod 777 data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
+        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
+        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+        ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
+
+    - name: "EAB without headerinfo - Reconfigure a2c "
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+    - name: "EAB without headerinfo - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo
+      with:
+        ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+
+    - name: "EAB with headerinfo - Setup asa_ca_handler"
+      run: |
+        sudo touch data/acme_srv.cfg
+        sudo chmod 777 data/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
+        sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
+        sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+        sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
+        sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
+        sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
+        sudo chmod 777 data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
+        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
+        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
+      env:
+        ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+        ASA_API_USER: ${{ secrets.ASA_API_USER }}
+        ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+        ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+        ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+        ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+        ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+        ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
+        ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
+
+    - name: "EAB with headerinfo - Reconfigure a2c "
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+    - name: "EAB with headerinfo - enrollment"
+      uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo
+      with:
+        ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }}
+        ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
+
+    - name: "[ * ] collecting test logs"
+      if: ${{ failure() }}
+      run: |
+        mkdir -p ${{ github.workspace }}/artifact/upload
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
+
+    - name: "[ * ] uploading artificates"
+      uses: actions/upload-artifact@v4
+      if: ${{ failure() }}
+      with:
+        name: asa_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
+
diff --git a/.github/workflows/ca_handler_tests_certifier.yml b/.github/workflows/ca_handler_tests_certifier.yml
index 528bd812..2079bf06 100644
--- a/.github/workflows/ca_handler_tests_certifier.yml
+++ b/.github/workflows/ca_handler_tests_certifier.yml
@@ -12,41 +12,50 @@ jobs:
   certifier_handler_tests:
     name: "certifier_handler_tests"
     runs-on: ubuntu-latest
+    strategy:
+      max-parallel: 2
+      fail-fast: false
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir certbot
-        mkdir lego
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Setup tunnel"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/tunnel_setup
+      with:
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "No profile - Setup a2c with certifier_ca_handler"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
+        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
         sudo chmod 777 examples/Docker/data/acme_srv.cfg
+        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
         sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
         sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
         sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
         sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
         sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
-        docker-compose logs
       env:
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
@@ -54,211 +63,152 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "revoke via acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
+    - name: "No profile - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile
 
-    - name: "[ REGISTER ] certbot"
+    - name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "revoke HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "revoke HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: ncm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  certifier_p101_handler_tests:
-    name: "certifier_p101_handler_tests"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir certbot
-        mkdir lego
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
         sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
         sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
         sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
         sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
         sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
         sudo echo "profile_id: 101" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
-        docker-compose logs
       env:
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        PROFILE: ${{ secrets.PROFILE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "revoke via acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
-
-    - name: "[ REGISTER ] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    - name: "Profile 101 - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
+    - name: "Profile 102 - Setup a2c with certifier_ca_handler with Profile 102"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-        sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
-
-    - name: "revoke HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-        sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_id: 102" >> examples/Docker/data/acme_srv.cfg
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "revoke HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    - name: "Profile 102 - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile
 
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
+    - name: "Header-info - Setup a2c with certifier_ca_handler with header-info"
       run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: certifier_p101_handler_tests.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-  certifier_p102_handler_tests:
-    name: "certifier_p102_handler_tests"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
+    - name: "Header-info - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
+    - name: "EAB without headerinfo - Setup a2c with certifier_ca_handler"
       run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_id: 100" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
+        sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
+        sudo chmod 777 examples/eab_handler/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
+        sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir certbot
-        mkdir lego
+        cd examples/Docker/
+        docker-compose restart
+      env:
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "EAB without headerinfo - Enrollment"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
         sudo touch examples/Docker/data/acme_srv.cfg
         sudo chmod 777 examples/Docker/data/acme_srv.cfg
         sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
         sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
         sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
         sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
         sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "profile_id: 102" >> examples/Docker/data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "profile_id: 100" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
+        sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
+        sudo chmod 777 examples/eab_handler/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
+        sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
         cd examples/Docker/
         docker-compose restart
-        docker-compose logs
       env:
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
@@ -266,47 +216,40 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "revoke via acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
+    - name: "EAB with headerinfo - Enrollment"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo
 
-    - name: "[ REGISTER ] certbot"
+    - name: "EAB with headerinfo - Reconfigure key_file without restarting"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+        sudo sed -i "s/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\"\]/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\", \"*.acme\"\]/g" examples/Docker/data/kid_profiles.json
+        sudo sed -i '26,27d' examples/Docker/data/kid_profiles.json
+        sudo sed -i "s/    \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"/    \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"\n  },\n  \"keyid_04\": {\n    \"hmac\": \"YW5kX2hlcmVfaXNfYW5vdGhlcl92ZXJ5X2xvbmdfbWFja19obWFjX2tleV90b19jaGVja19pZl9jaGFuZ2VzX2FmZmVjdF9pbW1lZGF0ZWx5\",\n    \"cahandler\": {}\n  }\n}/g" examples/Docker/data/kid_profiles.json
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-        sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    - name: "EAB with headerinfo - Enrollment after reconfiguration"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo
+      with:
+        RECONFIGURE: true
 
-    - name: "revoke HTTP-01 single domain certbot"
+    - name: "kid-file in yaml format - Reconfiguration"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+        sudo sed -i "s/kid_profiles.json/kid_profiles.yml/g" examples/Docker/data/acme_srv.cfg
+        sudo pip3 install yq
+        sudo pip3 install jq
+        sudo sh -c "cat examples/Docker/data/kid_profiles.json | yq -y '.' > examples/Docker/data/kid_profiles.yml"
+        sudo rm examples/Docker/data/kid_profiles.json
+        sudo sed -i '33,34d' examples/Docker/data/kid_profiles.yml
+        # sudo cat examples/Docker/data/kid_profiles.yml
 
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-        sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+    - name: "kid-file in yaml format - Enrollment after reconfiguration"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo
+      with:
+        RECONFIGURE: true
 
-    - name: "revoke HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
@@ -321,52 +264,45 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: certifier_p102_handler_tests.tar.gz
+        name: ncm-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
   certifier_handler_tests_rpm:
     name: "certifier_handler_tests_rpm"
     runs-on: ubuntu-latest
+    # needs: certifier_handler_tests
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      uses: actions/checkout@v4
 
-    - name: update version number in spec file
-      run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir certbot
-        mkdir lego
+    - name: "Setup tunnel"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/tunnel_setup
+      with:
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
 
-    - name: "[ PREPARE ] prepare acme_srv.cfg with certifier_ca_handler"
+    - name: "No profile - Setup a2c with certifier_ca_handler"
       run: |
         mkdir -p data/acme_ca
         sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
@@ -374,11 +310,13 @@ jobs:
         sudo chmod 777 data/acme_srv.cfg
         sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
         sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> data/acme_srv.cfg
         sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
         sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
         sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
       env:
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
@@ -386,172 +324,227 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install scipt"
       run: |
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
+    - name: "No profile - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile
 
-    - name: "[ ENROLL] acme.sh"
+    - name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_id: 101" >> data/acme_srv.cfg
+      env:
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        PROFILE: ${{ secrets.PROFILE }}
 
-    - name: "revoke via acme.sh"
+    - name: "Profile 101 - Reconfigure a2c "
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ REGISTER ] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    - name: "Profile 101 - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
+    - name: "Profile 102 - Setup a2c with certifier_ca_handler with profile 101"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_id: 102" >> data/acme_srv.cfg
+      env:
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        PROFILE: ${{ secrets.PROFILE }}
 
-    - name: "revoke HTTP-01 single domain certbot"
+    - name: "Profile 102 - Reconfigure a2c "
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+    - name: "Profile 102 - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile
 
-    - name: "revoke HTTP-01 single domain lego"
+    - name: "Header-info - Setup a2c with certifier_ca_handler"
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+      env:
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        PROFILE: ${{ secrets.PROFILE }}
 
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
+    - name: "Header-info - Reconfigure a2c "
       run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: certifier_ca_handler_rpm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
+    - name: "Header-info - Enrollmnet"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo
 
-  certifier_handler_headerinfo_tests:
-    name: "certifier_handler_headerinfo_tests"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
+    - name: "EAB without headerinfo - Setup a2c with certifier_ca_handler"
       run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_id: 100" >> data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> data/acme_srv.cfg
+        sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
+        sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
+        sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
+        sudo chmod 777 data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
+        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
+        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
+      env:
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        PROFILE: ${{ secrets.PROFILE }}
 
-    - name: "[ PREPARE ] create lego folder"
+    - name: "EAB without headerinfo - Reconfigure a2c "
       run: |
-        mkdir lego
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "EAB without headerinfo - Enrollment"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
+        # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
+        sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg
+        sudo echo "ca_bundle: False" >> data/acme_srv.cfg
+        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
+        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
+        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
+        # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
+        sudo echo "profile_id: 100" >> data/acme_srv.cfg
+        sudo echo "eab_profiling: True" >> data/acme_srv.cfg
+        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+        sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
+        sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
+        sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
+
+        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
+        sudo chmod 777 data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+        sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
+        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
+        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
       env:
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        PROFILE: ${{ secrets.PROFILE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "EAB with headerinfo - Reconfigure a2c "
       run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
+    - name: "EAB with headerinfo - Enrollment"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo
 
-    - name: "[ ENROLL] acme.sh with profileID 101"
+    - name: "EAB with headerinfo - Reconfigure key_file without restarting"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --useragent profileID=101 --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+        sudo sed -i "s/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\"\]/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\", \"*.acme\"\]/g" data/acme_ca/kid_profiles.json
+        sudo sed -i '26,27d' data/acme_ca/kid_profiles.json
+        sudo sed -i "s/    \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"/    \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"\n  },\n  \"keyid_04\": {\n    \"hmac\": \"YW5kX2hlcmVfaXNfYW5vdGhlcl92ZXJ5X2xvbmdfbWFja19obWFjX2tleV90b19jaGVja19pZl9jaGFuZ2VzX2FmZmVjdF9pbW1lZGF0ZWx5\",\n    \"cahandler\": {}\n  }\n}/g" data/acme_ca/kid_profiles.json
 
-    - name: "[ ENROLL ] lego with profileID 101"
+    - name: "Update configuration"
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profileID=101 -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-        sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Client"
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh update
+
+    - name: "EAB with headerinfo - Enrollment after reconfiguration"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo
+      with:
+        RECONFIGURE: true
 
-    - name: "[ ENROLL] acme.sh with profileID 102"
+    - name: "kid-file in yaml format - Reconfiguration"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --renew --force -d acme-sh.acme --standalone --useragent profileID=102 --debug 3 --output-insecure
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+        sudo sed -i "s/kid_profiles.json/kid_profiles.yml/g" data/acme_srv.cfg
+        sudo pip3 install yq
+        sudo pip3 install jq
+        sudo sh -c "cat data/acme_ca/kid_profiles.json | yq -y '.' > data/acme_ca/kid_profiles.yml"
+        sudo rm data/acme_ca/kid_profiles.json
+        sudo sed -i '33,34d' data/acme_ca/kid_profiles.yml
 
-    - name: "[ ENROLL ] lego with profileID 102"
+    - name: "kid-file in yaml format - update a2c "
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profileID=102 -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-        sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage  -noout | grep -i "TLS Web Server"
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+    - name: "kid-file in yaml format - Enrollment after reconfiguration"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo
+      with:
+        RECONFIGURE: true
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: certifier_handler_headerinfo_tests.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
+        name: certifier_ca_handler_rpm-rh${{ matrix.rhversion }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
+
diff --git a/.github/workflows/ca_handler_tests_nclm.yml b/.github/workflows/ca_handler_tests_nclm.yml
index 80a79e40..432be990 100644
--- a/.github/workflows/ca_handler_tests_nclm.yml
+++ b/.github/workflows/ca_handler_tests_nclm.yml
@@ -12,27 +12,29 @@ jobs:
   nclm_handler_tests:
     name: "nclm_handler_tests"
     runs-on: ubuntu-latest
+    strategy:
+      max-parallel: 1
+      fail-fast: false
+      # max-parallel: 1
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
+    - name: "Generate UUID"
       run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+        echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+    - run: echo "UUID ${{ env.UUID }}"
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir certbot
-        mkdir lego
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
-    - name: "[ PREPARE ] setup a2c with nclm_ca_handler"
+    - name: "Setup a2c with nclm_ca_handler"
       run: |
         sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
         sudo touch examples/Docker/data/acme_srv.cfg
@@ -48,7 +50,6 @@ jobs:
         sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 45/g" examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
-        docker-compose logs
       env:
         NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
         NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
@@ -57,68 +58,50 @@ jobs:
         NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
         NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
+      with:
+        HOSTNAME_SUFFIX: -${{ env.UUID }}
+        VERIFY_CERT: false
 
-    - name: "[ ENROLL ] lego"
+    - name: "Generate UUID"
       run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+    - run: echo "UUID ${{ env.UUID }}"
 
-    - name: "[ PREPARE ] reconfigure nclm handler to test enrollment from MSCA"
+    - name: "Reconfigure nclm handler to test enrollment from MSCA"
       run: |
         sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" examples/Docker/data/acme_srv.cfg
         sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo rm -rf lego/*
+        cd examples/Docker/
+        docker-compose restart
       env:
         NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
         NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
         NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
 
-    - name: "[ PREPARE ] restart a2c"
-      working-directory: examples/Docker/
-      run: |
-        docker-compose restart
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile lego/certificates/lego.acme.issuer.crt lego/certificates/lego.acme.crt
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
+      with:
+        USE_RSA: true
+        HOSTNAME_SUFFIX: -${{ env.UUID }}
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
+        mkdir -p ${{ github.workspace }}/artifact/clients
         sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
+        # sudo cp *.pem ${{ github.workspace }}/artifact/data/
+        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
+        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
+        sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
         cd examples/Docker
         docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data clients
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
         name: nclm.tar.gz
@@ -128,43 +111,31 @@ jobs:
   nclm_handler_tests_rpm:
     name: "nclm_handler_tests_rpm"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+        execscript: ['rpm_tester.sh', 'django_tester.sh']
+
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      uses: actions/checkout@v4
 
-    - name: update version number in spec file
+    - name: "Generate UUID"
       run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
+        echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+    - run: echo "UUID ${{ env.UUID }}"
 
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir certbot
-        mkdir lego
-
-    - name: "[ PREPARE ] prepare acme_srv.cfg with nclm_ca_handler"
+    - name: "Setup a2c with with nclm_ca_handler"
+      if: matrix.execscript == 'rpm_tester.sh'
       run: |
         mkdir -p data/acme_ca
         sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
@@ -178,8 +149,8 @@ jobs:
         sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg
         sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg
         sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg
-        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 30/g" data/acme_srv.cfg
-
+        sudo echo "request_timeout: 40" >> data/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/acme_srv.cfg
       env:
         NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
         NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
@@ -188,60 +159,101 @@ jobs:
         NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
         NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
 
-    - name: "[ PREPARE ] Almalinux instance"
+    - name: "Setup a2c with with nclm_ca_handler for django"
+      if: matrix.execscript == 'django_tester.sh'
       run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
+        sudo mkdir -p data/volume/acme_ca/certs
+        sudo cp test/ca/certsrv_ca_certs.pem data/volume/acme_ca/ca_certs.pem
+        sudo touch data/volume/acme_srv.cfg
+        sudo chmod 777 data/volume/acme_srv.cfg
+        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
+        sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/volume/acme_srv.cfg
+        sudo echo "api_host: $NCLM_API_HOST" >> data/volume/acme_srv.cfg
+        sudo echo "api_user: $NCLM_API_USER" >> data/volume/acme_srv.cfg
+        sudo echo "api_password: $NCLM_API_PASSWORD" >> data/volume/acme_srv.cfg
+        sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/volume/acme_srv.cfg
+        sudo echo "ca_name: $NCLM_CA_NAME" >> data/volume/acme_srv.cfg
+        sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/volume/acme_srv.cfg
+        sudo echo "request_timeout: 40" >> data/volume/acme_srv.cfg
+        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/volume/acme_srv.cfg
+      env:
+        NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
+        NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
+        NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
+        NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
+        NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
+        NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
 
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install scipt"
       run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+        docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
+      env:
+        EXEC_SCRIPT: ${{ matrix.execscript }}
 
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh -e MAX_RETRY_TIMES=4 neilpang/acme.sh:latest daemon
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
+      with:
+        HOSTNAME_SUFFIX: -${{ env.UUID }}
+        VERIFY_CERT: false
 
-    - name: "[ REGISTER] acme.sh"
+    - name: "Generate UUID"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
+        echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+    - run: echo "UUID ${{ env.UUID }}"
 
-    - name: "[ ENROLL] acme.sh"
+    - name: "Reconfigure nclm handler to test enrollment from MSCA"
+      if: matrix.execscript == 'rpm_tester.sh'
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+        sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/acme_srv.cfg
+        sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/acme_srv.cfg
+      env:
+        NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
+        NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
+        NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
 
-    - name: "[ REGISTER ] certbot"
+    - name: "Reconfigure nclm handler to test enrollment from MSCA"
+      if: matrix.execscript == 'django_tester.sh'
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+        sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/volume/acme_srv.cfg
+        sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/volume/acme_srv.cfg
+      env:
+        NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
+        NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
+        NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
+    - name: "Execute install scipt"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+        docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart
+      env:
+        EXEC_SCRIPT: ${{ matrix.execscript }}
 
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
+      with:
+        USE_RSA: true
+        HOSTNAME_SUFFIX: -${{ env.UUID }}
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
+      continue-on-error: true
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
+        mkdir -p ${{ github.workspace }}/artifact/clients
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        # sudo cp *.pem ${{ github.workspace }}/artifact/data/
+        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
+        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
+        sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data clients acme-srv.log
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: nclm_ca_handler_rpm.tar.gz
+        name: nclm_ca_handler_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript}}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
diff --git a/.github/workflows/caddy-application-test.yml b/.github/workflows/caddy-application-test.yml
deleted file mode 100644
index 4cc23b6b..00000000
--- a/.github/workflows/caddy-application-test.yml
+++ /dev/null
@@ -1,387 +0,0 @@
-name: Application Tests - Caddy
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  caddy_apache2_wsgi:
-    name: "caddy_apache2_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        ports: ['-p 80:80 -p 443:443', '-p 443:443']
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-
-    - name: "Create caddy folder and copy configuratation files"
-      run: |
-        mkdir caddy
-        cp .github/Caddyfile caddy/
-        cp .github/acme2certifier_cabundle.pem caddy
-
-    - name: "Enroll certificate with Caddy"
-      run: |
-        docker run -d --rm  ${{ matrix.ports }} --network acme -v $PWD/caddy/Caddyfile:/etc/caddy/Caddyfile -v$PWD/caddy/acme2certifier_cabundle.pem:/tmp/acme2certifier_cabundle.pem -v $(pwd)/caddy/config:/config -v $(pwd)/caddy/data:/data --name=caddy caddy:2
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Check for logs indicating successful enrollment"
-      run: |
-        docker logs caddy 2>&1 | grep "successfully downloaded available certificate chains"
-        docker logs caddy 2>&1 | grep "certificate obtained successfully"
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp caddy/ ${{ github.workspace }}/artifact/caddy/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
-        docker logs caddy 2> ${{ github.workspace }}/artifact/caddy.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log caddy.log data caddy
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: caddy_apache2_wsgi-${{ github.run_id }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-
-  caddy_apache2_django:
-    name: "caddy_apache2_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        ports: ['-p 80:80 -p 443:443', '-p 443:443']
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "Build docker-compose (apache2_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-
-    - name: "Create caddy folder and copy configuratation files"
-      run: |
-        mkdir caddy
-        cp .github/Caddyfile caddy/
-        cp .github/acme2certifier_cabundle.pem caddy
-
-    - name: "Enroll certificate with Caddy"
-      run: |
-        docker run -d --rm  ${{ matrix.ports }} --network acme -v $PWD/caddy/Caddyfile:/etc/caddy/Caddyfile -v$PWD/caddy/acme2certifier_cabundle.pem:/tmp/acme2certifier_cabundle.pem -v $(pwd)/caddy/config:/config -v $(pwd)/caddy/data:/data --name=caddy caddy:2
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Check for logs indicating successful enrollment"
-      run: |
-        docker logs caddy 2>&1 | grep "successfully downloaded available certificate chains"
-        docker logs caddy 2>&1 | grep "certificate obtained successfully"
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp caddy/ ${{ github.workspace }}/artifact/caddy/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
-        docker logs caddy 2> ${{ github.workspace }}/artifact/caddy.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log caddy.log data caddy
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: caddy_apache2_django-${{ github.run_id }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-
-  caddy_nginx_wsgi:
-    name: "caddy_nginx_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        ports: ['-p 80:80 -p 443:443', '-p 443:443']
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "Build docker-compose (nginx_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-
-    - name: "Create caddy folder and copy configuratation files"
-      run: |
-        mkdir caddy
-        cp .github/Caddyfile caddy/
-        cp .github/acme2certifier_cabundle.pem caddy
-
-    - name: " enroll certificate with Caddy"
-      run: |
-        docker run -d --rm  ${{ matrix.ports }} --network acme -v $PWD/caddy/Caddyfile:/etc/caddy/Caddyfile -v$PWD/caddy/acme2certifier_cabundle.pem:/tmp/acme2certifier_cabundle.pem -v $(pwd)/caddy/config:/config -v $(pwd)/caddy/data:/data --name=caddy caddy:2
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Check for logs indicating successful enrollment"
-      run: |
-        docker logs caddy 2>&1 | grep "successfully downloaded available certificate chains"
-        docker logs caddy 2>&1 | grep "certificate obtained successfully"
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp caddy/ ${{ github.workspace }}/artifact/caddy/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
-        docker logs caddy 2> ${{ github.workspace }}/artifact/caddy.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log caddy.log data caddy
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: caddy_nginx_wsgi-${{ github.run_id }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  caddy_nginx_django:
-    name: "caddy_nginx_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        ports: ['-p 80:80 -p 443:443', '-p 443:443']
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "Create caddy folder and copy configuratation files"
-      run: |
-        mkdir caddy
-        cp .github/Caddyfile caddy/
-        cp .github/acme2certifier_cabundle.pem caddy
-
-    - name: "Enroll certificate with Caddy"
-      run: |
-        docker run -d --rm  ${{ matrix.ports }} --network acme -v $PWD/caddy/Caddyfile:/etc/caddy/Caddyfile -v$PWD/caddy/acme2certifier_cabundle.pem:/tmp/acme2certifier_cabundle.pem -v $(pwd)/caddy/config:/config -v $(pwd)/caddy/data:/data --name=caddy caddy:2
-
-    - name: "Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Check for logs indicating successful enrollment"
-      run: |
-        docker logs caddy 2>&1 | grep "successfully downloaded available certificate chains"
-        docker logs caddy 2>&1 | grep "certificate obtained successfully"
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp caddy/ ${{ github.workspace }}/artifact/caddy/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
-        docker logs caddy 2> ${{ github.workspace }}/artifact/caddy.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log caddy.log data caddy
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: caddy_nginx_django-${{ github.run_id }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/certbot-application-test.yml b/.github/workflows/certbot-application-test.yml
deleted file mode 100644
index eb1e9835..00000000
--- a/.github/workflows/certbot-application-test.yml
+++ /dev/null
@@ -1,437 +0,0 @@
-name: Application Tests - Certbot
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-
-  certbot_apache2_wsgi:
-    name: "certbot_apache2_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [2048, 4096]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] create letsencrypt folder"
-      run: |
-        mkdir certbot
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
-
-    - name: "[ ENROLL ] HTTP-01 2x domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew  --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme -d certbot. --cert-name certbot
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: certbot_apache2_wsgi-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  certbot_apache2_django:
-    name: "certbot_apache2_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [2048, 4096]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] create letsencrypt folder"
-      run: |
-        mkdir certbot
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
-
-    - name: "[ ENROLL ] HTTP-01 2x domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew  --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme -d certbot. --cert-name certbot
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: certbot_apache2_django-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  certbot_nginx_wsgi:
-    name: "certbot_nginx_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [2048, 4096]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] create letsencrypt folder"
-      run: |
-        mkdir certbot
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
-
-    - name: "[ ENROLL ] HTTP-01 2x domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew  --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme -d certbot. --cert-name certbot
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: certbot_nginx_wsgi-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  certbot_nginx_django:
-    name: "certbot_nginx_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [2048, 4096]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] create letsencrypt folder"
-      run: |
-        mkdir certbot
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot
-
-    - name: "[ ENROLL ] HTTP-01 2x domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ RENEW ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --force-renew  --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ REVOKE ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme -d certbot. --cert-name certbot
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: certbot_nginx_django-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/certmanager-application-test.yml b/.github/workflows/certmanager-application-test.yml
deleted file mode 100644
index e69815fd..00000000
--- a/.github/workflows/certmanager-application-test.yml
+++ /dev/null
@@ -1,905 +0,0 @@
-name: Application Tests - cert-manager
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  certmgr_http01_apwsgi:
-    name: "apache2 wsgi - certmgr http01 challenge tests"
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: "[ PREPARE ] install microk8s"
-      run: |
-        sudo snap install microk8s --classic
-        sudo microk8s status --wait-ready
-        sudo microk8s enable helm3
-        sudo microk8s enable ingress
-    - name: "[ PREPARE ] install dnsmasq"
-      run: |
-        sudo mkdir -p data
-        sudo cp .github/dnsmasq.conf data
-        sudo cp .github/dnsmasq.yml data
-        sudo chmod -R 777 data/dnsmasq.conf
-        sudo chmod -R 777 data/dnsmasq.yml
-        sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
-        sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
-        cat data/dnsmasq.conf
-        cat data/dnsmasq.yml
-        docker pull gigantuar/dnsmasq:latest-amd64
-        docker save gigantuar/dnsmasq -o dnsmasq.tar
-        sudo microk8s ctr image import dnsmasq.tar
-        sudo microk8s ctr images ls | grep -i gigantuar
-    - name: "[ PREPARE ] deploy dnsmasq pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/dnsmasq.yml
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status dnsmasq pod and grab ip"
-      run: |
-        sudo microk8s.kubectl get pods -n dnsmasq
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
-        sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
-        echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
-
-    - name: "[ PREPARE ] change and test dns"
-      run: |
-        sudo cp .github/k8s-acme-srv.yml data/
-        sudo chmod 777 data/k8s-acme-srv.yml
-        sudo sed -i "s/DNSMASQ_IP/${{ env.DNSMASQ_IP }}/g" data/k8s-acme-srv.yml
-        cat data/k8s-acme-srv.yml
-        host www.bar.local ${{ env.DNSMASQ_IP }}
-
-    - name: "[ PREPARE ] install cert-manager charts"
-      run: |
-        sudo microk8s.kubectl create namespace cert-manager
-        sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
-        sudo microk8s.helm3 repo update
-        sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager  --set installCRDs=true  --set podDnsPolicy="None",podDnsConfig.nameservers={${{ env.DNSMASQ_IP }}}
-        echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
-    - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      run: |
-        cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
-        # docker pull grindsa/acme2certifier:devel
-        docker save grindsa/acme2certifier > a2c.tar
-        sudo microk8s ctr image import a2c.tar
-        sudo microk8s ctr images ls | grep -i grindsa
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo chmod 777 data
-        mkdir -p data/acme_ca
-        sudo cp examples/ca_handler/certifier_ca_handler.py data/ca_handler.py
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ DEPLOY ] deploy a2c pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/k8s-acme-srv.yml
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
-      run: |
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
-        sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
-        echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
-    - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
-      run: |
-        sudo cp .github/k8s-cert-mgr-http-01.yml data
-        sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
-        sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
-        sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
-
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-        sudo microk8s.kubectl describe certificate
-        sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
-    - name: "[ * ] collecting test logs"
-
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: cert-manager-http-apwsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-
-  certmgr_http01_apdjango:
-    name: "apache2 django - certmgr http01 challenge tests"
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: "[ PREPARE ] install microk8s"
-      run: |
-        sudo snap install microk8s --classic
-        sudo microk8s status --wait-ready
-        sudo microk8s enable helm3
-        sudo microk8s enable ingress
-
-    - name: "[ PREPARE ] install dnsmasq"
-      run: |
-        sudo mkdir -p data
-        sudo cp .github/dnsmasq.conf data
-        sudo cp .github/dnsmasq.yml data
-        sudo chmod -R 777 data/dnsmasq.conf
-        sudo chmod -R 777 data/dnsmasq.yml
-        sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
-        sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
-        cat data/dnsmasq.conf
-        cat data/dnsmasq.yml
-        docker pull gigantuar/dnsmasq:latest-amd64
-        docker save gigantuar/dnsmasq -o dnsmasq.tar
-        sudo microk8s ctr image import dnsmasq.tar
-        sudo microk8s ctr images ls | grep -i gigantuar
-    - name: "[ PREPARE ] deploy dnsmasq pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/dnsmasq.yml
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status dnsmasq pod and grab ip"
-      run: |
-        sudo microk8s.kubectl get pods -n dnsmasq
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
-        sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
-        echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
-
-    - name: "[ PREPARE ] change and test dns"
-      run: |
-        sudo cp .github/k8s-acme-srv.yml data/
-        sudo chmod 777 data/k8s-acme-srv.yml
-        sudo sed -i "s/DNSMASQ_IP/${{ env.DNSMASQ_IP }}/g" data/k8s-acme-srv.yml
-        cat data/k8s-acme-srv.yml
-        host www.bar.local ${{ env.DNSMASQ_IP }}
-
-    - name: "[ PREPARE ] install cert-manager charts"
-      run: |
-        sudo microk8s.kubectl create namespace cert-manager
-        sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
-        sudo microk8s.helm3 repo update
-        sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager  --set installCRDs=true  --set podDnsPolicy="None",podDnsConfig.nameservers={${{ env.DNSMASQ_IP }}}
-        echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
-    - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_django)"
-      run: |
-        cat examples/Docker/apache2/django/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
-        docker save grindsa/acme2certifier > a2c.tar
-        sudo microk8s ctr image import a2c.tar
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo chmod 777 data
-        mkdir -p data/acme_ca
-        sudo cp examples/ca_handler/certifier_ca_handler.py data/ca_handler.py
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-        sudo cp .github/django_settings.py data/settings.py
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ DEPLOY ] deploy a2c pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/k8s-acme-srv.yml
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
-      run: |
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
-        sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
-        echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
-    - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
-      run: |
-        sudo cp .github/k8s-cert-mgr-http-01.yml data
-        sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
-        sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
-        sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
-
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-        sudo microk8s.kubectl describe certificate
-        sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: cert-manager-http-apdjango.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  certmgr_http01_nginxwsgi:
-    name: "nginx wsgi - certmgr http01 challenge tests"
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: "[ PREPARE ] install microk8s"
-      run: |
-        sudo snap install microk8s --classic
-        sudo microk8s status --wait-ready
-        sudo microk8s enable helm3
-        sudo microk8s enable ingress
-    - name: "[ PREPARE ] install dnsmasq"
-      run: |
-        sudo mkdir -p data
-        sudo cp .github/dnsmasq.conf data
-        sudo cp .github/dnsmasq.yml data
-        sudo chmod -R 777 data/dnsmasq.conf
-        sudo chmod -R 777 data/dnsmasq.yml
-        sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
-        sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
-        cat data/dnsmasq.conf
-        cat data/dnsmasq.yml
-        docker pull gigantuar/dnsmasq:latest-amd64
-        docker save gigantuar/dnsmasq -o dnsmasq.tar
-        sudo microk8s ctr image import dnsmasq.tar
-        sudo microk8s ctr images ls | grep -i gigantuar
-    - name: "[ PREPARE ] deploy dnsmasq pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/dnsmasq.yml
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status dnsmasq pod and grab ip"
-      run: |
-        sudo microk8s.kubectl get pods -n dnsmasq
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
-        sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
-        echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
-
-    - name: "[ PREPARE ] change and test dns"
-      run: |
-        sudo cp .github/k8s-acme-srv.yml data/
-        sudo chmod 777 data/k8s-acme-srv.yml
-        sudo sed -i "s/DNSMASQ_IP/${{ env.DNSMASQ_IP }}/g" data/k8s-acme-srv.yml
-        cat data/k8s-acme-srv.yml
-        host www.bar.local ${{ env.DNSMASQ_IP }}
-
-    - name: "[ PREPARE ] install cert-manager charts"
-      run: |
-        sudo microk8s.kubectl create namespace cert-manager
-        sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
-        sudo microk8s.helm3 repo update
-        sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager  --set installCRDs=true  --set podDnsPolicy="None",podDnsConfig.nameservers={${{ env.DNSMASQ_IP }}}
-        echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
-    - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)"
-      run: |
-        cat examples/Docker/nginx/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
-        # docker pull grindsa/acme2certifier:devel
-        docker save grindsa/acme2certifier > a2c.tar
-        sudo microk8s ctr image import a2c.tar
-        sudo microk8s ctr images ls | grep -i grindsa
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo chmod 777 data
-        mkdir -p data/acme_ca
-        sudo cp examples/ca_handler/certifier_ca_handler.py data/ca_handler.py
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ DEPLOY ] deploy a2c pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/k8s-acme-srv.yml
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
-      run: |
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
-        sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
-        echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-
-    - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
-    - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
-      run: |
-        sudo cp .github/k8s-cert-mgr-http-01.yml data
-        sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
-        sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
-        sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-        sudo microk8s.kubectl describe certificate
-        sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: cert-manager-http-nginxwsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  certmgr_http01_nginxdjango:
-    name: "nginx wsgi - certmgr http01 challenge tests"
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: "[ PREPARE ] install microk8s"
-      run: |
-        sudo snap install microk8s --classic
-        sudo microk8s status --wait-ready
-        sudo microk8s enable helm3
-        sudo microk8s enable ingress
-
-    - name: "[ PREPARE ] install dnsmasq"
-      run: |
-        sudo mkdir -p data
-        sudo cp .github/dnsmasq.conf data
-        sudo cp .github/dnsmasq.yml data
-        sudo chmod -R 777 data/dnsmasq.conf
-        sudo chmod -R 777 data/dnsmasq.yml
-        sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
-        sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
-        cat data/dnsmasq.conf
-        cat data/dnsmasq.yml
-        docker pull gigantuar/dnsmasq:latest-amd64
-        docker save gigantuar/dnsmasq -o dnsmasq.tar
-        sudo microk8s ctr image import dnsmasq.tar
-        sudo microk8s ctr images ls | grep -i gigantuar
-
-    - name: "[ PREPARE ] deploy dnsmasq pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/dnsmasq.yml
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status dnsmasq pod and grab ip"
-      run: |
-        sudo microk8s.kubectl get pods -n dnsmasq
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
-        sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
-        sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
-        echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
-
-    - name: "[ PREPARE ] change and test dns"
-      run: |
-        sudo cp .github/k8s-acme-srv.yml data/
-        sudo chmod 777 data/k8s-acme-srv.yml
-        sudo sed -i "s/DNSMASQ_IP/${{ env.DNSMASQ_IP }}/g" data/k8s-acme-srv.yml
-        cat data/k8s-acme-srv.yml
-        host www.bar.local ${{ env.DNSMASQ_IP }}
-
-    - name: "[ PREPARE ] install cert-manager charts"
-      run: |
-        sudo microk8s.kubectl create namespace cert-manager
-        sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
-        sudo microk8s.helm3 repo update
-        sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager  --set installCRDs=true  --set podDnsPolicy="None",podDnsConfig.nameservers={${{ env.DNSMASQ_IP }}}
-        echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
-    - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      run: |
-        cat examples/Docker/nginx/django/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
-        # docker pull grindsa/acme2certifier:devel
-        docker save grindsa/acme2certifier > a2c.tar
-        sudo microk8s ctr image import a2c.tar
-        sudo microk8s ctr images ls | grep -i grindsa
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo chmod 777 data
-        mkdir -p data/acme_ca
-        sudo cp examples/ca_handler/certifier_ca_handler.py data/ca_handler.py
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-        sudo cp .github/django_settings.py data/settings.py
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ DEPLOY ] deploy a2c pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/k8s-acme-srv.yml
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
-      run: |
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
-        sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
-        echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
-    - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
-      run: |
-        sudo cp .github/k8s-cert-mgr-http-01.yml data
-        sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
-        sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
-        sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
-
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe ClusterIssuer acme2certifier
-        sudo microk8s.kubectl describe challenge
-        sudo microk8s.kubectl describe certificate
-        sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: cert-manager-http-nginxdjango.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  certmgr_dns01_apwsgi:
-    name: "apache2 wsgi - certmgr dns01 challenge tests"
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] change dns"
-      run: |
-        sudo mkdir -p data
-        sudo systemctl disable systemd-resolved
-        sudo systemctl stop systemd-resolved
-        sudo chmod -R 777 /etc/resolv.conf
-        sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
-        sudo cat /etc/resolv.conf
-        sudo cp .github/k8s-acme-srv.yml data/
-        sudo chmod 777 data/k8s-acme-srv.yml
-        sudo sed -i "s/DNSMASQ_IP/8.8.8.8/g" data/k8s-acme-srv.yml
-        cat data/k8s-acme-srv.yml
-
-    - name: "[ PREPARE ] install microk8s"
-      run: |
-        sudo snap install microk8s --classic
-        sudo microk8s status --wait-ready
-        sudo microk8s enable helm3
-
-    - name: "[ PREPARE ] install cert-manager charts"
-      run: |
-        sudo microk8s.kubectl create namespace cert-manager
-        sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
-        sudo microk8s.helm3 repo update
-        sudo microk8s.helm3 install \
-          cert-manager jetstack/cert-manager \
-          --namespace cert-manager \
-          --set installCRDs=true
-        echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
-    - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      run: |
-        cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
-        # docker pull grindsa/acme2certifier:devel
-        docker save grindsa/acme2certifier > a2c.tar
-        sudo microk8s ctr image import a2c.tar
-        sudo microk8s ctr images ls | grep -i grindsa
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo chmod 777 data
-        mkdir -p data/acme_ca
-        sudo cp examples/ca_handler/certifier_ca_handler.py data/ca_handler.py
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ DEPLOY ] deploy a2c pod"
-      run: |
-        sudo microk8s.kubectl apply -f data/k8s-acme-srv.yml
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
-      run: |
-        sudo microk8s.kubectl get pods -n cert-manager-acme
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
-        sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
-        sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
-        echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
-    - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
-    - name: "[ DEPLOY ] deploy cert-manager"
-      run: |
-        sudo cp .github/k8s-cert-mgr-dns-01.yml data
-        sudo chmod -R 777 data/k8s-cert-mgr-dns-01.yml
-        sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-dns-01.yml
-        sudo sed -i "s/CF_TOKEN/${{ secrets.CF_TOKEN }}/g" data/k8s-cert-mgr-dns-01.yml
-        sudo sed -i "s/MY_EMAIL/${{ secrets.EMAIL }}/g" data/k8s-cert-mgr-dns-01.yml
-
-    - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
-      run: |
-        sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
-
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 30s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 60s
-
-    - name: "[ CHECK ]  check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 60s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 60s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 60s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 60s
-
-    - name: "[ CHECK ] check challenge and certificate"
-      run: |
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-        sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
-        sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme | grep -i "The certificate has been successfully issued"
-
-    - name: "[ PREPARE ] reconfigure YAML to wildcard domain"
-      run: |
-        sudo microk8s.kubectl delete -f data/k8s-cert-mgr-dns-01.yml
-        sudo sed -i "s/commonName: k8.acme.dynamop.de/commonName: '*.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
-        sudo sed -i "s/- k8.acme.dynamop.de/- '*.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
-
-    - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
-      run: |
-        sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
-
-    - name: "[ WAIT ] Sleep for 20s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 20s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-    - name: "[ WAIT ] Sleep for 30s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 60s
-
-    - name: "[ CHECK ]  check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 60s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 60s
-
-    - name: "[ CHECK ] check issuer and challenge"
-      run: |
-        sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-
-    - name: "[ WAIT ] Sleep for 60s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 60s
-
-    - name: "[ CHECK ] check challenge and certificate"
-      run: |
-        sudo microk8s.kubectl describe challenge -n cert-manager-acme
-        sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
-        sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme | grep -i "The certificate has been successfully issued"
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: cert-manager-dns-apwsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
diff --git a/.github/workflows/codescanner.yml b/.github/workflows/codescanner.yml
index d4fdd893..91e9748a 100644
--- a/.github/workflows/codescanner.yml
+++ b/.github/workflows/codescanner.yml
@@ -4,27 +4,67 @@ on:
     branches:
       - 'master'
       - 'devel'
-      - 'min'
       - 'min-devel'
+      - 'min'
+      - 'code-scanner_wf'
+
 jobs:
+
+  bandit:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Bandit Scan
+        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+        with: # optional arguments
+          # exit with 0, even with results found
+          exit_zero: true # optional, default is DEFAULT
+          # Github token of the repository (automatically created by Github)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
+          # File or directory to run bandit on
+          # path: # optional, default is .
+          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # level: # optional, default is UNDEFINED
+          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # confidence: # optional, default is UNDEFINED
+          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+          # excluded_paths: # optional, default is DEFAULT
+          # comma-separated list of test IDs to skip
+          # skips: # optional, default is DEFAULT
+          # path to a .bandit file that supplies command line arguments
+          # ini_path: # optional, default is DEFAULT
+
   codecov:
     name: Codecov Analysis
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Python
         uses: actions/setup-python@master
         with:
           python-version: 3.9
+
+      - name: Install components
+        run: |
+          sudo DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
+          libkrb5-dev \
+          python3-gssapi \
+
       - name: Generate coverage report
         run: |
           python -m pip install --upgrade pip
           pip install lxml beautifulsoup4 html5lib
           pip install pytest
-          pip install pytest-cov
+          pip install pytest-cov impacket
           if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
           pytest --cov=./ --cov-report=xml
+
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v3
         with:
@@ -36,7 +76,7 @@ jobs:
     name: SonarCloud Analysis
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
 
@@ -45,10 +85,16 @@ jobs:
         with:
           python-version: '3.x'
 
+      - name: Install components
+        run: |
+          sudo DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
+          libkrb5-dev \
+          python3-gssapi \
+
       - name: Install pytest coverage and any other packages
         run: |
           python -m pip install --upgrade pip
-          pip install pytest coverage
+          pip install pytest coverage impacket
           if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
 
       - name: run coverage
@@ -68,7 +114,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -77,7 +123,7 @@ jobs:
     # If this run was triggered by a pull request event, then checkout
     # the head of the pull request instead of the merge commit.
     - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
+      if: github.event_name == 'pull_request'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
@@ -113,7 +159,7 @@ jobs:
   #  steps:
   #    # Checkout your code repository to scan
   #  - name: Checkout repository
-  #    uses: actions/checkout@v3
+  #    uses: actions/checkout@v4
   #    with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
diff --git a/.github/workflows/container-tests.yml b/.github/workflows/container-tests.yml
deleted file mode 100644
index c39b3d56..00000000
--- a/.github/workflows/container-tests.yml
+++ /dev/null
@@ -1,350 +0,0 @@
-name: Container Deployment Tests
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  docker-compose_apache2_wsgi:
-    name: "Docker compose - apache2 wsgi"
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build the stack"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-    - name: "[ PREPARE ] test ca_handler_migration"
-      run: |
-        sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
-        cd examples/Docker/
-        docker-compose restart
-        head -n 13 data/ca_handler.py
-        docker-compose logs
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "[ ENROLL ] enroll certificate to verify handler migration"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: docker-compose_apache2_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  docker-compose_nginx_wsgi:
-    name: "Docker compose - nginx wsgi"
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build the stack"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-    - name: "[ PREPARE ] test ca_handler_migration"
-      run: |
-        sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
-        cd examples/Docker/
-        docker-compose restart
-        head -n 13 data/ca_handler.py
-        docker-compose logs
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "[ ENROLL ] enroll certificate to verify handler migration"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: docker-compose_nginx_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  docker-compose_apache2_django:
-    name: "Docker compose - apache2 django"
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build the stack"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-    - name: "[ PREPARE ] test ca_handler_migration"
-      run: |
-        sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
-        cd examples/Docker/
-        docker-compose restart
-        head -n 13 data/ca_handler.py
-        docker-compose logs
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "[ ENROLL ] enroll certificate to verify handler migration"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: docker-compose_apache2_django.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-  docker-compose_nginx_django:
-    name: "Docker compose - nginx django"
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build the stack"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-    - name: "[ PREPARE ] test ca_handler_migration"
-      run: |
-        sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
-        cd examples/Docker/
-        docker-compose restart
-        head -n 13 data/ca_handler.py
-        docker-compose logs
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-    - name: "[ ENROLL ] enroll certificate to verify handler migration"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: docker-compose_nginx_django.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
deleted file mode 100644
index f5c944e2..00000000
--- a/.github/workflows/create_release.yml
+++ /dev/null
@@ -1,117 +0,0 @@
-on:
-  push:
-    branches:
-      - "tbd"
-
-name: Create Release
-
-jobs:
-  build:
-    name: Create Release
-    runs-on: ubuntu-latest
-
-    steps:
-
-      - name: "Get current version"
-        uses: oprypin/find-latest-tag@v1
-        with:
-          repository: ${{ github.repository }}  # The repository to scan.
-          releases-only: true  # We know that all relevant tags have a GitHub release for them.
-        id: acme2certifier_ver  # The step ID to refer to later.
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Retrieve Version from version.py
-        run: |
-          echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV
-          echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-
-      - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}"
-      - run: echo "APP tag is ${{ env.APP_NAME }}"
-      - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-      - name: Create Release
-        id: create_release
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
-        with:
-          tag_name: ${{ env.TAG_NAME }}
-          release_name: ${{ env.APP_NAME }} ${{ env.TAG_NAME }}
-          body: |
-            [Changelog](https://github.com/grindsa/acme2certifier/blob/master/CHANGES.md)
-          draft: false
-          prerelease: false
-
-      - name: update version number in spec file
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        run: |
-          sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-          sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-          git config --global user.email "grindelsack@gmail.com"
-          git config --global user.name "rpm update"
-          git add examples/nginx
-          git commit -a -m "rpm update"
-
-      - name: build RPM package
-        id: rpm_build
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        uses: grindsa/rpmbuild@master
-        with:
-          spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-      - name: Upload Release Source-RPM
-        id: upload-srpm
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        uses: actions/upload-release-asset@v1
-        env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-            upload_url: ${{ steps.create_release.outputs.upload_url }}
-            asset_path: ${{ steps.rpm_build.outputs.source_rpm_path }}
-            asset_name: ${{ steps.rpm_build.outputs.source_rpm_name }}
-            asset_content_type: ${{ steps.rpm_build.outputs.rpm_content_type }}
-
-      - name: Upload Release RPM
-        id: upload-rpm
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        uses: actions/upload-release-asset@v1
-        env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-            upload_url: ${{ steps.create_release.outputs.upload_url }}
-            asset_path: ${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-            asset_name: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-            asset_content_type: ${{ steps.rpm_build.outputs.rpm_content_type }}
-
-      - name: Prepare deb packaging environment
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        run: |
-          sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper
-          rm setup.py
-          cp -R examples/install_scripts/debian ./
-          sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog
-          cd ../
-          tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./
-
-      - name: "[ BUILD ] build debian package"
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        run: |
-          dpkg-buildpackage -uc -us
-          # dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb
-          cp ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb "$(pwd)/acme2certifier_${{ env.TAG_NAME }}-1_all.deb"
-          ls -la
-
-      - name: Upload Release deb
-        id: upload-deb
-        if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
-        uses: actions/upload-release-asset@v1
-        env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-            upload_url: ${{ steps.create_release.outputs.upload_url }}
-            asset_path: acme2certifier_${{ env.TAG_NAME }}-1_all.deb
-            asset_name: acme2certifier_${{ env.TAG_NAME }}-1_all.deb
-            asset_content_type: application/vnd.debian.binary-package
\ No newline at end of file
diff --git a/.github/workflows/django_tests..yml b/.github/workflows/django_tests..yml
index e9972b7f..897bac3f 100644
--- a/.github/workflows/django_tests..yml
+++ b/.github/workflows/django_tests..yml
@@ -9,105 +9,60 @@ on:
     - cron:  '0 2 * * 6'
 
 jobs:
-  apache_django_mariadb:
-    name: "apache_django_mariadb"
+  django_mariadb:
+    name: "django_mariadb"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build environment"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data/mysql
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] install mariadb"
-      working-directory: examples/Docker/
-      run: |
-        # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-        docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
       with:
-        time: 10s
+        DB_HANDLER: "django"
+        WEB_SRV: ${{ matrix.websrv }}
+        DJANGO_DB: "mariadb"
 
-    - name: "[ PREPARE ] configure mariadb"
-      working-directory: examples/Docker/
-      run: |
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;"
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        sudo chmod 777 data/acme_srv.cfg
-        sudo echo "" >> data/acme_srv.cfg
-        sudo echo "[Directory]" >> data/acme_srv.cfg
-        sudo echo "url_prefix: /foo" >> data/acme_srv.cfg
-        docker-compose restart
-        docker-compose logs
-      env:
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ ENROLL ] register via http"
+    - name: "Restart a2c"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
+        cd examples/Docker/
+        sudo echo "[Directory]" >> data/acme_srv.cfg
+        sudo echo "url_prefix: /foo" >> data/acme_srv.cfg
+        grep -i 'django.db.backends.mysql' data/settings.py
+        docker-compose restart
 
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: "django"
+        WEB_SRV: ${{ matrix.websrv }}
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
+      continue-on-error: true
       run: |
         docker exec mariadbsrv mariadb-dump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql
         mkdir -p ${{ github.workspace }}/artifact/upload
@@ -116,849 +71,340 @@ jobs:
         cd examples/Docker
         docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: apache-django-mariadb.tar.gz
+        name: ${{ matrix.websrv }}-mariadb.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  apache_django_psql:
-    name: "apache_django_psql"
+  django_psql:
+    name: "django_psql"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        websrv: ['apache2', 'nginx']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build environment"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data/mysql
-        sudo mkdir -p data/pgsql
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] postgres environment"
-      run: |
-        sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql
-        sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass
-        sudo chmod 600 examples/Docker/data/pgsql/pgpass
-
-    - name: "[ PREPARE ] install postgres"
-      working-directory: examples/Docker/
-      run: |
-        docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
       with:
-        time: 10s
+        DB_HANDLER: "django"
+        WEB_SRV: ${{ matrix.websrv }}
+        DJANGO_DB: "psql"
 
-    - name: "[ PREPARE ] configure postgres"
-      working-directory: examples/Docker/
-      run: |
-        docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
       with:
-        time: 10s
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        sudo chmod 777 data/acme_srv.cfg
-        sudo echo "" >> data/acme_srv.cfg
-        sudo echo "[Directory]" >> data/acme_srv.cfg
-        sudo echo "url_prefix: /foo" >> data/acme_srv.cfg
-        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
-        docker-compose restart
-        docker-compose logs
-      env:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        docker run -v "$(pwd)/examples/Docker/data/pgsql/pgpass":/root/.pgpass --rm --network acme postgres pg_dump -U postgres -h postgresdbsrv acme2certifier > /tmp/acme2certifier.psql
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp /tmp/acme2certifier.psql ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: apache-django-psql.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  nginx_django_mariadb:
-    name: "nginx_django_mariadb"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build environment"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data/mysql
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] install mariadb"
-      working-directory: examples/Docker/
-      run: |
-        # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-        docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure mariadb"
-      working-directory: examples/Docker/
-      run: |
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;"
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Restart a2c"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py
         cd examples/Docker/
-        sudo chmod 777 data/acme_srv.cfg
-        sudo echo "" >> data/acme_srv.cfg
         sudo echo "[Directory]" >> data/acme_srv.cfg
         sudo echo "url_prefix: /foo" >> data/acme_srv.cfg
+        grep -i 'django.db.backends.postgresql_psycopg2' data/settings.py
         docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
 
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: "django"
+        WEB_SRV: ${{ matrix.websrv }}
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
+      continue-on-error: true
       run: |
-        docker exec mariadbsrv mariadb-dump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql
+        docker run -v "$(pwd)/examples/Docker/data/pgsql/pgpass":/root/.pgpass --rm --network acme postgres pg_dump -U postgres -h postgresdbsrv acme2certifier > /tmp/acme2certifier.psql
         mkdir -p ${{ github.workspace }}/artifact/upload
         sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/
+        sudo cp /tmp/acme2certifier.psql ${{ github.workspace }}/artifact/data/
         cd examples/Docker
         docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: nginx-django-mariadb.tar.gz
+        name: ${{ matrix.websrv }}-psql.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  nginx_django_psql:
-    name: "nginx_django_psql"
+  rpm_build_and_upload:
+    name: "rpm_build_and_upload"
     runs-on: ubuntu-latest
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build environment"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data/mysql
-        sudo mkdir -p data/pgsql
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] postgres environment"
-      run: |
-        sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql
-        sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass
-        sudo chmod 600 examples/Docker/data/pgsql/pgpass
-
-    - name: "[ PREPARE ] install postgres"
-      working-directory: examples/Docker/
-      run: |
-        docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure postgres"
-      working-directory: examples/Docker/
-      run: |
-        docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings_psql.py examples/Docker/data/settings.py
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        cd examples/Docker/
-        sudo chmod 777 data/acme_srv.cfg
-        sudo echo "" >> data/acme_srv.cfg
-        sudo echo "[Directory]" >> data/acme_srv.cfg
-        sudo echo "url_prefix: /foo" >> data/acme_srv.cfg
-        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Build rpm package"
+      id: rpm_build
+      uses: ./.github/actions/rpm_build_upload
 
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        docker run -v "$(pwd)/examples/Docker/data/pgsql/pgpass":/root/.pgpass --rm --network acme postgres pg_dump -U postgres -h postgresdbsrv acme2certifier > /tmp/acme2certifier.psql
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp /tmp/acme2certifier.psql ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: nginx-django-psql.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
 
   nginx_django_rpm_sqlite:
     name: "nginx_django_rpm_sqlite"
     runs-on: ubuntu-latest
+    needs: rpm_build_and_upload
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      uses: actions/checkout@v4
 
-    - name: update version number in spec file and path in nginx ssl config
-      run: |
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-        git config --global user.email "grindelsack@gmail.com"
-        git config --global user.name "rpm update"
-        git add examples/nginx
-        git commit -a -m "rpm update"
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data/volume
-        sudo mkdir -p data/acme2certifier
-        sudo mkdir -p data/nginx
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
-        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
-        sudo cp .github/django_settings.py data/acme2certifier/settings.py
-        sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
-        sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*.rpm  data
-      env:
         GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
         GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+        RPM_BUILD: false
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir -p acme-sh
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/volume/acme_srv.cfg
-        sudo chmod 777 data/volume/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/volume/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/volume/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/volume/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/volume/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/volume/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/volume/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/volume/acme_srv.cfg
-      env:
+    - name: Download rpm package
+      uses: actions/download-artifact@v4
+      with:
+        name: acme2certifier-${{ github.run_id }}.noarch.rpm
+        path: data/
+
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        DATA_PATH: data/volume
 
-    - name: "[ PREPARE ] Almalinux instance"
+    - name: "Modify Django setup"
       run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
+        sudo mkdir -p data/volume/acme_ca/certs
+        grep -i 'django.db.backends.sqlite3' data/acme2certifier/settings.py
 
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install scipt"
       run: |
         docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
 
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        ls -la *.pem
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
+      continue-on-error: true
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: nginx_django_rpm_sqlite.tar.gz
+        name: nginx_django_rpm_sqlite-rh${{ matrix.rhversion }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
   nginx_django_rpm_mariadb:
     name: "nginx_django_rpm_mariadb"
     runs-on: ubuntu-latest
+    needs: rpm_build_and_upload
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
+
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+        DJANGO_DB: mariadb
+        RPM_BUILD: false
 
-    - name: Retrieve Version from version.py
+    - name: "Retrieve Version from version.py"
       run: |
         echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
     - run: echo "Latest tag is ${{ env.TAG_NAME }}"
 
-    - name: update version number in spec file and path in nginx ssl config
-      run: |
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-        git config --global user.email "grindelsack@gmail.com"
-        git config --global user.name "rpm update"
-        git add examples/nginx
-        git commit -a -m "rpm update"
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: Download rpm package
+      uses: actions/download-artifact@v4
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data/volume
-        sudo mkdir -p data/acme2certifier
-        sudo mkdir -p data/nginx
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
-        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
-        sudo cp .github/django_settings_mariadb.py data/acme2certifier/settings.py
-        # sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
-        sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py
-
-    - name: "[ PREPARE ] install mariadb"
-      run: |
-        sudo mkdir -p /tmp/mysql
-        docker run --name mariadbsrv --network acme -v /tmp/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-        # docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
+        name: acme2certifier-${{ github.run_id }}.noarch.rpm
+        path: data/
 
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
       with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure mariadb"
-      run: |
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;"
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*.rpm  data
-      env:
-        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir -p acme-sh
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/volume/acme_srv.cfg
-        sudo chmod 777 data/volume/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/volume/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/volume/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/volume/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/volume/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/volume/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/volume/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/volume/acme_srv.cfg
-      env:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        DATA_PATH: data/volume
 
-    - name: "[ PREPARE ] Almalinux instance"
+    - name: "Modify Django setup"
       run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
+        grep -i 'django.db.backends.mysql' data/acme2certifier/settings.py
 
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install scipt"
       run: |
         docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
 
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
+      continue-on-error: true
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv rpm -qa | sort -n > ${{ github.workspace }}/artifact/data/packages.txt
+        docker exec mariadbsrv mariadb-dump -u root --password=foobar acme2certifier > ${{ github.workspace }}/artifact/data/acme2certifer.sql
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh /tmp/mysql
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: nginx_django_rpm_mariadb.tar.gz
+        name: nginx_django_rpm_mariadb-rh${{ matrix.rhversion }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
   nginx_django_rpm_psql:
     name: "nginx_django_rpm_psql"
     runs-on: ubuntu-latest
+    needs: rpm_build_and_upload
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      uses: actions/checkout@v4
 
-    - name: update version number in spec file and path in nginx ssl config
-      run: |
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-        git config --global user.email "grindelsack@gmail.com"
-        git config --global user.name "rpm update"
-        git add examples/nginx
-        git commit -a -m "rpm update"
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data/volume
-        sudo mkdir -p data/acme2certifier
-        sudo mkdir -p data/nginx
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
-        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
-        sudo cp .github/django_settings_psql.py data/acme2certifier/settings.py
-        # sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
-        sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py
-
-    - name: "[ PREPARE ] postgres environment"
-      run: |
-        sudo mkdir -p /tmp/pgsql/data
-        sudo cp .github/a2c.psql /tmp/pgsql/a2c.psql
-        sudo cp .github/pgpass /tmp/pgsql/pgpass
-        sudo chmod 600 /tmp/pgsql/pgpass
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+        DJANGO_DB: psql
+        RPM_BUILD: false
 
-    - name: "[ PREPARE ] install postgres"
+    - name: "Retrieve version from version.py"
       run: |
-        docker run --name postgresdbsrv -v /tmp/pgsql/data:/var/lib/postgresql/data --network acme -e POSTGRES_PASSWORD=foobar -d postgres
+        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
+    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
 
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: Download rpm package
+      uses: actions/download-artifact@v4
       with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure postgres"
-      run: |
-        docker run -v /tmp/pgsql/a2c.psql:/tmp/a2c.psql -v /tmp/pgsql/pgpass:/root/.pgpass --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql
+        name: acme2certifier-${{ github.run_id }}.noarch.rpm
+        path: data/
 
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
       with:
-        time: 10s
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*.rpm  data
-      env:
-        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir -p acme-sh
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/volume/acme_srv.cfg
-        sudo chmod 777 data/volume/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/volume/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/volume/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/volume/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/volume/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/volume/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/volume/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/volume/acme_srv.cfg
-      env:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
+        DATA_PATH: data/volume
 
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
+    - name: "Prepare acme_srv.cfg with openssl_ca_handler"
       run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+        grep -i 'django.db.backends.postgresql_psycopg2' data/acme2certifier/settings.py
 
-    - name: "[ REGISTER] certbot"
+    - name: "Execute install scipt"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+        docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
+      continue-on-error: true
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh /tmp/pgsql
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: nginx_django_rpm_psql.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
+        name: nginx_django_rpm_psql-rh${{ matrix.rhversion }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
+
+  rpm_cleanup:
+    name: "rpm_cleanup"
+    runs-on: ubuntu-latest
+    needs: [nginx_django_rpm_psql, nginx_django_rpm_mariadb, nginx_django_rpm_sqlite]
+    steps:
+    - name: "Delete artifact"
+      uses: geekyeggo/delete-artifact@v5
+      with:
+        name: acme2certifier-${{ github.run_id }}.noarch.rpm
diff --git a/.github/workflows/dns-test.yml b/.github/workflows/dns-test.yml
index 6d38b8b7..a1f925ad 100644
--- a/.github/workflows/dns-test.yml
+++ b/.github/workflows/dns-test.yml
@@ -12,47 +12,55 @@ jobs:
   dns_challenge_tests:
     name: "dns_challenge_tests"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        ACME_SRV_SRC: .github/openssl_ca_handler.py_acme_srv_default_handler_dns.cfg
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Restart a2c"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler_dns.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
         docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+    - name: "Prepare acme.sh container"
       run: |
         docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
         sudo cp .github/dns_test.sh acme-sh/
@@ -61,7 +69,7 @@ jobs:
         docker exec -i acme-sh mv /acme.sh/dns_test.sh /root/.acme.sh/dnsapi/
         docker exec -i acme-sh chmod +x /root/.acme.sh/dnsapi/dns_test.sh
 
-    - name: "[ PREPARE ] set DNS server"
+    - name: "Set DNS server"
       run: |
         cd examples/Docker/
         docker-compose stop
@@ -70,33 +78,33 @@ jobs:
         docker-compose start
         docker-compose logs
 
-    - name: "[ ENROLL ] acme.sh - single domain"
+    - name: "Enroll acme.sh - single domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.single --standalone --debug 3 --output-insecure --force
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.single_ecc/ca.cer
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.single_ecc/acme-sh.single.cer
 
-    - name: "[ ENROLL ] acme.sh - two domains"
+    - name: "Enroll acme.sh - two domains"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.first --dns dns_test -d acme-sh.second --standalone --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.first_ecc/acme-sh.first.cer
 
-    - name: "[ ENROLL ] acme.sh - single wildcard domain"
+    - name: "Enroll acme.sh - single wildcard domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.wildcard --standalone --debug 3 --output-insecure --force
         openssl verify  -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/*acme-sh.wildcard_ecc/*acme-sh.wildcard.cer
 
-    - name: "[ ENROLL ] acme.sh - double wildcard domain"
+    - name: "Enroll acme.sh - double wildcard domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.first-wildcard --dns dns_test -d *.acme-sh.second-wildcard --standalone --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/*.acme-sh.first-wildcard_ecc/*.acme-sh.first-wildcard.cer
 
-    - name: "[ ENROLL ] acme.sh - domain and wildcard domain"
+    - name: "Enroll acme.sh - domain and wildcard domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.fqdn-wildcard --dns dns_test -d *.acme-sh.fqdn-wildcard --standalone --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.fqdn-wildcard_ecc/acme-sh.fqdn-wildcard.cer
 
-    - name: "[ Test ] check TXT record exists"
+    - name: "check TXT record exists"
       if: ${{ failure() }}
       run: |
         docker exec -i acme-sh ps -a
@@ -120,69 +128,49 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: dns_challenge_tests.tar.gz
+        name: dns_challenge_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
 
   dns_challenge_tests_rpm:
     name: "dns_challenge_tests_rpm"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file
-      run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
+      uses: actions/checkout@v4
 
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler_dns.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-      env:
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        ACME_SRV_SRC: .github/openssl_ca_handler.py_acme_srv_default_handler_dns.cfg
+        DATA_PATH: data
 
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "Prepare acme.sh container"
       run: |
         docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
         sudo cp .github/dns_test.sh acme-sh/
@@ -191,50 +179,45 @@ jobs:
         docker exec -i acme-sh mv /acme.sh/dns_test.sh /root/.acme.sh/dnsapi/
         docker exec -i acme-sh chmod +x /root/.acme.sh/dnsapi/dns_test.sh
 
-    - name: "[ PREPARE ] set DNS server"
+    - name: "Set DNS server"
       run: |
         docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh
         sudo sed -i "s/DNS-IP/$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)/g" data/acme_srv.cfg
 
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install scipt"
       run: |
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
-    - name: "Test http://acme-srv/directory is accessable"
+    - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ ENROLL ] acme.sh - single domain"
+    - name: "Enroll acme.sh - single domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.single --standalone --debug 3 --output-insecure --force
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.single_ecc/ca.cer
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.single_ecc/acme-sh.single.cer
 
-    - name: "[ ENROLL ] acme.sh - two domains"
+    - name: "Enroll acme.sh - two domains"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.first --dns dns_test -d acme-sh.second --standalone --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.first_ecc/acme-sh.first.cer
 
-    - name: "[ ENROLL ] acme.sh - single wildcard domain"
+    - name: "Enroll acme.sh - single wildcard domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.wildcard --standalone --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/*acme-sh.wildcard_ecc/*acme-sh.wildcard.cer
 
-    - name: "[ ENROLL ] acme.sh - double wildcard domain"
+    - name: "Enroll acme.sh - double wildcard domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.first-wildcard --dns dns_test -d *.acme-sh.second-wildcard --standalone --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/*.acme-sh.first-wildcard_ecc/*.acme-sh.first-wildcard.cer
 
-    - name: "[ ENROLL ] acme.sh - domain and wildcard domain"
+    - name: "Enroll acme.sh - domain and wildcard domain"
       run: |
         docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.fqdn-wildcard --dns dns_test -d *.acme-sh.fqdn-wildcard --standalone --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.fqdn-wildcard_ecc/acme-sh.fqdn-wildcard.cer
 
-    - name: "[ Test ] check TXT record exists"
+    - name: "check TXT record exists"
       if: ${{ failure() }}
       run: |
         docker exec -i acme-sh ps -a
@@ -254,13 +237,16 @@ jobs:
         mkdir -p ${{ github.workspace }}/artifact/upload
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
         sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: dns_challenge_tests_rpm.tar.gz
+        name: dns-rpm-rh${{ matrix.rhversion }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/eab-test.yml b/.github/workflows/eab-test.yml
index a3dad9bf..4ae971d5 100644
--- a/.github/workflows/eab-test.yml
+++ b/.github/workflows/eab-test.yml
@@ -12,119 +12,120 @@ jobs:
   eab_apache2_wsgi:
     name: "eab_apache2_wsgi"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
+    - name: "Create letsencrypt folder"
       run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+        mkdir -p certbot
+        mkdir -p lego
+        mkdir -p acme-sh
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Restart a2c"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
         sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
         sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/json_handler.py" >> examples/Docker/data/acme_srv.cfg
         sudo echo "key_file: examples/eab_handler/key_file.json" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] create letsencrypt folder"
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+    - name: "Fail - Register lego"
+      id: legofail
+      continue-on-error: true
       run: |
-        mkdir certbot
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
 
-    - name: "[ FAIL ] certbot without eab-credentials"
+    - name: "Check lego result"
+      if: steps.legofail.outcome != 'failure'
+      run: |
+        echo "legofail outcome is ${{steps.legofail.outcome }}"
+        exit 1
+
+    - name: "Enroll lego"
+      run: |
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+        sudo cat lego/certificates/lego.acme.issuer.crt |  awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}'
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+
+    - name: "Fail - Registercertbot without eab-credentials"
       id: certbotfail
       continue-on-error: true
       run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
 
-    - name: "[ CHECK ] certbot result "
+    - name: "check certbot result "
       if: steps.certbotfail.outcome != 'failure'
       run: |
         echo "certbot outcome is ${{steps.certbotfail.outcome }}"
         exit 1
 
-    - name: "[ REGISTER] certbot"
+    - name: "Register certbot using eab-credentials"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=bWFjXzAy
+        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
+    - name: "Enroll HTTP-01 single domain certbot"
       run: |
         docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
 
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ FAIL] acme.sh"
+    - name: "Fail - Register acme.sh"
       id: acmeshfail
       continue-on-error: true
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3
 
-    - name: "[ CHECK ] acme.sh result "
+    - name: "Check acme.sh result "
       if: steps.acmeshfail.outcome != 'failure'
       run: |
         echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
         exit 1
 
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key bWFjXzAy --debug 3
-
-    - name: "[ ENROLL] acme.sh"
+    - name: "Register acme.sh with eab-credentials"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
 
-    - name: "[ FAIL ] lego"
-      id: legofail
-      continue-on-error: true
+    - name: "Enroll acme.sh"
       run: |
-        mkdir lego
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-
-    - name: "[ CHECK ] lego result "
-      if: steps.legofail.outcome != 'failure'
-      run: |
-        echo "legofail outcome is ${{steps.legofail.outcome }}"
-        exit 1
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac bWFjXzAy -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
@@ -136,65 +137,56 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: eab-${{ matrix.keylength }}.tar.gz
+        name: eab-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  eab_apache2_wsgi_rpm:
-    name: "eab_apache2_wsgi_rpm"
+  eab_rpm:
+    name: "eab_rpm"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+        execscript: ['rpm_tester.sh', 'django_tester.sh']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file
-      run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
+      uses: actions/checkout@v4
 
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - name: "[ PREPARE ] setup environment for alma installation"
+    - name: "Create letsencrypt and lego folder"
       run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
+        sudo mkdir -p acme-sh
+        sudo mkdir -p certbot
+        sudo mkdir -p lego
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir certbot
-        mkdir lego
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      if: matrix.execscript == 'rpm_tester.sh'
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: data
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Enable EABhandler"
+      if: matrix.execscript == 'rpm_tester.sh'
       run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
         sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
         sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >> data/acme_srv.cfg
         sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/acme_srv.cfg
@@ -205,84 +197,104 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "[ PREPARE ] Almalinux instance"
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      if: matrix.execscript == 'django_tester.sh'
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: data/volume
+
+    - name: "Enable EABhandler"
+      if: matrix.execscript == 'django_tester.sh'
       run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
+        sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg
+        sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >>data/volume/acme_srv.cfg
+        sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/volume/acme_srv.cfg
 
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install scipt"
       run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
+        docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
+      env:
+        EXEC_SCRIPT: ${{ matrix.execscript }}
+
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
 
     - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ FAIL ] certbot without eab-credentials"
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+    - name: "Fail - Register lego"
+      id: legofail
+      continue-on-error: true
+      run: |
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+
+    - name: "Check lego result"
+      if: steps.legofail.outcome != 'failure'
+      run: |
+        echo "legofail outcome is ${{steps.legofail.outcome }}"
+        exit 1
+
+    - name: "Enroll lego"
+      run: |
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+        sudo cat lego/certificates/lego.acme.issuer.crt |  awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}'
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+
+    - name: "Fail - Registercertbot without eab-credentials"
       id: certbotfail
       continue-on-error: true
       run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
 
-    - name: "[ CHECK ] certbot result "
+    - name: "check certbot result "
       if: steps.certbotfail.outcome != 'failure'
       run: |
         echo "certbot outcome is ${{steps.certbotfail.outcome }}"
         exit 1
 
-    - name: "[ REGISTER] certbot"
+    - name: "Register certbot using eab-credentials"
       run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=bWFjXzAy
+        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
+    - name: "Enroll HTTP-01 single domain certbot"
       run: |
         docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
 
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ FAIL] acme.sh"
+    - name: "Fail - Register acme.sh"
       id: acmeshfail
       continue-on-error: true
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3
 
-    - name: "[ CHECK ] acme.sh result "
+    - name: "Check acme.sh result "
       if: steps.acmeshfail.outcome != 'failure'
       run: |
         echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
         exit 1
 
-    - name: "[ REGISTER] acme.sh"
+    - name: "Register acme.sh with eab-credentials"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key bWFjXzAy --debug 3
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
 
-    - name: "[ ENROLL] acme.sh"
+    - name: "Enroll acme.sh"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ FAIL ] lego"
-      id: legofail
-      continue-on-error: true
-      run: |
-        mkdir lego
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-
-    - name: "[ CHECK ] lego result "
-      if: steps.legofail.outcome != 'failure'
-      run: |
-        echo "legofail outcome is ${{steps.legofail.outcome }}"
-        exit 1
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac bWFjXzAy -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
@@ -291,12 +303,16 @@ jobs:
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: eab-rpm.tar.gz
+        name: eab-rpm-{{ matrix.execscript }}-rh${{ matrix.rhversion }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
+
diff --git a/.github/workflows/enrollment-timeout.yml b/.github/workflows/enrollment-timeout.yml
deleted file mode 100644
index 9d84a0ea..00000000
--- a/.github/workflows/enrollment-timeout.yml
+++ /dev/null
@@ -1,121 +0,0 @@
-name: Asynchronous enrollment and certificate reusage
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  async_enrollment_cert_reusage:
-    name: "Async_enrollment_cert_reusage"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        # sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 300/g" examples/Docker/data/acme_srv.cfg
-        sudo cp examples/ca_handler/certifier_ca_handler.py examples/Docker/data/ca_handler.py
-        sudo sed -i "s/        cert_dic = self._cert_get(csr)/        cert_dic = self._cert_get(csr)\\n        time.sleep(30)/g" examples/Docker/data/ca_handler.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh//acme-sh.acme/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
-
-    - name: "[ VERIFY ] Check timeout"
-      working-directory: examples/Docker/
-      run: |
-        docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
-        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
-
-    - name: "[ ENROLL ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048  --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-
-    - name: "[ VERIFY ] Check certificate reusage"
-      working-directory: examples/Docker/
-      run: |
-        docker-compose logs | grep "Certificate._enroll(): reuse existing certificate"
-
-    - name: "[ ENROL] lego"
-      run: |
-        mkdir lego
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme  --cert.timeout 150 --http run
-
-    - name: "[ VERIFY ] Check timeout"
-      working-directory: examples/Docker/
-      run: |
-        docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
-        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
-
-    - name: "[ REGISTER ] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-
-    - name: "[ VERIFY ] Check timeout"
-      working-directory: examples/Docker/
-      run: |
-        docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
-        sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
-
-
-    - name: "[ * ] collecting test data"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
-
-    - name: "[ * ] uploading artifacts"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: async_enrollment_cert_reusage.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/hooks-test.yml b/.github/workflows/hooks-test.yml
index 9a874eff..f4ed5cf1 100644
--- a/.github/workflows/hooks-test.yml
+++ b/.github/workflows/hooks-test.yml
@@ -5,49 +5,94 @@ on:
   pull_request:
     branches: [ devel ]
   schedule:
-    # * is a special character in YAML so you have to quote this string
     - cron:  '0 2 * * 6'
 
 jobs:
-  hooks_test:
-    name: "hooks_test"
+
+  container_build:
+    name: "container_build"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
+
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
+
+    - name: "Build container"
+      uses: ./.github/actions/container_build_upload
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
+  hooks_tests:
+    name: "hooks_tests"
+    runs-on: ubuntu-latest
+    needs: container_build
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
+
+    steps:
+    - name: "checkout GIT"
+      uses: actions/checkout@v4
+
+    - name: "Download container"
+      uses: actions/download-artifact@v4
+      with:
+        name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
+        path: /tmp
+
+    - name: "Import container"
       run: |
-        sudo mkdir -p data/hooks
-        sudo chmod -R 777 data/hooks
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+        sudo apt-get install -y docker-compose
+        gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
+        docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
+        docker images
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Prepare container environment"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+        CONTAINER_BUILD: false
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+    - name: "Bring up a2c container"
+      uses: ./.github/actions/container_up
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: examples/Docker/data
+
+    - name: "Restart a2c"
+      run: |
+        sudo mkdir -p examples/Docker/data/hooks
+        sudo chmod -R 777 examples/Docker/data/hooks
         sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg
         sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/cn_dump_hooks.py" >> examples/Docker/data/acme_srv.cfg
         sudo echo "save_path: volume/hooks" >> examples/Docker/data/acme_srv.cfg
         sudo echo "$HOOKS_CHECKSUM" > examples/Docker/data/hooks/checksums.sha256
-        # sudo cat examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
-        docker-compose logs
       env:
         HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
@@ -56,18 +101,26 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] create letsencrypt folder"
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+    - name: "create letsencrypt folder"
       run: |
         mkdir certbot
 
-    - name: "[ REGISTER] certbot"
+    - name: "Register certbot"
       run: |
         docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
 
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
+    - name: "Enroll HTTP-01 single domain certbot"
       run: |
         docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
         sudo chmod 777 certbot/archive/certbot/chain1.pem
@@ -75,30 +128,36 @@ jobs:
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
 
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "Prepare acme.sh container"
       run: |
         docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
 
-    - name: "[ REGISTER] acme.sh"
+    - name: "Register acme.sh"
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
 
-    - name: "[ ENROLL] acme.sh"
+    - name: "Enroll acme.sh"
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ ENROLL ] lego"
+    - name: "Enroll lego"
       run: |
         docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
 
-    - name: "[ CHECK ] compare checksums to validate hook file content"
+    - name: "Check compare checksums to validate hook file content"
       working-directory: examples/Docker/data/hooks
       run: |
         sha256sum -c checksums.sha256
 
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
       run: |
@@ -109,180 +168,80 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: hooks.tar.gz
+        name: hooks-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  hooks_test_rpm:
-    name: "hooks_test_rpm"
+  hooks_exception_handling:
+    name: "hooks_exception_handling"
     runs-on: ubuntu-latest
+    needs: container_build
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+      uses: actions/checkout@v4
 
-    - name: update version number in spec file
+    - name: "Create folders"
       run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
+        mkdir lego
+        mkdir acme-sh
+        mkdir certbot
 
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Download container"
+      uses: actions/download-artifact@v4
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
+        name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
+        path: /tmp
 
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
+    - name: "Import container"
       run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
+        sudo apt-get install -y docker-compose
+        gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
+        docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
+        docker images
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
-      run: |
-        mkdir acmme-sh
-        mkdir lego
+    - name: "Prepare container environment"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+        CONTAINER_BUILD: false
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-        sudo mkdir -p data/acme_ca/hooks
-        sudo chmod -R 777 data/acme_ca/hooks
-        sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg
-        sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/cn_dump_hooks.py" >> data/acme_srv.cfg
-        sudo echo "save_path: /tmp/acme2certifier/acme_ca/hooks" >> data/acme_srv.cfg
-        sudo echo "$HOOKS_CHECKSUM" > data/acme_ca/hooks/checksums.sha256
-      env:
-        HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
+    - name: "Bring up a2c container"
+      uses: ./.github/actions/container_up
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ CHECK ] compare checksums to validate hook file content"
-      working-directory: data/acme_ca/hooks
-      run: |
-        sha256sum -c checksums.sha256
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: hooks-rpm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  hooks_exception_handling:
-    name: "hooks_exception_handling"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
+    - name: "Restart a2c"
       run: |
-        sudo mkdir -p data/hooks
-        sudo chmod -R 777 data/hooks
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+        sudo mkdir -p examples/Docker/data/hooks
         sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg
         sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/exception_test_hooks.py" >> examples/Docker/data/acme_srv.cfg
         sudo echo "raise_pre_hook_exception: False" >> examples/Docker/data/acme_srv.cfg
         sudo echo "raise_post_hook_exception: False" >> examples/Docker/data/acme_srv.cfg
         sudo echo "raise_success_hook_exception: False" >> examples/Docker/data/acme_srv.cfg
-        # sudo cat examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
         docker-compose logs
@@ -294,55 +253,63 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable again"
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
+      with:
+        time: 10s
+
+    - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+    - name: "Prepare acme.sh container"
       run: |
         docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
 
-    - name: "[ REGISTER] acme.sh"
+    - name: "Register acme.sh"
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
 
-    - name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured "
+    - name: "Enroll acme.sh - *_pre_hook_failure not configured "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure hook handler to trigger pre hook exception "
+    - name: "Reconfigure hook handler to trigger pre hook exception "
       run: |
         sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
         docker-compose restart
 
-    - name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)"
+    - name: "acme.sh enrollment fails due to pre-hook exception (default behaviour)"
       id: prehookfailure
       continue-on-error: true
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
 
-    - name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception "
+    - name: "Check result - acme.sh enrollment failed due to pre-hook exception "
       if: steps.prehookfailure.outcome != 'failure'
       run: |
         echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}"
         exit 1
 
-    - name: "[ PREPARE  ] reconfigure a2c to ignore pre-hook failures "
+    - name: "Reconfigure a2c to ignore pre-hook failures "
       run: |
         sudo echo "ignore_pre_hook_failure: True" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
         docker-compose restart
 
-    - name: "[ ENROLL] acme.sh - ignore pre_hook_failures "
+    - name: "Enroll acme.sh - ignore pre_hook_failures "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure hook handler to trigger success hook exception "
+    - name: "Reconfigure hook handler to trigger success hook exception "
       run: |
         sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" examples/Docker/data/acme_srv.cfg
         sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" examples/Docker/data/acme_srv.cfg
@@ -350,31 +317,31 @@ jobs:
         sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
         docker-compose restart
 
-    - name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) "
+    - name: "acme.sh enrollment fails due to success-hook exception (default behaviour) "
       id: successhookfailure
       continue-on-error: true
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
 
-    - name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception "
+    - name: "Check result - acme.sh enrollment failed due to success-hook exception "
       if: steps.successhookfailure.outcome != 'failure'
       run: |
         echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}"
         exit 1
 
-    - name: "[ PREPARE  ] reconfigure a2c to ignore success-hook failures "
+    - name: "Reconfigure a2c to ignore success-hook failures "
       run: |
         sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
         docker-compose restart
 
-    - name: "[ ENROLL] acme.sh - ignore sucess_hook_failures "
+    - name: "Enroll acme.sh - ignore sucess_hook_failures "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure hook handler to trigger post hook exception "
+    - name: "Reconfigure hook handler to trigger post hook exception "
       run: |
         sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" examples/Docker/data/acme_srv.cfg
         sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" examples/Docker/data/acme_srv.cfg
@@ -382,30 +349,36 @@ jobs:
         sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
         docker-compose restart
 
-    - name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) "
+    - name: "Enroll acme.sh - ignore post_hook_failures (default behaviour) "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure a2c to detect success-hook failures "
+    - name: "Reconfigure a2c to detect success-hook failures "
       run: |
         sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
         docker-compose restart
 
-    - name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception "
+    - name: "Acme.sh enrollment fails due to post-hook exception "
       id: posthookfailure
       continue-on-error: true
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
 
-    - name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception "
+    - name: "Check result - acme.sh enrollment failed due to post-hook exception "
       if: steps.posthookfailure.outcome != 'failure'
       run: |
         echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}"
         exit 1
 
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
       run: |
@@ -416,66 +389,208 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: hooks_exception_handling.tar.gz
+        name: hooks_exception_handling-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  hooks_exception_handling_rpm:
-    name: "hooks_exception_handling_rpm"
+  cleanup:
+    name: "cleanup"
+    runs-on: ubuntu-latest
+    needs: [hooks_tests, hooks_exception_handling]
+    strategy:
+      fail-fast: false
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
+
+    steps:
+    - uses: geekyeggo/delete-artifact@v5
+      with:
+        name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
+
+  rpm_build_and_upload:
+    name: "rpm_build_and_upload"
     runs-on: ubuntu-latest
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
+    - name: "Build rpm package"
+      id: rpm_build
+      uses: ./.github/actions/rpm_build_upload
 
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+  hooks_test_rpm:
+    name: "hooks_test_rpm"
+    runs-on: ubuntu-latest
+    needs: rpm_build_and_upload
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+    steps:
+    - name: "checkout GIT"
+      uses: actions/checkout@v4
+
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+        RPM_BUILD: false
 
-    - name: update version number in spec file
+    - name: Download rpm package
+      uses: actions/download-artifact@v4
+      with:
+        name: acme2certifier-${{ github.run_id }}.noarch.rpm
+        path: data/
+
+    - name: "create letsencrypt and lego folder"
       run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
+        mkdir acme-sh
+        mkdir lego
 
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
       with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: data
+
+    - name: "Modify acme_srv.cfg"
+      run: |
+        sudo mkdir -p data/acme_ca/hooks
+        sudo cp test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
+        sudo chmod 777 data/acme_srv.cfg
+        sudo chmod -R 777 data/acme_ca/hooks
+        sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg
+        sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/cn_dump_hooks.py" >> data/acme_srv.cfg
+        sudo echo "save_path: /tmp/acme2certifier/acme_ca/hooks" >> data/acme_srv.cfg
+        sudo echo "$HOOKS_CHECKSUM" > data/acme_ca/hooks/checksums.sha256
+      env:
+        HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
 
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
+    - name: "Execute install scipt"
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
+
+    - name: "Test http://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+    - name: "Register certbot"
+      run: |
+        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
 
-    - name: "[ PREPARE ] setup environment for alma installation"
+    - name: "Enroll HTTP-01 single domain certbot"
       run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
+        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+        sudo chmod 777 certbot/archive/certbot/chain1.pem
+        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
 
-    - name: "[ PREPARE ] create letsencrypt and lego folder"
+    - name: "Prepare acme.sh container"
       run: |
-        mkdir acmme-sh
+        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+    - name: "Register acme.sh"
+      run: |
+        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
+
+    - name: "Enroll acme.sh"
+      run: |
+        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+
+    - name: "Enroll lego"
+      run: |
+        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+
+    - name: "Compare checksums to validate hook file content"
+      working-directory: data/acme_ca/hooks
+      run: |
+        sha256sum -c checksums.sha256
+
+    - name: "[ * ] collecting test logs"
+      if: ${{ failure() }}
+      run: |
+        mkdir -p ${{ github.workspace }}/artifact/upload
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
+
+    - name: "[ * ] uploading artificates"
+      uses: actions/upload-artifact@v4
+      if: ${{ failure() }}
+      with:
+        name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
+
+  hooks_exception_handling_rpm:
+    name: "hooks_exception_handling_rpm"
+    runs-on: ubuntu-latest
+    needs: rpm_build_and_upload
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+    steps:
+    - name: "checkout GIT"
+      uses: actions/checkout@v4
+
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+        RPM_BUILD: false
+
+    - name: Download rpm package
+      uses: actions/download-artifact@v4
+      with:
+        name: acme2certifier-${{ github.run_id }}.noarch.rpm
+        path: data/
+
+    - name: "create letsencrypt and lego folder"
+      run: |
+        mkdir acme-sh
         mkdir lego
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: data
+
+    - name: "Modify acme_srv.cfg"
       run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
         sudo mkdir -p data/acme_ca/hooks
         sudo chmod -R 777 data/acme_ca/hooks
         sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg
@@ -491,110 +606,106 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
+    - name: "Execute install scipt"
       run: |
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
     - name: "Test http://acme-srv/directory is accessible"
       run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] prepare acme.sh container"
+
+    - name: "Prepare acme.sh container"
       run: |
         docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
 
-    - name: "[ REGISTER] acme.sh"
+    - name: "Register acme.sh"
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
 
-    - name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured "
+    - name: "Enroll acme.sh - *_pre_hook_failure not configured "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure hook handler to trigger pre hook exception "
+    - name: "reconfigure hook handler to trigger pre hook exception "
       run: |
         sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" data/acme_srv.cfg
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)"
+    - name: "acme.sh enrollment fails due to pre-hook exception (default behaviour)"
       id: prehookfailure
       continue-on-error: true
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
 
-    - name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception "
+    - name: "Check result - acme.sh enrollment failed due to pre-hook exception "
       if: steps.prehookfailure.outcome != 'failure'
       run: |
         echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}"
         exit 1
 
-    - name: "[ PREPARE  ] reconfigure a2c to ignore pre-hook failures "
+    - name: "reconfigure a2c to ignore pre-hook failures "
       run: |
         sudo echo "ignore_pre_hook_failure: True" >> data/acme_srv.cfg
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ ENROLL] acme.sh - ignore pre_hook_failures "
+    - name: "Enroll acme.sh - ignore pre_hook_failures "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure hook handler to trigger success hook exception "
+    - name: "reconfigure hook handler to trigger success hook exception "
       run: |
         sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" data/acme_srv.cfg
         sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" data/acme_srv.cfg
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) "
+    - name: "acme.sh enrollment fails due to success-hook exception (default behaviour) "
       id: successhookfailure
       continue-on-error: true
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
 
-    - name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception "
+    - name: "Check result - acme.sh enrollment failed due to success-hook exception "
       if: steps.successhookfailure.outcome != 'failure'
       run: |
         echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}"
         exit 1
 
-    - name: "[ PREPARE  ] reconfigure a2c to ignore success-hook failures "
+    - name: "reconfigure a2c to ignore success-hook failures "
       run: |
         sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" data/acme_srv.cfg
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ ENROLL] acme.sh - ignore sucess_hook_failures "
+    - name: "Enroll acme.sh - ignore sucess_hook_failures "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure hook handler to trigger post hook exception "
+    - name: "reconfigure hook handler to trigger post hook exception "
       run: |
         sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" data/acme_srv.cfg
         sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" data/acme_srv.cfg
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) "
+    - name: "Enroll acme.sh - ignore post_hook_failures (default behaviour) "
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ PREPARE  ] reconfigure a2c to detect success-hook failures "
+    - name: "reconfigure a2c to detect success-hook failures "
       run: |
         sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" data/acme_srv.cfg
         docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
 
-    - name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception "
+    - name: "acme.sh enrollment fails due to post-hook exception "
       id: posthookfailure
       continue-on-error: true
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
 
-    - name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception "
+    - name: "Check result - acme.sh enrollment failed due to post-hook exception "
       if: steps.posthookfailure.outcome != 'failure'
       run: |
         echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}"
@@ -607,12 +718,17 @@ jobs:
         docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
         sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
         docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: hooks-rpm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
+        name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz
+        path: ${{ github.workspace }}/artifact/upload/
+
+
diff --git a/.github/workflows/ip-address-tests.yml b/.github/workflows/ip-address-tests.yml
index 1bddb1a7..82df5c35 100644
--- a/.github/workflows/ip-address-tests.yml
+++ b/.github/workflows/ip-address-tests.yml
@@ -9,160 +9,58 @@ on:
     - cron:  '0 2 * * 6'
 
 jobs:
-  ip_apache2_wsgi:
-    name: "ip_apache2_wsgi"
+  ip_tests:
+    name: "ip_tests"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] get runner ip"
+    - name: "get runner ip"
       run: |
         echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
         echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
     - run: echo "runner IP is ${{ env.RUNNER_IP }}"
 
-    - name: "Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "Enroll HTTP-01 single domain and ip address "
-      run: |
-        docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme -d $RUNNER_IP --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-        sudo openssl x509 -in lego/certificates/lego.acme.crt --text --noout | grep "IP Address"
-      env:
-        RUNNER_IP: ${{ env.RUNNER_IP }}
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
+    - name: "Restart a2c"
       run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: ip_apache2_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  ip_apache2_django:
-    name: "ip_apache2_django"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: "Build docker-compose (apache2_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
         cd examples/Docker/
         docker-compose restart
         docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
     - name: "Enroll HTTP-01 single domain and ip address "
       run: |
+        sudo rm -rf lego/*
         docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme -d $RUNNER_IP --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
         sudo openssl x509 -in lego/certificates/lego.acme.crt --text --noout | grep "IP Address"
       env:
@@ -179,170 +77,80 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: ip_apache2_django.tar.gz
+        name: ip_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  ip_nginx_wsgi:
-    name: "ip_nginx_wsgi"
+  ip_rpm:
+    name: "ip_rpm"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+        execscript: ['rpm_tester.sh', 'django_tester.sh']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] get runner ip"
+    - name: "get runner ip"
       run: |
         echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
         echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
     - run: echo "runner IP is ${{ env.RUNNER_IP }}"
 
-    - name: "Build docker-compose (nginx_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
+    - name: "WSGI - Prepare acme_srv.cfg with certifier_ca_handler"
+      if: matrix.execscript == 'rpm_tester.sh'
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
+        DATA_PATH: data
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "Enroll HTTP-01 single domain and ip address "
-      run: |
-        docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme -d $RUNNER_IP --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-        sudo openssl x509 -in lego/certificates/lego.acme.crt --text --noout | grep "IP Address"
-      env:
-        RUNNER_IP: ${{ env.RUNNER_IP }}
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
+    - name: "Django - Prepare acme_srv.cfg with certifier_ca_handler"
+      if: matrix.execscript == 'django_tester.sh'
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
       with:
-        name: ip_nginx_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  ip_nginx_django:
-    name: "ip_nginx_django"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: "Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+        DATA_PATH: data/volume
 
-    - name: "create lego folder"
+    - name: "Execute install scipt"
       run: |
-        mkdir lego
+        docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
+      env:
+        EXEC_SCRIPT: ${{ matrix.execscript }}
+
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
     - name: "Enroll HTTP-01 single domain and ip address "
       run: |
         docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme -d $RUNNER_IP --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
         sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
         sudo openssl x509 -in lego/certificates/lego.acme.crt --text --noout | grep "IP Address"
       env:
@@ -352,15 +160,19 @@ jobs:
       if: ${{ failure() }}
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
         sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: ip_nginx_django.tar.gz
+        name: ip_wsgi_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
+
diff --git a/.github/workflows/ipv6-test.yml b/.github/workflows/ipv6-test.yml
index 1961964c..d3c55445 100644
--- a/.github/workflows/ipv6-test.yml
+++ b/.github/workflows/ipv6-test.yml
@@ -9,204 +9,70 @@ jobs:
   ipv6_apache2_wsgi:
     name: "ipv6_apache2_wsgi"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        websrv: ['apache2', 'nginx']
+        dbhandler: ['wsgi', 'django']
+
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
-        docker-compose up -d
-        docker-compose logs
+      uses: actions/checkout@v4
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: ${{ matrix.dbhandler }}
+        WEB_SRV: ${{ matrix.websrv }}
+        IPV6: true
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "create acme-sh folder"
-      run: |
-        mkdir acme-sh
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: ipv6_apache2_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
+        DATA_PATH: examples/Docker/data
 
-  ipv6_nginx_wsgi:
-    name: "ipv6_nginx_wsgi"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-    - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)"
-      working-directory: examples/Docker/
+    - name: "Restart a2c"
       run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
         cd examples/Docker/
         docker-compose restart
         docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "create acme-sh folder"
-      run: |
-        mkdir acme-sh
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
-
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
 
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
+    - name: "Sleep for 10s"
+      uses: juliangruber/sleep-action@v2.0.3
       with:
-        name: ipv6_nginx_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
+        time: 10s
 
-  ipv6_apache2_django:
-    name: "ipv6_apache2_django"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-    - name: "[ PREPARE ] Build docker-compose (apache2_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
-        docker-compose up -d
-        docker-compose logs
+    - name: "Test http://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+    - name: "Test if https://acme-srv/directory is accessible"
+      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
 
     - name: "create acme-sh folder"
       run: |
         mkdir acme-sh
 
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "prepare acme.sh container"
       run: |
         docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
 
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6"
+    - name: "Enroll HTTP-01 single domain acme.sh using ipv6"
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure
         awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
 
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback"
+    - name: "Enroll HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback"
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force
         openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
@@ -220,84 +86,92 @@ jobs:
         cd examples/Docker
         docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
+
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: ipv6_apache2_django.tar.gz
+        name: ipv6_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  ipv6_nginx_django:
-    name: "ipv6_nginx_django"
+  rpm_ipv6:
+    name: "rpm_ipv6"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
+        execscript: ['rpm_tester.sh', 'django_tester.sh']
+
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
-        docker-compose up -d
-        docker-compose logs
+      uses: actions/checkout@v4
 
-    - name: "create acme-sh folder"
-      run: |
-        mkdir acme-sh
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+        IPV6: true
 
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+    - name: "create lego and certbot folder"
       run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
+        mkdir lego
+        mkdir certbot
+
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+        DATA_PATH: data
+
+    - name: "Execute install scipt"
+      run: |
+        docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
+      env:
+        EXEC_SCRIPT: ${{ matrix.execscript }}
 
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "Prepare acme.sh container"
       run: |
         docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
 
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6"
+    - name: "Enroll acme.sh"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure
+        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
-    - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback"
+    - name: "Enroll acme.sh using ipv6 with ipv4 fallback"
       run: |
         docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme/acme-sh.acme.cer
+        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: ipv6_nginx_django.tar.gz
+        name: rpm_ipv6-rh${{ matrix.rhversion }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
+
diff --git a/.github/workflows/lego-application-test.yml b/.github/workflows/lego-application-test.yml
deleted file mode 100644
index dde018ae..00000000
--- a/.github/workflows/lego-application-test.yml
+++ /dev/null
@@ -1,417 +0,0 @@
-name: Application Tests - lego
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-
-  lego_apache2_wsgi:
-    name: "lego_apache2_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [rsa2048, rsa4096, ec256]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ ENROLL ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: lego_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  lego_apache2_django:
-    name: "lego_apache2_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [rsa2048, rsa4096, ec256]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ ENROLL ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: lego_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  lego_nginx_wsgi:
-    name: "lego_nginx_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [rsa2048, rsa4096, ec256]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ ENROLL ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: lego_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  lego_nginx_django:
-    name: "lego_nginx_django"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        keylength: [rsa2048, rsa4096, ec256]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (nginx_django)"
-      working-directory: examples/Docker/
-      run: |
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ WAIT ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings.py examples/Docker/data/settings.py
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "create lego folder"
-      run: |
-        mkdir lego
-
-    - name: "[ ENROLL ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run
-        sudo chmod 777 lego/certificates/lego.acme.issuer.crt
-        sudo cp lego/certificates/lego.acme.issuer.crt lego.acme.issuer.crt
-        sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < lego.acme.issuer.crt
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 single domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ ENROLL ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ RENEW ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
-    - name: "[ REVOKE ] HTTP-01 2x domain lego"
-      run: |
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: lego_key-${{ matrix.keylength }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml
deleted file mode 100644
index 12439684..00000000
--- a/.github/workflows/manual-install-test.yml
+++ /dev/null
@@ -1,576 +0,0 @@
-name: Manual Installation tests
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  apache2_wsgi:
-    name: "apache2_wsgi"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: Branch name
-      run: echo running on branch ${GITHUB_REF##*/}
-
-    - name: "Run install script"
-      run: |
-        sudo mkdir -p data
-        chmod a+rx examples/install_scripts/a2c-ubuntu22-apache2.sh
-        examples/install_scripts/a2c-ubuntu22-apache2.sh ${GITHUB_REF##*/}
-
-    - name: "Local modification to get a2c running"
-      run: |
-        sudo apt-get install -y socat
-        sudo chmod 777 /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "profile_id: 101" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf
-        sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf
-        sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo service apache2 restart
-        cat /var/www/acme2certifier/acme_srv/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: curl -f http://127.0.0.1:8080/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: apache.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  nginx_wsgi:
-    name: "nginx_wsgi"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: Branch name
-      run: echo running on branch ${GITHUB_REF##*/}
-
-    - name: "Run install script"
-      run: |
-        sudo mkdir -p data
-        sh examples/install_scripts/a2c-ubuntu22-nginx.sh
-
-    - name: "Local modification to get a2c running"
-      run: |
-        sudo apt-get install -y socat
-        sudo chmod 777 /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "profile_id: 101" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf
-        sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf
-        sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo service nginx restart
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: curl -f http://127.0.0.1:8080/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: nginx.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  alma_nginx_wsgi:
-    name: "alma_nginx_wsgi"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: Branch name
-      run: echo running on branch ${GITHUB_REF##*/}
-
-    - name: "[ PREPARE ] environment"
-      run: |
-        docker network create acme
-        echo "exit 0" >> examples/install_scripts/a2c-centos9-nginx.sh
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme-srv.log acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: alma_nginx_wsgi.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  alma_nginx_wsgi_rpm:
-    name: "alma_nginx_wsgi_rpm"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Branch name
-      run: echo running on branch ${GITHUB_REF##*/}
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file
-      run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
-      with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] Setup environment"
-      run: |
-        docker network create acme
-        mkdir -p data/acme_ca/certs/
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >>  data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >>  data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-        cat data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir acme-sh
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: alma_nginx_wsgi_rpm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  deb_apache2:
-    name: "deb_apache2"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: "[ PREPARE ] environment to build deb package"
-      run: |
-        sudo apt-get update && sudo apt-get -y upgrade
-        sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper
-        rm setup.py
-        cp -R examples/install_scripts/debian ./
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog
-        cd ../
-        tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./
-
-
-    - name: "[ BUILD ] build debian package"
-      run: |
-        dpkg-buildpackage -uc -us
-        dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb
-
-    - name: "[ Install ] install apache2 and acme2certifier packages"
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y apache2  apache2-data  libapache2-mod-wsgi-py3
-        sudo apt-get install -y ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb
-
-    - name: "[ PREPARE ] configure a2c"
-      run: |
-        sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf
-        sudo a2ensite acme2certifier
-        sudo rm /etc/apache2/sites-enabled/000-default.conf
-        sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo chmod 777 /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "profile_id: 101" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo chown -R www-data.www-data /var/www/acme2certifier
-        sudo systemctl start apache2
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ TEST ] Test http://acme-srv/directory is accessable"
-      run: curl -f http://127.0.0.1/directory
-
-    - name: "[ PREPARE ] Modfiy configuration to allow certifiate enrollment"
-      run: |
-        # sudo apt-get install -y socat
-        sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf
-        sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf
-        sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo systemctl restart apache2
-
-    - name: "[ TEST ] Test http://acme-srv/directory is accessable"
-      run: curl -f http://127.0.0.1:8080/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: deb_apache.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  deb_nginx:
-    name: "deb_nginx"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get runner ip"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: "[ PREPARE ] environment to build deb package"
-      run: |
-        sudo apt-get update && sudo apt-get -y upgrade
-        sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper
-        rm setup.py
-        cp -R examples/install_scripts/debian ./
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog
-        cd ../
-        tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./
-
-    - name: "[ BUILD ] build debian package"
-      run: |
-        dpkg-buildpackage -uc -us
-        dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb
-
-    - name: "[ Install ] install nginx and acme2certifier packages"
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3
-        sudo apt-get install -y ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb
-
-    - name: "[PREPARE] Local modification to get a2c running"
-      run: |
-        sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf
-        sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
-        sudo rm /etc/nginx/sites-enabled/default
-        sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
-        sudo chown -R www-data.www-data /var/www/acme2certifier/
-        sudo systemctl start nginx
-
-    - name: "[PREPARE] Modify uwsgi configuration file"
-      run: |
-        sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini
-        sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini
-        echo "plugins=python3" >> examples/nginx/acme2certifier.ini
-        sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier
-
-    - name: "[PREPARE] create a2c service"
-      run: |
-        cat <<EOT > acme2certifier.service
-        [Unit]
-        Description=uWSGI instance to serve acme2certifier
-        After=network.target
-
-        [Service]
-        User=www-data
-        Group=www-data
-        WorkingDirectory=/var/www/acme2certifier
-        Environment="PATH=/var/www/acme2certifier"
-        ExecStart=uwsgi --ini acme2certifier.ini
-
-        [Install]
-        WantedBy=multi-user.target
-        EOT
-
-        sudo cp acme2certifier.service /etc/systemd/system/acme2certifier.service
-        sudo systemctl start acme2certifier
-        sudo systemctl enable acme2certifier
-
-    - name: "[ TEST ] Test http://acme-srv/directory is accessable"
-      run: curl -f http://127.0.0.1/directory
-
-    - name: "[ PREPARE ] configure a2c"
-      run: |
-        sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf
-        sudo a2ensite acme2certifier
-        sudo rm /etc/apache2/sites-enabled/000-default.conf
-        sudo chmod 777 /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >>  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo echo "profile_id: 101" >> /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo chown -R www-data.www-data /var/www/acme2certifier
-        sudo systemctl start nginx
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-
-    - name: "[ PREPARE ] Modfiy configuration to allow certifiate enrollment"
-      run: |
-        sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf
-        sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf
-        sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g"  /var/www/acme2certifier/acme_srv/acme_srv.cfg
-        sudo systemctl restart nginx
-
-    - name: "[ TEST ] Test http://acme-srv/directory is accessable"
-      run: curl -f http://127.0.0.1:8080/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ REGISTER] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp /var/log/nginx ${{ github.workspace }}/artifact/data/
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: deb_nginx.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
diff --git a/.github/workflows/markdown-check.yml b/.github/workflows/markdown-check.yml
deleted file mode 100644
index 3cb45b18..00000000
--- a/.github/workflows/markdown-check.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-# workflow to run the acme2certifier unittest suite
-
-name: Markdown check
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  markdown-check:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@master
-    - uses: gaurav-nelson/github-action-markdown-link-check@v1
-    - name: Lint changelog file root
-      uses: avto-dev/markdown-lint@v1
-      with:
-        args: '*.md'
-    - name: Lint changelog file docs
-      uses: avto-dev/markdown-lint@v1
-      with:
-        args: './docs/*.md'
-    - name: Lint changelog file docker
-      uses: avto-dev/markdown-lint@v1
-      with:
-        args: './examples/Docker/*.md'
diff --git a/.github/workflows/proxy-test.yml b/.github/workflows/proxy-test.yml
deleted file mode 100644
index 23833cbe..00000000
--- a/.github/workflows/proxy-test.yml
+++ /dev/null
@@ -1,478 +0,0 @@
-name: Proxy tests
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  proxy_tests:
-    name: "proxy_tests"
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] create network"
-      run: |
-        docker network create acme
-
-    - name: "[ PREPARE ] proxy container"
-      run: |
-        docker pull mosajjal/pproxy:latest
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup certifier ca_handler for socks proxy usage"
-      run: |
-        sudo cp examples/ca_handler/certifier_ca_handler.py examples/Docker/data/ca_handler.py
-        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: ${{ secrets.NCM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: ${{ secrets.NCM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: ${{ secrets.NCM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: ${{ secrets.NCM_CA_BUNDLE }}" >> examples/Docker/data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] via certifier ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] via certifier ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep socks5 | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] setup certifier ca_handler for http proxy usage"
-      run: |
-        sudo cp examples/ca_handler/certifier_ca_handler.py examples/Docker/data/ca_handler.py
-        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: ${{ secrets.NCM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: ${{ secrets.NCM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: ${{ secrets.NCM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: ${{ secrets.NCM_CA_BUNDLE }}" >> examples/Docker/data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-
-    - name: "[ ENROLL ] via certifier ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REVOKE ] via certifier ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep http | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] setup nclm ca_handler for socks proxy usage"
-      run: |
-        sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py
-        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-
-    - name: "[ ENROLL ] via nclm ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-        # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep socks5 | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] setup nclm ca_handler for http proxy usage"
-      run: |
-        sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py
-        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-
-    - name: "[ ENROLL ] via nclm ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-        # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep http | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ stop ] proxy container"
-      run: |
-        docker stop proxy
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: proxy.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-
-  proxy_tests_rpm:
-    name: "proxy_tests_rpm"
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file
-      run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
-      with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        # sudo cp examples/install_scripts/rpm/*.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*ntlm*.rpm  data
-      env:
-        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-    - name: "[ PREPARE ] proxy container"
-      run: |
-        docker pull mosajjal/pproxy:latest
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: Retrieve proxy-ip
-      run: |
-        echo PROXY_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' proxy) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.PROXY_IP }}"
-
-    - name: "[ PREPARE ] prepare acme_srv.cfg with certifier_ca_handler and socks proxy usage"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
-
-    - name: "Test if http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] acme.sh - http challenge validation"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep socks5 | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ ENROLL ] acme.sh - alpn challenge validation"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep socks5 | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ REVOKE ] via certifier ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep socks5 | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] prepare acme_srv.cfg with certifier_ca_handler and http proxy usage"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE  ] reconfigure a2c "
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
-
-    - name: "Test if http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ ENROLL ] acme.sh - http challenge validation"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep http | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ ENROLL ] acme.sh - alpn challenge validation"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep http | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ REVOKE ] via certifier ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep http | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] setup using nclm_ca_handler"
-      run: |
-
-    - name: "[ PREPARE ] prepare acme_srv.cfg with nclm_ca_handler and socks proxy usage"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg
-        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 30/g" data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg
-      env:
-        NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
-        NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
-        NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
-        NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
-        NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
-        NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
-
-    - name: "[ PREPARE  ] reconfigure a2c "
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
-
-    - name: "[ ENROLL ] via nclm_ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force &
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep socks5 | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ PREPARE ] prepare acme_srv.cfg with nclm_ca_handler and http proxy usage"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg
-        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 30/g" data/acme_srv.cfg
-        sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg
-      env:
-        NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
-        NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
-        NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
-        NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
-        NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
-        NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
-
-    - name: "[ PREPARE  ] reconfigure a2c "
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
-
-    - name: "[ ENROLL ] via nclm_ca_handler"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force &
-
-    - name: "[ CHECK ] proxy logs"
-      run: |
-        docker logs proxy | grep http | grep -- "->"
-        docker stop proxy
-        docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
-
-    - name: "[ stop ] proxy container"
-      run: |
-        docker stop proxy
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        docker logs proxy > ${{ github.workspace }}/artifact/proxy.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data proxy.log acme-srv.log acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: proxy-rpm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
diff --git a/.github/workflows/push_images_to_dockerhub.yml b/.github/workflows/push_images_to_dockerhub.yml
deleted file mode 100644
index 7b3b9caa..00000000
--- a/.github/workflows/push_images_to_dockerhub.yml
+++ /dev/null
@@ -1,319 +0,0 @@
-name: Push images to dockerhub and ghcr.io
-on:
-  push:
-    branches:
-      - "master"
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 4 * * 6'
-jobs:
-
-  #update_docker_hub_description:
-  #  runs-on: ubuntu-latest
-  #  steps:
-  #  - uses: actions/checkout@v3
-  #  - name: Docker Hub Description
-  #    uses: peter-evans/dockerhub-description@v2
-  #    env:
-  #      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USER }}
-  #      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
-  #      DOCKERHUB_REPOSITORY: grindsa/acme2certifier
-
-
-  build_and_upload_images_to_hub:
-    name: Push images to dockerhub and github
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Get current version"
-        uses: oprypin/find-latest-tag@v1
-        with:
-          repository: ${{ github.repository }}  # The repository to scan.
-          releases-only: true  # We know that all relevant tags have a GitHub release for them.
-        id: acme2certifier_ver  # The step ID to refer to later.
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: "Retrieve Version from version.py"
-        run: |
-          echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV
-          echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-
-      - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}"
-      - run: echo "APP tag is ${{ env.APP_NAME }}"
-      - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-      - name: "Create images"
-        run: |
-          cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:apache2-wsgi -t grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-wsgi -t ghcr.io/grindsa/acme2certifier:apache2-wsgi -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-wsgi -f - . --no-cache
-          cat examples/Docker/apache2/django/Dockerfile | docker build -t grindsa/acme2certifier:apache2-django -t grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-django -t ghcr.io/grindsa/acme2certifier:apache2-django -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-django -f - .  --no-cache
-          cat examples/Docker/nginx/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:nginx-wsgi -t grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-wsgi -t ghcr.io/grindsa/acme2certifier:nginx-wsgi -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-wsgi -f - . --no-cache
-          cat examples/Docker/nginx/django/Dockerfile | docker build -t grindsa/acme2certifier:nginx-django -t grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-django -t ghcr.io/grindsa/acme2certifier:nginx-django -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-django -f - .  --no-cache
-
-      - name: "upload images to hub.docker.com"
-        run: |
-          docker login -u ${{ secrets.DOCKERHUB_USER }} -p ${{ secrets.DOCKERHUB_TOKEN }}
-          docker push -a grindsa/acme2certifier
-
-      - name: "upload images to ghcr.io"
-        run: |
-          docker login ghcr.io -u ${{ secrets.GHCR_USER }} -p ${{ secrets.GHCR_TOKEN }}
-          docker push -a ghcr.io/grindsa/acme2certifier
-
-      - name: "Install syft"
-        run: |
-          sudo curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
-
-      - name: "Retrieve SBOM repo"
-        run: |
-          git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        env:
-          GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-          GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-      - name: "Generate SBOMs for a2c images "
-        run: |
-          mkdir -p /tmp/sbom/sbom/acme2certifier
-          syft grindsa/acme2certifier:apache2-wsgi > /tmp/sbom/sbom/acme2certifier/acme2certifier-apache2-wsgi_sbom.txt
-          syft grindsa/acme2certifier:apache2-wsgi -o json > /tmp/sbom/sbom/acme2certifier/acme2certifier_apache2-wsgi_sbom.json
-          syft grindsa/acme2certifier:apache2-django > /tmp/sbom/sbom/acme2certifier/acme2certifier-apache2-django_sbom.txt
-          syft grindsa/acme2certifier:apache2-django -o json > /tmp/sbom/sbom/acme2certifier/acme2certifier_apache2-django_sbom.json
-          syft grindsa/acme2certifier:nginx-wsgi > /tmp/sbom/sbom/acme2certifier/acme2certifier-nginx-wsgi_sbom.txt
-          syft grindsa/acme2certifier:nginx-wsgi -o json > /tmp/sbom/sbom/acme2certifier/acme2certifier_nginx-wsgi_sbom.json
-          syft grindsa/acme2certifier:nginx-django > /tmp/sbom/sbom/acme2certifier/acme2certifier-nginx-django_sbom.txt
-          syft grindsa/acme2certifier:nginx-django -o json > /tmp/sbom/sbom/acme2certifier/acme2certifier_nginx-django_sbom.json
-
-      - name: "Upload Changes"
-        run: |
-          cd /tmp/sbom
-          git config --global user.email "grindelsack@gmail.com"
-          git config --global user.name "SBOM Generator"
-          git add sbom/acme2certifier/
-          git commit -a -m "SBOM update"
-          git push
-
-      - name: "delete images from local repository"
-        run: |
-          docker rmi $(docker images grindsa/acme2certifier -q) --no-prune --force
-
-  apache2_wsgi:
-    name: Test acme2certifier:apache2-wsgi image
-    needs: [build_and_upload_images_to_hub]
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: "[ PREPARE ] setup openssl ca_handler"
-        run: |
-          docker network create acme
-          sudo mkdir -p examples/Docker/data
-          sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
-          sudo mkdir -p examples/Docker/data/acme_ca/certs
-          sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
-          sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-
-      - name: "[ PREPARE ] apache2 django container"
-        run: |
-          docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi
-
-      - name: "[ PREPARE ] prepare acme.sh container"
-        run: |
-          docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-      - name: "[ ENROLL ] via openssl ca_handler"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-          openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-      - name: "[ DEACTIVATE ] acme.sh"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-      - name: "[ * ] collecting test data"
-        if: ${{ failure() }}
-        run: |
-          mkdir -p ${{ github.workspace }}/artifact/upload
-          sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-          sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-          cd examples/Docker
-          docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log
-          sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh
-
-      - name: "[ * ] uploading artifacts"
-        uses: actions/upload-artifact@v3
-        if: ${{ failure() }}
-        with:
-          name: apache_wsgi.tar.gz
-          path: ${{ github.workspace }}/artifact/upload/
-
-  test_apache2_django:
-    name: Test acme2certifier:apache2-django image
-    needs: [build_and_upload_images_to_hub]
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: "[ PREPARE ] setup openssl ca_handler and django config"
-        run: |
-          docker network create acme
-          sudo mkdir -p examples/Docker/data
-          sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
-          sudo mkdir -p examples/Docker/data/acme_ca/certs
-          sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
-          sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-          sudo cp .github/django_settings.py examples/Docker/data/settings.py
-
-      - name: "[ PREPARE ] apache2 wsgi container"
-        run: |
-          docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-django
-
-      - name: "[ PREPARE ] Sleep for 10s"
-        uses: juliangruber/sleep-action@v1
-        with:
-          time: 5s
-
-      - name: "[ PREPARE ] django update"
-        run: |
-          docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py
-          sudo chmod a+w examples/Docker/data/db.sqlite3
-
-      - name: "[ PREPARE ] prepare acme.sh container"
-        run: |
-          docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-      - name: "[ ENROLL ] via openssl ca_handler"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-          openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-      - name: "[ DEACTIVATE ] acme.sh"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-      - name: "[ * ] collecting test data"
-        if: ${{ failure() }}
-        run: |
-          mkdir -p ${{ github.workspace }}/artifact/upload
-          sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-          sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-          cd examples/Docker
-          docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log
-          sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh
-
-      - name: "[ * ] uploading artifacts"
-        uses: actions/upload-artifact@v3
-        if: ${{ failure() }}
-        with:
-          name: apache_django.tar.gz
-          path: ${{ github.workspace }}/artifact/upload/
-
-  nginx_wsgi:
-    name: Test acme2certifier:nginx-wsgi image
-    needs: [build_and_upload_images_to_hub]
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: "[ PREPARE ] setup openssl ca_handler"
-        run: |
-          docker network create acme
-          sudo mkdir -p examples/Docker/data
-          sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
-          sudo mkdir -p examples/Docker/data/acme_ca/certs
-          sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
-          sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-
-      - name: "[ PREPARE ] nginx wsgi container"
-        run: |
-          docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-wsgi
-
-      - name: "[ PREPARE ] prepare acme.sh container"
-        run: |
-          docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-      - name: "[ ENROLL ] via openssl ca_handler"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-          openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-      - name: "[ DEACTIVATE ] acme.sh"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-      - name: "[ * ] collecting test data"
-        if: ${{ failure() }}
-        run: |
-          mkdir -p ${{ github.workspace }}/artifact/upload
-          sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-          sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-          cd examples/Docker
-          docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log
-          sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh
-
-      - name: "[ * ] uploading artifacts"
-        uses: actions/upload-artifact@v3
-        if: ${{ failure() }}
-        with:
-          name: nginx_wsgi.tar.gz
-          path: ${{ github.workspace }}/artifact/upload/
-
-  test_nginx_django:
-    name: Test acme2certifier:nginx-django image
-    needs: [build_and_upload_images_to_hub]
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: "[ PREPARE ] setup openssl ca_handler and django config"
-        run: |
-          docker network create acme
-          sudo mkdir -p examples/Docker/data
-          sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
-          sudo mkdir -p examples/Docker/data/acme_ca/certs
-          sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
-          sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
-          sudo cp .github/django_settings.py examples/Docker/data/settings.py
-
-      - name: "[ PREPARE ] nginx django container"
-        run: |
-          docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-django
-          # docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py
-          # sudo chmod a+w examples/Docker/data/db.sqlite3
-
-      - name: "[ PREPARE ] prepare acme.sh container"
-        run: |
-          docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-      - name: "[ ENROLL ] via openssl ca_handler"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-          openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-      - name: "[ DEACTIVATE ] acme.sh"
-        run: |
-          docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
-
-      - name: "[ * ] collecting test data"
-        if: ${{ failure() }}
-        run: |
-          mkdir -p ${{ github.workspace }}/artifact/upload
-          sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-          sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-          cd examples/Docker
-          docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log
-          sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh
-
-      - name: "[ * ] uploading artifacts"
-        uses: actions/upload-artifact@v3
-        if: ${{ failure() }}
-        with:
-          name: nginx_django.tar.gz
-          path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/push_rpm.yml b/.github/workflows/push_rpm.yml
index f3934de4..9e04959e 100644
--- a/.github/workflows/push_rpm.yml
+++ b/.github/workflows/push_rpm.yml
@@ -22,6 +22,20 @@ jobs:
       - run: echo "APP tag is ${{ env.APP_NAME }}"
       - run: echo "Latest tag is ${{ env.TAG_NAME }}"
 
+      - name: Retrieve dbversion numbers from version.py and fixture.xml
+        run: |
+          echo DB_VERSION=$(cat acme_srv/version.py | grep -i __dbversion__ | head -n 1 | sed 's/__dbversion__ = //g' | sed s/\'//g) >> $GITHUB_ENV
+          echo FIXTURE_VERSION=$(awk '/name: dbversion/{getline; print $2}' examples/django/acme_srv/fixture/status.yaml | tr -d "'") >> $GITHUB_ENV
+
+      - run: echo "db verion is ${{ env.DB_VERSION }}"
+      - run: echo "fixture verion is ${{ env.FIXTURE_VERSION }}"
+
+      - name: Check fixture version
+        if: env.DB_VERSION != env.FIXTURE_VERSION
+        run: |
+          echo "Fixture version is not equal to db version"
+          exit 1
+
       - name: "[ PREPARE ] update version number in spec file"
         run: |
           sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml
deleted file mode 100644
index 8cd772bc..00000000
--- a/.github/workflows/python-test.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-# workflow to run the acme2certifier unittest suite
-
-name: Python Tests
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-jobs:
-  unittest:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python_version: ['3.x', '3.12', '3.11', '3.10', '3.9', '3.8']
-    name: Python Unittest (${{ matrix.python_version }})
-    steps:
-    - uses: actions/checkout@v3
-    - name: Set up Python ${{ matrix.python_version }}
-      uses: actions/setup-python@v4
-      with:
-        python-version: ${{ matrix.python_version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install pytest
-        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-    - name: cp
-      run: |
-         cp examples/ca_handler/skeleton_ca_handler.py acme_srv/ca_handler.py
-         cp examples/acme_srv.cfg acme_srv/
-    - name: Python test
-      run: |
-        pytest
-  pylint:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python_version: [3.x, 3.8]
-    name: Pylint test (${{ matrix.python_version }})
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up Python ${{ matrix.python_version }}
-        uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python_version }}
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install pylint pylint-exit
-          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-      - name: cp
-        run: |
-          cp examples/ca_handler/skeleton_ca_handler.py acme_srv/ca_handler.py
-          cp examples/db_handler/wsgi_handler.py acme_srv/db_handler.py
-          cp examples/acme_srv.cfg acme_srv/
-      - name: "Pylint folder: acme"
-        run: |
-          pylint --rcfile=".github/pylintrc" acme_srv/ || pylint-exit $?
-      - name: "Pylint folder: tools"
-        run: |
-          pylint --rcfile=".github/pylintrc" tools/*.py || pylint-exit $?
-      - name: "Pylint folder: examples/db_handler"
-        run: |
-          pylint --rcfile=".github/pylintrc" examples/db_handler/*.py || pylint-exit $?
-      - name: "Pylint folder: examples/ca_handler"
-        run: |
-          pylint --rcfile=".github/pylintrc" examples/ca_handler/*.py || pylint-exit $?
-
-      - name: "Linting with pycodestyle"
-        run: |
-          pip install pycodestyle
-          cp .github/pycodestyle ~/.config/pycodestyle
-          pycodestyle --show-source examples/.
-          pycodestyle --show-source acme_srv/.
-          pycodestyle --show-source tools/.
diff --git a/.github/workflows/tnauth-test.yml b/.github/workflows/tnauth-test.yml
deleted file mode 100644
index 7443791a..00000000
--- a/.github/workflows/tnauth-test.yml
+++ /dev/null
@@ -1,184 +0,0 @@
-name: Tnauth Tests
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-  tnauth_tests:
-    name: "tnauth_tests"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: True/g" examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ ACME.SH ] install acme.sh"
-      run: |
-        mkdir /tmp/acme_sh
-        curl -kL https://github.com/grindsa/acme.sh/archive/tnauth_list_support.tar.gz | tar xz -C /tmp/acme_sh --strip-components=1
-
-    - name: "[ ACME.SH ] enroll certificate using tnauth identifier"
-      run: |
-        cd /tmp/acme_sh
-        /tmp/acme_sh/acme.sh --server http://127.0.0.1:22280 --accountemail grindsa@tnauth.acme --issue -d cert.acme.local --tnauth 123456 --spctoken 1234 --standalone --force --debug 2
-        ls -la
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: tnauth.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-
-  tnauth_rpm_tests:
-    name: "tnauth_rpm_tests"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file
-      run: |
-        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        cat examples/install_scripts/rpm/acme2certifier.spec
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
-      with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data
-        sudo chmod -R 777 data
-        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: True/g" data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ ACME.SH ] install acme.sh"
-      run: |
-        mkdir /tmp/acme_sh
-        curl -kL https://github.com/grindsa/acme.sh/archive/tnauth_list_support.tar.gz | tar xz -C /tmp/acme_sh --strip-components=1
-
-    - name: "[ ACME.SH ] enroll certificate using tnauth identifier"
-      run: |
-        cd /tmp/acme_sh
-        /tmp/acme_sh/acme.sh --server http://127.0.0.1:22280 --accountemail grindsa@tnauth.acme --issue -d cert.acme.local --tnauth 123456 --spctoken 1234 --standalone --force --debug 2
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp /tmp/acme_sh/ ${{ github.workspace }}/artifact/acme_sh/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme_sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: tnauth-rpm.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/traffic-application-test.yml b/.github/workflows/traffic-application-test.yml
deleted file mode 100644
index c826b92f..00000000
--- a/.github/workflows/traffic-application-test.yml
+++ /dev/null
@@ -1,102 +0,0 @@
-name: Application Tests - traefik
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-
-  traefik_apache2_wsgi:
-    name: "traefik_apache2_wsgi"
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        challenge_type: [tlschallenge=true, httpchallenge.entrypoint=web]
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "get runner information"
-      run: |
-        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
-        echo RUNNER_HOSTNAME=$(hostname -f) >> $GITHUB_ENV
-
-    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-    - run: echo "runner hostname is ${{ env.RUNNER_HOSTNAME }}"
-
-    - name: "Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        cd examples/Docker/
-        docker-compose restart
-        docker-compose logs
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "setup and instanciate traefik"
-      run: |
-        mkdir traefik
-        sudo cp .github/traefik-matrix.yml traefik/docker-compose.yml
-        sudo sed -i "s/whoami.acme/${{ env.RUNNER_HOSTNAME }}/g" traefik/docker-compose.yml
-        sudo sed -i "s/CHALLENGE_TYPE/${{ matrix.challenge_type }}/g" traefik/docker-compose.yml
-        cd traefik
-        docker-compose up -d
-
-    - name: "Sleep for 30s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 30s
-
-    - name: "check for certificate"
-      working-directory: traefik
-      run: |
-        sudo cat letsencrypt/acme.json | jq -r '.a2c | .Certificates | . [] | .certificate ' | base64 -d |  awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}'
-        openssl verify -CAfile cert-3.pem -untrusted cert-2.pem cert-1.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker logs traefik > traefik/traefik.log
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp traefik/ ${{ github.workspace }}/artifact/traefik/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data traefik
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: traffic-${{ matrix.challenge_type }}.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
diff --git a/.github/workflows/upgrade_tests..yml b/.github/workflows/upgrade_tests..yml
deleted file mode 100644
index 8975ace0..00000000
--- a/.github/workflows/upgrade_tests..yml
+++ /dev/null
@@ -1,1399 +0,0 @@
-name: Upgrade Tests
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-
-  wsgi_upgrade_apache2:
-    name: "wsgi_upgrade_apache2"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] prepare environment"
-      working-directory: examples/Docker/
-      run: |
-        docker network create acme
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir -p examples/Docker/data
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] install a2c 0.19.3"
-      run: |
-        docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-apache2-wsgi
-        docker logs acme-srv
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh"
-        docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ PREPARE ] Upgrade to latest a2c build"
-      working-directory: examples/Docker/
-      run: |
-        docker stop acme-srv
-        sudo chmod -R 777 data
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --force-renew --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        docker logs acme2certifier_acme-srv_1
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: apache2-wsgi-upgrade.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  wsgi_upgrade_nginx:
-    name: "wsgi_upgrade_nginx"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] prepare environment"
-      working-directory: examples/Docker/
-      run: |
-        docker network create acme
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir -p examples/Docker/data
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] install a2c 0.19.3"
-      run: |
-        docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-nginx-wsgi
-        docker logs acme-srv
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh"
-        docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ PREPARE ] Upgrade to latest a2c build"
-      working-directory: examples/Docker/
-      run: |
-        docker stop acme-srv
-        sudo chmod -R 777 data
-        sed -i "s/apache2/nginx/g" .env
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --force-renew --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        docker logs acme2certifier_acme-srv_1
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: nginx-wsgi-upgrade.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-
-  django_upgrade_apache2:
-    name: "django_upgrade_apache2"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] prepare environment"
-      working-directory: examples/Docker/
-      run: |
-        docker network create acme
-        sudo mkdir -p data/mysql
-
-    - name: "[ PREPARE ] install mariadb"
-      working-directory: examples/Docker/
-      run: |
-        # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-        docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure mariadb"
-      working-directory: examples/Docker/
-      run: |
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;"
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir -p examples/Docker/data
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py
-        sudo chmod 777 examples/Docker/data/settings.py
-        sudo sed -i "s/    'acme_srv'/    'acme'/g" examples/Docker/data/settings.py
-        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] install a2c 0.19.3"
-      run: |
-        docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-apache2-django
-        docker logs acme-srv
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh"
-        docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ PREPARE ] Upgrade to latest a2c build"
-      working-directory: examples/Docker/
-      run: |
-        docker stop acme-srv
-        sudo chmod -R 777 data
-        sed -i "s/wsgi/django/g" .env
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --force-renew --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        docker logs acme2certifier_acme-srv_1
-        docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: apache2-django-upgrade.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  django_upgrade_nginx:
-    name: "django_upgrade_nginx"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] prepare environment"
-      working-directory: examples/Docker/
-      run: |
-        docker network create acme
-        sudo mkdir -p data/mysql
-
-    - name: "[ PREPARE ] install mariadb"
-      working-directory: examples/Docker/
-      run: |
-        # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-        docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure mariadb"
-      working-directory: examples/Docker/
-      run: |
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;"
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir -p examples/Docker/data
-        sudo touch examples/Docker/data/acme_srv.cfg
-        sudo chmod 777 examples/Docker/data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
-        sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py
-        sudo chmod 777 examples/Docker/data/settings.py
-        sudo sed -i "s/    'acme_srv'/    'acme'/g" examples/Docker/data/settings.py
-        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] install a2c 0.19.3"
-      run: |
-        docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-nginx-django
-        docker logs acme-srv
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh"
-        docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ PREPARE ] Upgrade to latest a2c build"
-      working-directory: examples/Docker/
-      run: |
-        docker stop acme-srv
-        sudo chmod -R 777 data
-        sed -i "s/wsgi/django/g" .env
-        sed -i "s/apache2/nginx/g" .env
-        docker-compose up -d
-        docker-compose logs
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "Test if http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL ] register via https"
-      run: |
-        docker exec -i acme-sh acme.sh --server https://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2"
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --force-renew --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 examples/Docker/data/certbot/archive/certbot/chain1.pem
-        sudo cp examples/Docker/data/certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem examples/Docker/data/certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        docker logs acme2certifier_acme-srv_1
-        docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: nginx-django-upgrade.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  rpm_wsgi_upgrade_nginx:
-    name: "rpm_wsgi_upgrade_nginx"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file and path in nginx ssl config
-      run: |
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-        git config --global user.email "grindelsack@gmail.com"
-        git config --global user.name "rpm update"
-        git add examples/nginx
-        git commit -a -m "rpm update"
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
-      with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data/volume
-        sudo mkdir -p data/acme2certifier
-        sudo mkdir -p data/nginx/conf.d
-        sudo chmod -R 777 data
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-        wget -P data/ https://github.com/grindsa/acme2certifier/releases/download/0.23.2/acme2certifier-0.23.2-1.0.noarch.rpm
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
-        sudo cp examples/nginx/nginx_acme_srv_ssl.conf data/nginx/conf.d
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g"  data/nginx/conf.d/nginx_acme_srv_ssl.conf
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*.rpm  data
-      env:
-        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        sudo mkdir acme-sh
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/acme_srv.cfg
-        sudo sed -i "s/examples\/ca_handler/\/opt\/acme2certifier\/examples\/ca_handler/g" data/acme_srv.cfg
-        sudo sed -i "s/volume\/acme_ca/\/opt\/acme2certifier\/volume\/acme_ca/g" data/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
-        sudo docker cp data/nginx acme-srv:/etc
-        sudo docker cp data/volume/ acme-srv:/opt/acme2certifier/
-        docker exec acme-srv chmod -R 777 /opt/acme2certifier/volume
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo chmod 777 certbot/archive/certbot/chain1.pem
-        sudo cp certbot/archive/certbot/chain1.pem chain1.pem
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < chain1.pem
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "Update acme2certifier"
-      run: |
-        docker cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm acme-srv:/tmp
-        # docker exec acme-srv rpm -Uvh /tmp/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker exec acme-srv yum -y localinstall /tmp/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker cp data/acme_srv.cfg acme-srv:/opt/acme2certifier/acme_srv
-        docker exec -w /opt/acme2certifier acme-srv python3 tools/db_update.py
-        docker restart acme-srv
-        docker stop acme-sh
-        sudo rm -rf $PWD/certbot/*
-        sudo rm -rf $PWD/acme-sh/*
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: rpm_wsgi_upgrade_nginx.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  rpm_django_upgrade_nginx_mariadb:
-    name: "rpm_django_upgrade_nginx_mariadb"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file and path in nginx ssl config
-      run: |
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-        git config --global user.email "grindelsack@gmail.com"
-        git config --global user.name "rpm update"
-        git add examples/nginx
-        git commit -a -m "rpm update"
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
-      with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        sudo mkdir acme-sh
-        docker network create acme
-        sudo mkdir -p data/volume
-        sudo mkdir -p data/acme2certifier
-        sudo mkdir -p data/nginx/conf.d
-        sudo chmod -R 777 data
-        wget -P data/ https://github.com/grindsa/acme2certifier/releases/download/0.23.2/acme2certifier-0.23.2-1.0.noarch.rpm
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-        sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
-        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
-        sudo cp .github/django_settings_mariadb.py data/acme2certifier/settings.py
-        # sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
-        sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py
-        sudo cp examples/nginx/nginx_acme_srv_ssl.conf data/nginx/conf.d
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g"  data/nginx/conf.d/nginx_acme_srv_ssl.conf
-
-    - name: "[ PREPARE ] install mariadb"
-      working-directory: examples/Docker/
-      run: |
-        # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-        docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure mariadb"
-      working-directory: examples/Docker/
-      run: |
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
-        docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;"
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*.rpm  data
-      env:
-        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/volume/acme_srv.cfg
-        sudo chmod 777 data/volume/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/volume/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/volume/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/volume/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/volume/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/volume/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/volume/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/volume/acme_srv.cfg
-        # sudo sed -i "s/examples\/ca_handler/\/opt\/acme2certifier\/examples\/ca_handler/g" data/volume/acme_srv.cfg
-        # sudo sed -i "s/volume\/acme_ca/\/opt\/acme2certifier\/volume\/acme_ca/g" data/volume/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "Update acme2certifier"
-      run: |
-        docker cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm acme-srv:/tmp
-        # docker exec acme-srv rpm -Uvh /tmp/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker exec acme-srv yum -y localinstall /tmp/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker cp data/volume/acme_srv.cfg acme-srv:/opt/acme2certifier/acme_srv
-        docker exec -w /opt/acme2certifier acme-srv cp examples/django/acme_srv/*.py acme_srv/
-        docker exec -w /opt/acme2certifier acme-srv python3 tools/django_update.py
-        docker restart acme-srv
-        docker stop acme-sh
-        sudo rm -rf $PWD/certbot/*
-        sudo rm -rf $PWD/acme-sh/*
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh certbot
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: rpm_django_upgrade_nginx_mariadb.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  rpm_django_upgrade_nginx_sqlite:
-    name: "rpm_django_upgrade_nginx_sqlite"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file and path in nginx ssl config
-      run: |
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-        git config --global user.email "grindelsack@gmail.com"
-        git config --global user.name "rpm update"
-        git add examples/nginx
-        git commit -a -m "rpm update"
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
-      with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        sudo mkdir acme-sh
-        docker network create acme
-        sudo mkdir -p data/volume
-        sudo mkdir -p data/acme2certifier
-        sudo mkdir -p data/nginx/conf.d
-        sudo chmod -R 777 data
-        wget -P data/ https://github.com/grindsa/acme2certifier/releases/download/0.23.2/acme2certifier-0.23.2-1.0.noarch.rpm
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-        sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
-        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
-        sudo cp .github/django_settings.py data/acme2certifier/settings.py
-        sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
-        sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py
-        sudo cp examples/nginx/nginx_acme_srv_ssl.conf data/nginx/conf.d
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g"  data/nginx/conf.d/nginx_acme_srv_ssl.conf
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*.rpm  data
-      env:
-        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/volume/acme_srv.cfg
-        sudo chmod 777 data/volume/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/volume/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/volume/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/volume/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/volume/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/volume/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/volume/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/volume/acme_srv.cfg
-        # sudo sed -i "s/examples\/ca_handler/\/opt\/acme2certifier\/examples\/ca_handler/g" data/volume/acme_srv.cfg
-        # sudo sed -i "s/volume\/acme_ca/\/opt\/acme2certifier\/volume\/acme_ca/g" data/volume/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "Update acme2certifier"
-      run: |
-        docker cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm acme-srv:/tmp
-        # docker exec acme-srv rpm -Uvh /tmp/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker exec acme-srv yum -y localinstall /tmp/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker cp data/volume/acme_srv.cfg acme-srv:/opt/acme2certifier/acme_srv
-        docker exec -w /opt/acme2certifier acme-srv cp examples/django/acme_srv/*.py acme_srv/
-        docker exec -w /opt/acme2certifier acme-srv python3 tools/django_update.py
-        docker restart acme-srv
-        docker stop acme-sh
-        sudo rm -rf $PWD/certbot/*
-        sudo rm -rf $PWD/acme-sh/*
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh certbot
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: rpm_django_upgrade_nginx_sqlite.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
-
-  rpm_django_upgrade_nginx_psql:
-    name: "rpm_django_upgrade_nginx_psql"
-    runs-on: ubuntu-latest
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: Retrieve Version from version.py
-      run: |
-        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-    - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
-    - name: update version number in spec file and path in nginx ssl config
-      run: |
-        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
-        git config --global user.email "grindelsack@gmail.com"
-        git config --global user.name "rpm update"
-        git add examples/nginx
-        git commit -a -m "rpm update"
-
-    - name: build RPM package
-      id: rpm
-      uses: grindsa/rpmbuild@alma9
-      with:
-        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
-
-    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
-
-    - name: "[ PREPARE ] setup environment for alma installation"
-      run: |
-        docker network create acme
-        sudo mkdir -p data/volume
-        sudo mkdir -p data/acme2certifier
-        sudo mkdir -p data/nginx/conf.d
-        sudo chmod -R 777 data
-        wget -P data/ https://github.com/grindsa/acme2certifier/releases/download/0.23.2/acme2certifier-0.23.2-1.0.noarch.rpm
-        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
-        sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
-        sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
-        sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
-        sudo cp .github/django_settings_psql.py data/acme2certifier/settings.py
-        # sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
-        sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py
-        sudo cp examples/nginx/nginx_acme_srv_ssl.conf data/nginx/conf.d
-        sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g"  data/nginx/conf.d/nginx_acme_srv_ssl.conf
-
-    - name: "[ PREPARE ] postgres environment"
-      run: |
-        sudo mkdir -p /tmp/data/pgsql
-        sudo cp .github/a2c.psql /tmp/data/pgsql/a2c.psql
-        sudo cp .github/pgpass /tmp//data/pgsql/pgpass
-        sudo chmod 600 /tmp/data/pgsql/pgpass
-
-    - name: "[ PREPARE ] install postgres"
-      working-directory: /tmp
-      run: |
-        docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "[ PREPARE ] configure postgres"
-      working-directory: /tmp
-      run: |
-        docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Retrieve rpms from SBOM repo"
-      run: |
-        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
-        cp /tmp/sbom/rpm-repo/RPMs/*.rpm  data
-      env:
-        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
-        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
-
-    - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
-      run: |
-        mkdir -p data/acme_ca
-        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
-        sudo touch data/volume/acme_srv.cfg
-        sudo chmod 777 data/volume/acme_srv.cfg
-        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/volume/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/volume/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/volume/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/volume/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/volume/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/volume/acme_srv.cfg
-        sudo echo "profile_id: 101" >> data/volume/acme_srv.cfg
-        # sudo sed -i "s/examples\/ca_handler/\/opt\/acme2certifier\/examples\/ca_handler/g" data/volume/acme_srv.cfg
-        # sudo sed -i "s/volume\/acme_ca/\/opt\/acme2certifier\/volume\/acme_ca/g" data/volume/acme_srv.cfg
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] Almalinux instance"
-      run: |
-        cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
-        docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
-
-    - name: "[ RUN ] Execute install scipt"
-      run: |
-        docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "Test if https://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
-    - name: "[ CURL ] install curl and socat and test connction"
-      run: |
-        sudo apt-get install -y curl socat
-        curl -f http://localhost:22280
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "Update acme2certifier"
-      run: |
-        docker cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm acme-srv:/tmp/acme2certifier
-        # docker exec acme-srv rpm -Uvh /tmp/acme2certifier/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker exec acme-srv yum -y localinstall /tmp/acme2certifier/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
-        docker cp data/volume/acme_srv.cfg acme-srv:/opt/acme2certifier/acme_srv
-        docker exec -w /opt/acme2certifier acme-srv cp examples/django/acme_srv/*.py acme_srv/
-        docker exec -w /opt/acme2certifier acme-srv python3 tools/django_update.py
-        docker restart acme-srv
-        docker stop acme-sh
-        sudo rm -rf $PWD/certbot/*
-        sudo rm -rf $PWD/acme-sh/*
-
-    - name: "[ PREPARE ] Sleep for 10s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 10s
-
-    - name: "Test http://acme-srv/directory is accessible"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
-    - name: "[ ENROLL ] register via http"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv  --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
-
-    - name: "[ ENROLL] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ REGISTER] certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
-    - name: "[ ENROLL ] HTTP-01 single domain certbot"
-      run: |
-        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir -p ${{ github.workspace }}/artifact/upload
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
-        docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
-        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
-        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
-        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
-        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh certbot
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: rpm_django_upgrade_nginx_psql.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
diff --git a/.github/workflows/winacme-application-test.yml b/.github/workflows/winacme-application-test.yml
deleted file mode 100644
index 28c5862d..00000000
--- a/.github/workflows/winacme-application-test.yml
+++ /dev/null
@@ -1,165 +0,0 @@
-name: Application Tests - win-acme
-
-on:
-  push:
-  pull_request:
-    branches: [ devel ]
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron:  '0 2 * * 6'
-
-jobs:
-
-  win_acme:
-    name: "win_acme"
-    runs-on: windows-latest
-
-    steps:
-    - name: "checkout GIT"
-      uses: actions/checkout@v3
-
-    - name: "[ PREPARE ] get RunnerIP"
-      run: |
-        Get-NetIPAddress -AddressFamily IPv4
-        # $runner_ip=(Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias 'Ethernet').IPAddress
-        $runner_ip=(Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias 'vEthernet (nat)').IPAddress
-        echo RUNNER_IP=$runner_ip >> $env:GITHUB_ENV
-
-    - name: "[ PREPARE ] echo RunnerIP"
-      run:  echo $env:RUNNER_IP
-
-    - name: "[ PREPARE ] Create DNS entries "
-      run: |
-        Invoke-RestMethod -ContentType "application/json" -Method PUT -Uri ${{ secrets.CF_DYNAMOP_URL }} -Headers @{Authorization="Bearer ${{ secrets.CF_TOKEN }}"} -UseBasicParsing -Body '{"type":"A","name":"${{ secrets.CF_WINACME1_NAME }}","content":"${{ env.RUNNER_IP }}","ttl":120,"proxied":false}'
-
-    - name: "[ PREPARE ] Build local acme2certifier environment"
-      run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install django==3.2
-        pip install django-sslserver
-        pip install pyyaml
-        cp examples/db_handler/django_handler.py acme_srv/db_handler.py
-        cp examples/django/* .\ -Recurse -Force
-        (Get-Content .github/django_settings.py) -replace '/var/www/acme2certifier/volume/db.sqlite3', 'volume/db.sqlite3' | Set-Content acme2certifier/settings.py
-        (Get-Content acme2certifier/settings.py) -replace 'django.contrib.staticfiles', 'sslserver' | Set-Content acme2certifier/settings.py
-        cat acme2certifier/settings.py
-        cp examples/ca_handler/certifier_ca_handler.py acme2certifier/ca_handler.py
-        # cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg acme_srv/acme_srv.cfg
-        gc -head 21 .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg > acme_srv/acme_srv.cfg
-        echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> acme_srv/acme_srv.cfg
-        echo "api_host: $env:NCM_API_HOST" >> acme_srv/acme_srv.cfg
-        echo "api_user: $env:NCM_API_USER" >> acme_srv/acme_srv.cfg
-        echo "api_password: $env:NCM_API_PASSWORD" >> acme_srv/acme_srv.cfg
-        echo "ca_name: $env:NCM_CA_NAME" >> acme_srv/acme_srv.cfg
-        echo "ca_bundle: $env:NCM_CA_BUNDLE" >> acme_srv/acme_srv.cfg
-        cp .github/acme2certifier_cert.pem acme2certifier/acme2certifier_cert.pem
-        cp .github/acme2certifier_key.pem acme2certifier/acme2certifier_key.pem
-        mkdir .\volume/acme_ca/certs
-        cp test/ca/*.pem volume/acme_ca/
-        certutil  -addstore -enterprise -f -v root volume\acme_ca\root-ca-cert.pem
-        certutil  -addstore -enterprise -f -v root volume\acme_ca\sub-ca-cert.pem
-      env:
-        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
-        NCM_API_USER: ${{ secrets.NCM_API_USER }}
-        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
-        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "[ PREPARE ] configure server"
-      run: |
-        python manage.py makemigrations
-        python manage.py migrate
-        python manage.py loaddata acme_srv/fixture/status.yaml
-
-    - name: "[ PREPARE ] try to get up the server"
-      run: |
-        Start-Process powershell {python .\manage.py runserver 0.0.0.0:8080 3>&1 2>&1 > volume\redirection.log}
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "[ TEST ] Test if directory ressource is accessable"
-      run: |
-        get-Process python
-        Invoke-RestMethod -Uri http://127.0.0.1:8080/directory -NoProxy -TimeoutSec 5
-        [System.Net.Dns]::GetHostByName('localhost').HostName
-        ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname
-
-    - name: "[ PREPARE ] Download win-acme"
-      run: |
-        Invoke-RestMethod -Uri https://github.com/win-acme/win-acme/releases/download/v2.2.6.1571/win-acme.v2.2.6.1571.x64.trimmed.zip -OutFile win-acme.zip
-        Expand-Archive .\win-acme.zip
-        mkdir win-acme\certs
-        dir win-acme\*
-
-    - name: "[ ENROLL ] Enroll certificate via win-acme"
-      run: |
-        .\win-acme\wacs.exe --baseuri http://127.0.0.1:8080 --emailaddress=grindsa@bar.local --pemfilespath win-acme\certs --source manual --host ${{ secrets.CF_WINACME1_NAME }},${{ secrets.CF_WINACME2_NAME }}  --store pemfiles  --force
-
-    - name: "[ PREPARE ] try to get up the sslserver"
-      run: |
-        Start-Process powershell {python .\manage.py runsslserver 0.0.0.0:443 --certificate acme2certifier/acme2certifier_cert.pem --key acme2certifier/acme2certifier_key.pem 3>&1 2>&1 > volume\redirection_ssl.log}
-
-    - name: "[ PREPARE ] Sleep for 5s"
-      uses: juliangruber/sleep-action@v1
-      with:
-        time: 5s
-
-    - name: "[ TEST ] Test if directory ressource is accessable"
-      run: |
-        get-Process python
-        Invoke-RestMethod -SkipCertificateCheck -Uri https://localhost -NoProxy -TimeoutSec 5
-        [System.Net.Dns]::GetHostByName('localhost').HostName
-        ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname
-
-    - name: "[ PREPARE ] Install and configure Posh-ACME"
-      run: |
-        Install-Module -Name Posh-ACME -Scope CurrentUser -Force
-
-    - name: "Create account via Posh-ACME"
-      run: |
-        set-PAServer -DirectoryUrl https://localhost/directory -SkipCertificateCheck
-        $DebugPreference = 'Continue'
-        New-PAAccount -Contact 'foo@bar.local'
-        $ACC_1 = (Get-PAAccount | Out-String -Stream | Select-String -Pattern "valid")
-        echo ACC1=$ACC_1 >> $env:GITHUB_ENV
-        Export-PAAccountKEy -OutputFile foo.key
-        echo $env:ACC_1
-
-    - name: "Recreate account via Posh-ACME"
-      run: |
-        $DebugPreference = 'Continue'
-        Get-PAAccount | Remove-PAAccount -Force
-        Get-PAAccount
-        New-PAAccount -Contact 'win4@bar.local' -AcceptTOS -OnlyReturnExisting  -KeyFile foo.key
-        Get-PAAccount -Refresh
-        $ACC_2 = (Get-PAAccount | Out-String -Stream | Select-String -Pattern "valid")
-        echo ACC2=$ACC_2 >> $env:GITHUB_ENV
-        echo $env:ACC_2
-
-    - name: "Rollover account key"
-      run: |
-        $DebugPreference = 'Continue'
-        Set-PAAccount -KeyRollover
-
-    - name: "[ ENROLL ] Enroll Certificate via Posh-ACME"
-      # if: $env:ACC_1 == env.ACC_2
-      run: |
-        $DebugPreference = 'Continue'
-        New-PACertificate ${{ secrets.CF_WINACME1_NAME }} -Plugin WebSelfHost -PluginArgs @{}  -Force
-
-    - name: "[ * ] collecting test logs"
-      if: ${{ failure() }}
-      run: |
-        mkdir ${{ github.workspace }}\artifact\upload
-        cp volume ${{ github.workspace }}\artifact\upload/ -Recurse -Force
-        cp acme_srv\acme_srv.cfg ${{ github.workspace }}\artifact\upload
-
-    - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
-      if: ${{ failure() }}
-      with:
-        name: win-acme.tar.gz
-        path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/wsgi_handler-test.yml b/.github/workflows/wsgi_handler-test.yml
index 695f65d1..fff1e755 100644
--- a/.github/workflows/wsgi_handler-test.yml
+++ b/.github/workflows/wsgi_handler-test.yml
@@ -3,7 +3,7 @@ name: WSGI handler tests
 on:
   push:
   pull_request:
-    branches: [ devel, db_file_customization ]
+    branches: [ devel]
   schedule:
     # * is a special character in YAML so you have to quote this string
     - cron:  '0 2 * * 6'
@@ -12,55 +12,52 @@ jobs:
   a2_cust_db_file:
     name: "a2_cust_db_file"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        websrv: ['apache2', 'nginx']
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
-      working-directory: examples/Docker/
-      run: |
-        sudo mkdir -p data
-        docker network create acme
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
-        sudo echo "[DBhandler]" >> data/acme_srv.cfg
-        sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg
-        sudo echo "[Directory]" >> data/acme_srv.cfg
-        sudo echo "url_prefix: /foo" >> data/acme_srv.cfg
-        docker-compose up -d
-        docker-compose logs
-      env:
+    - name: "Build container"
+      uses: ./.github/actions/container_prep
+      with:
+        DB_HANDLER: wsgi
+        WEB_SRV: ${{ matrix.websrv }}
+
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
         NCM_API_USER: ${{ secrets.NCM_API_USER }}
         NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
-        NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
-
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
-      run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+        DATA_PATH: examples/Docker/data
 
-    - name: "[ ENROLL ] acme.sh"
+    - name: "Restart a2c"
       run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        mkdir lego
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+        sudo echo "[DBhandler]" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "dbfile: volume/a2c.db" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "[Directory]" >> examples/Docker/data/acme_srv.cfg
+        sudo echo "url_prefix: /foo" >> examples/Docker/data/acme_srv.cfg
+        cd examples/Docker/
+        docker-compose restart
+
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
+
+    - name: "Check container configuration"
+      uses: ./.github/actions/container_check
+      with:
+        DB_HANDLER: wsgi
+        WEB_SRV: ${{ matrix.websrv }}
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
@@ -72,40 +69,51 @@ jobs:
         sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: a2_custdb.tar.gz
+        name: a2_custdb.${{ matrix.websrv }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
 
-  nginx_cust_db_file:
-    name: "nginx_cust__db_file"
+  rpm_cust_db_file:
+    name: "rpm_cust_db_file"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        rhversion: [8, 9]
     steps:
     - name: "checkout GIT"
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)"
-      working-directory: examples/Docker/
+    - name: "Prepare Alma environment"
+      uses: ./.github/actions/rpm_prep
+      with:
+        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+        RH_VERSION: ${{ matrix.rhversion }}
+
+    - name: "Prepare acme_srv.cfg with certifier_ca_handler"
+      uses: ./.github/actions/wf_specific/certifier_ca_handler/certifier_setup_no_profile
+      with:
+        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+        NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+        NCM_API_USER: ${{ secrets.NCM_API_USER }}
+        NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+        NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+        DATA_PATH: data
+
+    - name: "Prepare acme_srv.cfg with openssl_ca_handler"
       run: |
-        sed -i "s/apache2/nginx/g" .env
-        sudo mkdir -p data
-        docker network create acme
-        sudo touch data/acme_srv.cfg
-        sudo chmod 777 data/acme_srv.cfg
-        sudo head -n -8 ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
-        sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
-        sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
-        sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
-        sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
-        sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
-        sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
         sudo echo "[DBhandler]" >> data/acme_srv.cfg
-        sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg
+        sudo echo "dbfile: /opt/acme2certifier/volume/a2c.db" >> data/acme_srv.cfg
         sudo echo "[Directory]" >> data/acme_srv.cfg
         sudo echo "url_prefix: /foo" >> data/acme_srv.cfg
-        docker-compose up -d
-        docker-compose logs
         sleep 5
       env:
         NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
@@ -114,37 +122,29 @@ jobs:
         NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
         NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
 
-    - name: "Test http://acme-srv/directory is accessable"
-      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
-    - name: "[ PREPARE ] prepare acme.sh container"
+    - name: "Execute install scipt"
       run: |
-        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
-    - name: "[ ENROLL ] acme.sh"
-      run: |
-        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
-        awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
-        openssl verify -CAfile cert-2.pem -untrusted cert-1.pem  acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
-    - name: "[ ENROLL ] lego"
-      run: |
-        mkdir lego
-        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
-        sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+    - name: "Test enrollment"
+      uses: ./.github/actions/acme_clients
 
     - name: "[ * ] collecting test logs"
       if: ${{ failure() }}
       run: |
         mkdir -p ${{ github.workspace }}/artifact/upload
-        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
-        cd examples/Docker
-        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
-        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
 
     - name: "[ * ] uploading artificates"
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: ${{ failure() }}
       with:
-        name: nginx_cust_db.tar.gz
+        name: rpm_cust_db_file-rh${{ matrix.rhversion }}.tar.gz
         path: ${{ github.workspace }}/artifact/upload/
diff --git a/.gitignore b/.gitignore
index da25b0d5..dfad8fb0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -143,6 +143,7 @@ acme_srv/ejbca/*
 acme_srv/ssl/*
 acme_srv/cn_dump/*
 acme_srv/fixture
+acme_srv/entrust/*
 *.dll
 acme_srv/cmp/WindowsCMPOpenSSL/openssl.exe
 acme_srv/migrations.old
diff --git a/CHANGES.md b/CHANGES.md
index cf161358..b98397e6 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,108 @@ This is a high-level summary of the most important changes. For a full list of
 changes, see the [git commit log](https://github.com/grindsa/acme2certifier/commits)
 and pick the appropriate release branch.
 
+# Changes in 0.36
+
+**Features and Improvements**:
+
+- refactored [NCLM ca handler](docs/nclm.md) using the external REST-API
+- [ca handler](docs/digicert.md) using the [DigiCert CertCentral API](https://dev.digicert.com/en/certcentral-apis.html)
+- [ca handler](docs/entrust.md) using the Entrust ECS Enterprise APIl
+- [EAB Profiling support](docs/eab_profiling.md) in Microsoft CA handlers
+- [#187](https://github.com/grindsa/acme2certifier/pull/187) url option for mscertsrv ca handler
+- subject profiling feature
+- [strip down python-impacket module](https://github.com/grindsa/acme2certifier/blob/master/docs/mswcce.md#local-installation) in docker images
+- [strip down impacket RPM package](https://github.com/grindsa/sbom/tree/main/rpm-repo/RPMs/rhel9)
+- YAML config file format supported in [EAB-Profiling feature](docs/eab_profiling.md)
+- Upgrade Container images to Ubuntu 24.04
+
+**Bugfixes**:
+
+- openssl-ca-handler: basicConstraints extension will not be marked as critical anymore
+- openssl-ca-handler: subjectkeyidentifier extension will not be marked as critical anymore
+- fall-back option to python-openssl for Redhat deployments
+- detect and handle django installations on Debian/Ubunto systems
+- automated schema updates in case of RPM updates
+
+# Changes in 0.35
+
+**Features and Improvements**:
+
+- [#153](https://github.com/grindsa/acme2certifier/issues/153) Kerberos support in [mscertsrv_handler](docs/mscertsrv.md)
+- allowed_domainlist checking in [mswcce_handler](docs/mswcce.md)
+- `timeout` parameter in [ms-wcce_handler](docs/mswcce.md) to specify an enrollment timeout
+- new [tool to validate eab-files](docs/eab_profiling.md#profile-verification)
+- [#165](https://github.com/grindsa/acme2certifier/issues/165) [EAB profiling](docs/eab_profiling.md#enrollment-profiling-via-external-account-binding) for ejbca_handler
+- [#166](https://github.com/grindsa/acme2certifier/issues/166) [EAB profiling](docs/acme_ca.md#eab-profiling) for acme_ca_handler
+- documentation for active/active setup on [Alma9](docs/a2c-alma-loadbalancing.md) and [Ubuntu 22.04](docs/a2c-ubuntu-loadbalancing.md)
+- [#165](https://github.com/grindsa/acme2certifier/issues/165) documentaion of [external database support](docs/external_database_support.md) via django_handler
+
+**Bugfixes**:
+
+- `acme_srv.cfg` will be preserved in case of RPM updates
+- apache2_wsgi docker image will be tagged with `latest`
+- [#166](https://github.com/grindsa/acme2certifier/issues/166) workaround for failed account lookups on smallstep-ca
+
+# Changes in 0.34
+
+**Features and Improvements**:
+
+- [Enrollment profiling via external account binding](docs/eab_profiling.md)
+- [#144](https://github.com/grindsa/acme2certifier/issues/144) configuration option to supress product name
+- [#143](https://github.com/grindsa/acme2certifier/issues/143) template name as part of the user-agent field in wcce/wes handler
+- configuration option to limit the number of identifiers in a single order request
+- `burst` parameter in example nginx.conf to ratelimit incoming requests
+- [container images for arm64 plattforms](https://hub.docker.com/layers/grindsa/acme2certifier/apache2-wsgi/images/sha256-9092e98ad23fa94dfb17534333a9306ec447b274c2e4b5bbaee0b8bc41c6becc?context=repo)
+- regression tests on arm64 plattforms
+
+**Bugfixes**:
+
+- [#147](https://github.com/grindsa/acme2certifier/pull/147) correct content-type for problem+json message
+- updated [eab-example files](https://github.com/grindsa/acme2certifier/tree/master/examples/eab_handler) as hmac must be longer than 256bits
+- identifier sanitizing
+
+# Changes in 0.33.3
+
+**Features and Improvements**:
+
+- some smaller modifications run flawless on Redhat8 and derivates
+- Workflows to test rpm-deployment on RHEL8 and RHEL9
+
+# Changes in 0.33.2
+
+**Upgrade notes**:
+
+- database scheme gets updated. Please run either
+  - `tools/db_update.py` when using the wsgi_handler or
+  - `tools/django_update.py` in case you are using the django_handler
+
+**Bugfixes**:
+
+- [134](https://github.com/grindsa/acme2certifier/issues/134) - acme_srv_housekeeping" -> value too long for "name" field
+- [135](https://github.com/grindsa/acme2certifier/issues/134) - acme_srv_housekeeping dbversion ist set back to 0.23.1 after container restart
+
+# Changes in 0.33.1
+
+**Bugfixes**:
+
+- [132](https://github.com/grindsa/acme2certifier/issues/132) - returning serial numbers in hex-format with leading zero
+
+# Changes in 0.33
+
+**Upgrade notes**:
+
+- database scheme gets updated. Please run either
+  - `tools/db_update.py` when using the wsgi_handler or
+  - `tools/django_update.py` in case you are using the django_handler
+
+**Features and Improvements**:
+
+- Support [draft-ietf-acme-ari-02](https://datatracker.ietf.org/doc/draft-ietf-acme-ari/02): Renewal Information (ARI) Extension
+- First version of [Insta ASA CA handler](docs/asa.md)
+- [winacme renewal-info workaround](https://github.com/grindsa/acme2certifier/issues/127)
+- better logging to ease troubleshootnig of eab
+- code refactoring to improve [f-string handling](https://pylint.pycqa.org/en/latest/user_guide/messages/convention/consider-using-f-string.html)
+
 # Changes in 0.32
 
 **Features and Improvements**:
@@ -56,7 +158,7 @@ and pick the appropriate release branch.
 **Features and Improvements**:
 
 - Support [RFC 8738](https://www.rfc-editor.org/rfc/rfc8738.html): Certificates for IP addresses
-- Support [draft-ietf-acme-ari-01](https://datatracker.ietf.org/doc/draft-ietf-acme-ari/): Renewal Information (ARI) Extension
+- Support [draft-ietf-acme-ari-01](https://datatracker.ietf.org/doc/draft-ietf-acme-ari/01): Renewal Information (ARI) Extension
 - Interoperability testing with [Caddy](https://caddyserver.com/docs/automatic-https) as part of regular regression
 
 # Changes in 0.28
@@ -288,7 +390,7 @@ and pick the appropriate release branch.
 **Features**:
 
 - [Generic ACME protocol handler](docs/acme_ca.md)
-- CA handler for [acme2dfn](https://github.com/pfisterer/acme2dfn) (external; ACME proxy for the [German research network's SOAP API](https://blog.pki.dfn.de/tag/soap-api/))
+- CA handler for [acme2dfn](https://github.com/pfisterer/acme2dfn)
 - wsgi_db_handler: allow DB file path configuration
 - allow setting config file location via environment variable
 
diff --git a/README.md b/README.md
index 9e3dc46f..56c19812 100644
--- a/README.md
+++ b/README.md
@@ -14,30 +14,33 @@
 [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=grindsa_acme2certifier&metric=reliability_rating)](https://sonarcloud.io/summary/overall?id=grindsa_acme2certifier&branch=min)
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=grindsa_acme2certifier&metric=alert_status)](https://sonarcloud.io/summary/overall?id=grindsa_acme2certifier&branch=min)
 
-acme2certifier is development project to create an ACME protocol proxy. Main
-intention is to provide ACME services on CA servers which do not support this
-protocol yet. It consists of two libraries:
+acme2certifier is development project to create an ACME protocol proxy. Main intention is to provide ACME services on CA servers which do not support this protocol yet. It consists of two libraries:
 
 - acme_srv/*.py - a bunch of classes implementing ACME server functionality based
 on [rfc8555](https://tools.ietf.org/html/rfc8555)
 - ca_handler.py - interface towards CA server. The intention of this library
 is to be modular that an [adaption to other CA servers](docs/ca_handler.md)
 should be straight forward. As of today the following handlers are available:
-  - [NetGuard Certificate Manager/Insta Certifier](docs/certifier.md)
-  - [NetGuard Certificate Lifecycle Manager](docs/nclm.md)
-  - [EJBCA](docs/ejbca.md)
-  - [OpenXPKI](docs/openxpki.md)
-  - [Microsoft Certificate Enrollment Web Services](docs/mscertsrv.md)
-  - [Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM](docs/mswcce.md)
-  - [Generic ACME protocol handler supporting Letsencrypt, BuyPass.com and ZeroSSL](docs/acme_ca.md)
-  - [Generic EST protocol handler](docs/est.md)
-  - [Generic CMPv2 protocol handler](docs/cmp.md)
-  - [Openssl](docs/openssl.md)
-  - [XCA](docs/xca.md)
-  - [acme2dfn](https://github.com/pfisterer/acme2dfn) (external; ACME proxy for the [German research network's PKI](https://www.pki.dfn.de/ueberblick-dfn-pki/)
-
-For more up-to-date information and further documentation, please visit the
-project's home page at: [https://github.com/grindsa/acme2certifier](https://github.com/grindsa/acme2certifier)
+
+| E - Certificte Enrollment, R - Certificte Revocation, P - [EAB Profiling](docs/eab_profiling.md) |E|R|P|
+| :-------- | - | - | - |
+| [DigiCert® CertCentral](docs/digicert.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| [Entrust ECS Enterprise](docs/entrust.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| [EJBCA](docs/ejbca.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| [Generic ACME protocol handler supporting Letsencrypt, BuyPass.com and ZeroSSL](docs/acme_ca.md) | :x: | :x: | :white_check_mark: |
+| [Generic CMPv2 protocol handler](docs/cmp.md) | :white_check_mark: | :x: | :x: |
+| [Generic EST protocol handler](docs/est.md) | :white_check_mark: | :x: | :x: |
+| [Insta ActiveCMS](docs/asa.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| [Microsoft Certificate Enrollment Web Services](docs/mscertsrv.md) | :white_check_mark: | :x: | :white_check_mark: |
+| [Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM](docs/mswcce.md) | :white_check_mark: | :x: | :white_check_mark: |
+| [NetGuard Certificate Lifecycle Manager](docs/nclm.md) | :white_check_mark: | :white_check_mark: | :x: |
+| [NetGuard Certificate Manager/Insta Certifier](docs/certifier.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| [Openssl](docs/openssl.md) | :white_check_mark: | :white_check_mark: | :x: |
+| [OpenXPKI](docs/openxpki.md) | :white_check_mark: | :white_check_mark: | :x: |
+| [XCA](docs/xca.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+| [acme2dfn](https://github.com/pfisterer/acme2dfn) (external; ACME proxy for the [German research network's PKI](https://www.pki.dfn.de/ueberblick-dfn-pki/)| :white_check_mark: | :x: | :x: |
+
+For more up-to-date information and further documentation, please visit the project's home page at: [https://github.com/grindsa/acme2certifier](https://github.com/grindsa/acme2certifier)
 
 ## ChangeLog
 
@@ -57,21 +60,18 @@ Following acme-clients are used for regular testing of server functionality
 - [Posh-ACME](https://github.com/rmbolger/Posh-ACME)
 - [win-acme](https://www.win-acme.com/)
 
-Other clients are on my list for later testing. In case you are bored, feel
-free to test other ACME clients and raise [issues](https://github.com/grindsa/acme2certifier/issues/new)
-if something does not work as expected.
+Other clients are on my list for later testing. In case you are bored, feel free to test other ACME clients and raise [issues](https://github.com/grindsa/acme2certifier/issues/new) if something does not work as expected.
 
 [Command-line parameters used for testing](docs/acme-clients.md)
 
-I am not a professional developer. Keep this in mind while laughing about my
-code and don’t forget to send patches.
+I am not a professional developer. Keep this in mind while laughing about my code and don’t forget to send patches.
 
 ## Features
 
 - ACME v2 [RFC 8555](https://www.rfc-editor.org/rfc/rfc8555.html) compliant server implementation including
   - Support [RFC 8737](https://www.rfc-editor.org/rfc/rfc8737.html): TLS Application‑Layer Protocol Negotiation (ALPN) Challenge Extension
   - Support [RFC 8738](https://www.rfc-editor.org/rfc/rfc8738.html): Certificates for IP addresses
-  - Support [draft-ietf-acme-ari-01](https://datatracker.ietf.org/doc/draft-ietf-acme-ari/): Renewal Information (ARI) Extension
+  - Support [draft-ietf-acme-ari-02](https://datatracker.ietf.org/doc/draft-ietf-acme-ari/02/) and [draft-ietf-acme-ari-01](https://datatracker.ietf.org/doc/draft-ietf-acme-ari/01/): Renewal Information (ARI) Extension
   - Support [TNAuthList identifiers](https://datatracker.ietf.org/doc/html/draft-ietf-acme-authority-token-tnauthlist-13): [TNAuthList profile](docs/tnauthlist.md) of ACME Authority Token
   - Support [tkauth-01](https://datatracker.ietf.org/doc/html/draft-ietf-acme-authority-token-09) ACME Challenges Using an Authority Token
   - [Certificate polling](docs/poll.md) and [Call backs](docs/trigger.md) from CA servers. These calls are not standardized but important to use acme2certifier together with classical enterprise CA
@@ -87,12 +87,9 @@ Additional functionality will be added over time. If you are badly missing a cer
 
 ## Installation
 
-The proxy can run either as plain wsgi-script on either apache or nginx or as
-django project. Running acme2certifier as django project allows to use other
-database backends than SQLite.
+The proxy can run either as plain wsgi-script on either apache or nginx or as django project. Running acme2certifier as django project allows to use other database backends than SQLite.
 
-The fastest and most convenient way to install acme2certifier is to use docker
-containers.  There are ready made images available at [dockerhub](https://hub.docker.com/r/grindsa/acme2certifier) and [ghcr.io](https://github.com/grindsa?tab=packages&ecosystem=container) as well as [instructions to build your own container](examples/Docker/). In addition rpm packages for AlmaLinux/CentOS Stream/Redhat EL 9 and deb packages for Ubuntu 22.04 will be provided with every release.
+The fastest and most convenient way to install acme2certifier is to use docker containers.  There are ready made images available at [dockerhub](https://hub.docker.com/r/grindsa/acme2certifier) and [ghcr.io](https://github.com/grindsa?tab=packages&ecosystem=container) as well as [instructions to build your own container](examples/Docker/). In addition rpm packages for AlmaLinux/CentOS Stream/Redhat EL 9 and deb packages for Ubuntu 22.04 will be provided with every release.
 
 - [acme2certifier in Github container repository](https://github.com/grindsa?tab=packages&ecosystem=container)
 - [acme2certifier repository at hub.docker.com](https://hub.docker.com/r/grindsa/acme2certifier)
@@ -109,15 +106,11 @@ containers.  There are ready made images available at [dockerhub](https://hub.do
 
 ## Contributing
 
-Please read [CONTRIBUTING.md](docs/CONTRIBUTING.md) for details on my code of
-conduct, and the process for submitting pull requests.
-Please note that I have a life besides programming. Thus, expect a delay
-in answering.
+Please read [CONTRIBUTING.md](docs/CONTRIBUTING.md) for details on my code of conduct, and the process for submitting pull requests. Please note that I have a life besides programming. Thus, expect a delay in answering.
 
 ## Versioning
 
-I use [SemVer](http://semver.org/) for versioning. For the versions available,
-see the [tags on this repository](https://github.com/grindsa/dkb-robo/tags).
+I use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/grindsa/dkb-robo/tags).
 
 ## License
 
diff --git a/SECURITY.md b/SECURITY.md
index 3ba9ed39..3f6ed588 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,9 +6,9 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.32.x  | :white_check_mark: |
-| 0.31.x  | :white_check_mark: |
-| < 0.31  | :x:  |
+| 0.36.x  | :white_check_mark: |
+| 0.35.x  | :white_check_mark: |
+| < 0.35  | :x:  |
 
 ## Reporting a Vulnerability
 
diff --git a/acme_srv/account.py b/acme_srv/account.py
index e8542b8b..713d6fe2 100644
--- a/acme_srv/account.py
+++ b/acme_srv/account.py
@@ -1,5 +1,4 @@
 # -*- coding: utf-8 -*-
-# pylint: disable=C0209
 """ Account class """
 from __future__ import print_function
 import json
@@ -58,7 +57,7 @@ def _account_lookup(self, jwk: Dict[str, str]) -> Tuple[int, str, Dict[str, str]
         try:
             result = self.dbstore.account_lookup('jwk', json.dumps(jwk))
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Account._account_lookup(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Account._account_lookup(): %s', err_)
             result = None
 
         if result:
@@ -72,21 +71,21 @@ def _account_lookup(self, jwk: Dict[str, str]) -> Tuple[int, str, Dict[str, str]
             message = self.err_msg_dic['accountdoesnotexist']
             detail = None
 
-        self.logger.debug('Account._acount_lookup() ended with:{0}'.format(code))
+        self.logger.debug('Account._acount_lookup() ended with: %s', code)
         return (code, message, detail)
 
     def _account_add_check(self, account_name: str, data_dic: Dict[str, str]) -> Tuple[int, str, str]:
         """ perform database operation """
-        self.logger.debug('Account.account._account_add_check({0})'.format(account_name))
+        self.logger.debug('Account.account._account_add_check(%s)', account_name)
 
         try:
             (db_name, new) = self.dbstore.account_add(data_dic)
         except Exception as err_:
-            self.logger.critical('Account.account._add(): Database error: {0}'.format(err_))
+            self.logger.critical('Account.account._add(): Database error: %s', err_)
             db_name = None
             new = False
 
-        self.logger.debug('got account_name:{0} new:{1}'.format(db_name, new))
+        self.logger.debug('got account_name: %s new: %s', db_name, new)
 
         if new:
             code = 201
@@ -96,7 +95,7 @@ def _account_add_check(self, account_name: str, data_dic: Dict[str, str]) -> Tup
             message = db_name
         detail = None
 
-        self.logger.debug('Account.account._account_add_check() ended with: {0}'.format(account_name))
+        self.logger.debug('Account.account._account_add_check() ended with: %s', account_name)
         return (code, message, detail)
 
     def _account_eab_add(self, payload: Dict[str, str], data_dic: Dict[str, str]) -> Dict[str, str]:
@@ -106,7 +105,7 @@ def _account_eab_add(self, payload: Dict[str, str], data_dic: Dict[str, str]) ->
         if payload and 'externalaccountbinding' in payload and payload['externalaccountbinding']:
             if 'protected' in payload['externalaccountbinding']:
                 eab_kid = self._eab_kid_get(payload['externalaccountbinding']['protected'])
-                self.logger.info('add eab_kid: {0} to data_dic'.format(eab_kid))
+                self.logger.info('add eab_kid: %s to data_dic', eab_kid)
                 if eab_kid:
                     data_dic['eab_kid'] = eab_kid
 
@@ -115,7 +114,7 @@ def _account_eab_add(self, payload: Dict[str, str], data_dic: Dict[str, str]) ->
 
     def _account_add(self, account_name: str, content: Dict[str, str], contact: List[str], payload: Dict[str, str]):
         """ prepare db insert and call DBstore helper """
-        self.logger.debug('Account.account._account_add({0})'.format(account_name))
+        self.logger.debug('Account.account._account_add(%s)', account_name)
 
         # ecc_only check
         if self.ecc_only and not content['alg'].startswith('ES'):
@@ -137,7 +136,7 @@ def _account_add(self, account_name: str, content: Dict[str, str], contact: List
             # check code to be returned
             (code, message, detail) = self._account_add_check(account_name, data_dic)
 
-        self.logger.debug('Account.account._account_add() ended with: {0}'.format(account_name))
+        self.logger.debug('Account.account._account_add() ended with: %s', account_name)
         return (code, message, detail)
 
     def _add(self, content: Dict[str, str], payload: Dict[str, str], contact: List[str]):
@@ -161,7 +160,7 @@ def _add(self, content: Dict[str, str], payload: Dict[str, str], contact: List[s
             message = self.err_msg_dic['malformed']
             detail = 'incomplete protected payload'
 
-        self.logger.debug('Account.account._add() ended with:{0}'.format(code))
+        self.logger.debug('Account.account._add() ended with: %s', code)
         return (code, message, detail)
 
     def _contact_check(self, content: Dict[str, str]) -> Tuple[int, str, str]:
@@ -182,7 +181,7 @@ def _contact_check(self, content: Dict[str, str]) -> Tuple[int, str, str]:
             message = self.err_msg_dic['invalidcontact']
             detail = 'no contacts specified'
 
-        self.logger.debug('Account._contact_check() ended with:{0}'.format(code))
+        self.logger.debug('Account._contact_check() ended with: %s', code)
         return (code, message, detail)
 
     def _contact_list_build(self, payload: Dict[str, str]) -> List[str]:
@@ -206,7 +205,7 @@ def _contacts_update(self, aname: str, payload: Dict[str, str]) -> Tuple[int, st
             try:
                 result = self.dbstore.account_update(data_dic)
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Account._contacts_update(): {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Account._contacts_update(): %s', err_)
                 result = None
 
             if result:
@@ -220,11 +219,11 @@ def _contacts_update(self, aname: str, payload: Dict[str, str]) -> Tuple[int, st
 
     def _delete(self, aname: str) -> Tuple[int, str, str]:
         """ delete account """
-        self.logger.debug('Account._delete({0})'.format(aname))
+        self.logger.debug('Account._delete(%s)', aname)
         try:
             result = self.dbstore.account_delete(aname)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Account._delete(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Account._delete(): %s', err_)
             result = None
 
         if result:
@@ -236,12 +235,12 @@ def _delete(self, aname: str) -> Tuple[int, str, str]:
             message = self.err_msg_dic['accountdoesnotexist']
             detail = 'deletion failed'
 
-        self.logger.debug('Account._delete() ended with:{0}'.format(code))
+        self.logger.debug('Account._delete() ended with: %s', code)
         return (code, message, detail)
 
     def _eab_jwk_compare(self, protected: Dict[str, str], payload: Dict[str, str]) -> bool:
         """ compare jwk from outer header with jwk in eab playload """
-        self.logger.debug('_eab_jwk_compare()')
+        self.logger.debug('Account._eab_jwk_compare()')
         result = False
         if 'jwk' in protected:
             # convert outer jwk into string for better comparison
@@ -253,12 +252,12 @@ def _eab_jwk_compare(self, protected: Dict[str, str], payload: Dict[str, str]) -
                 if jwk_outer == jwk_inner:
                     result = True
 
-        self.logger.debug('_eab_jwk_compare() ended with: {0}'.format(result))
+        self.logger.debug('_eab_jwk_compare() ended with: %s', result)
         return result
 
     def _eab_kid_get(self, protected: str) -> str:
         """ get key identifier for eab validation """
-        self.logger.debug('_eab_kid_get()')
+        self.logger.debug('Account._eab_kid_get()')
         # load protected into json format
         protected_dic = json.loads(b64decode_pad(self.logger, protected))
         # extract kid
@@ -267,12 +266,12 @@ def _eab_kid_get(self, protected: str) -> str:
         else:
             eab_key_id = None
 
-        self.logger.debug('_eab_kid_get() ended with: {0}'.format(eab_key_id))
+        self.logger.debug('Account._eab_kid_get() ended with: %s', eab_key_id)
         return eab_key_id
 
     def _eab_verify(self, payload: Dict[str, str]) -> Tuple[int, str, str]:
         """" check for external account binding """
-        self.logger.debug('_eab_check()')
+        self.logger.debug('Account._eab_verify()')
 
         # get key identifier
         eab_kid = self._eab_kid_get(payload['externalaccountbinding']['protected'])
@@ -293,18 +292,18 @@ def _eab_verify(self, payload: Dict[str, str]) -> Tuple[int, str, str]:
                 code = 403
                 message = self.err_msg_dic['unauthorized']
                 detail = 'eab signature verification failed'
-                self.logger.error('Account._eab_check() returned error: {0}'.format(error))
+                self.logger.error('Account._eab_check() returned error: %s', error)
         else:
             code = 403
             message = self.err_msg_dic['unauthorized']
             detail = 'eab kid lookup failed'
 
-        self.logger.debug('_eab_check() ended with: {0}'.format(code))
+        self.logger.debug('Account._eab_verify() ended with: %s', code)
         return (code, message, detail)
 
     def _eab_check(self, protected: Dict[str, str], payload: Dict[str, str]) -> Tuple[int, str, str]:
         """" check for external account binding """
-        self.logger.debug('_eab_check()')
+        self.logger.debug('Account._eab_check()')
 
         if self.eab_handler and protected and payload and 'externalaccountbinding' in payload and payload['externalaccountbinding']:
             # compare JWK from protected (outer) header if jwk included in payload of external account binding
@@ -323,7 +322,7 @@ def _eab_check(self, protected: Dict[str, str], payload: Dict[str, str]) -> Tupl
             message = self.err_msg_dic['externalaccountrequired']
             detail = 'external account binding required'
 
-        self.logger.debug('Account._eab_check() ended with:{0}'.format(code))
+        self.logger.debug('Account._eab_check() ended with: %s', code)
         return (code, message, detail)
 
     def _eab_signature_verify(self, content: Dict[str, str], mac_key: str) -> Tuple[bool, str]:
@@ -337,7 +336,8 @@ def _eab_signature_verify(self, content: Dict[str, str], mac_key: str) -> Tuple[
         else:
             sig_check = False
             error = None
-        self.logger.debug('Account._eab_signature_verify() ended with: {0}'.format(sig_check))
+
+        self.logger.debug('Account._eab_signature_verify() ended with: %s: %s', sig_check, error)
         return (sig_check, error)
 
     def _header_url_compare(self, outer_protected: Dict[str, str], inner_protected: Dict[str, str]) -> Tuple[int, str, str]:
@@ -358,7 +358,7 @@ def _header_url_compare(self, outer_protected: Dict[str, str], inner_protected:
             message = self.err_msg_dic['malformed']
             detail = 'url parameter differ in inner and outer jws'
 
-        self.logger.debug('Account._header_url_compare() ended with: {0}'.format(code))
+        self.logger.debug('Account._header_url_compare() ended with: %s', code)
         return (code, message, detail)
 
     def _info(self, account_obj: Dict[str, str]) -> Dict[str, str]:
@@ -374,7 +374,7 @@ def _info(self, account_obj: Dict[str, str]) -> Dict[str, str]:
             if 'eab_kid' in account_obj and account_obj['eab_kid']:
                 response_dic['eab_kid'] = account_obj['eab_kid']
 
-        self.logger.debug('Account._info() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('Account._info() returns: %s', json.dumps(response_dic))
         return response_dic
 
     def _inner_jws_check(self, outer_protected: Dict[str, str], inner_protected: Dict[str, str]) -> Tuple[int, str, str]:
@@ -395,7 +395,7 @@ def _inner_jws_check(self, outer_protected: Dict[str, str], inner_protected: Dic
             message = self.err_msg_dic['malformed']
             detail = 'inner jws is missing jwk'
 
-        self.logger.debug('Account._inner_jws_check() ended with: {0}:{1}'.format(code, detail))
+        self.logger.debug('Account._inner_jws_check() ended with: %s:%s', code, detail)
         return (code, message, detail)
 
     def _inner_payload_check(self, aname: str, outer_protected: Dict[str, str], inner_payload: Dict[str, str]) -> Tuple[int, str, str]:
@@ -425,12 +425,12 @@ def _inner_payload_check(self, aname: str, outer_protected: Dict[str, str], inne
             message = self.err_msg_dic['malformed']
             detail = 'kid is missing in outer header'
 
-        self.logger.debug('Account._inner_payload_check() ended with: {0}:{1}'.format(code, detail))
+        self.logger.debug('Account._inner_payload_check() ended with: %s:%s', code, detail)
         return (code, message, detail)
 
     def _key_change_validate(self, aname: str, outer_protected: Dict[str, str], inner_protected: Dict[str, str], inner_payload: Dict[str, str]):
         """ validate key_change before exectution """
-        self.logger.debug('Account._key_change_validate({0})'.format(aname))
+        self.logger.debug('Account._key_change_validate(%s)', aname)
         if 'jwk' in inner_protected:
             # check if we already have the key stored in DB
             key_exists = self._lookup(json.dumps(inner_protected['jwk']), 'jwk')
@@ -448,12 +448,12 @@ def _key_change_validate(self, aname: str, outer_protected: Dict[str, str], inne
             message = self.err_msg_dic['malformed']
             detail = 'inner jws is missing jwk'
 
-        self.logger.debug('Account._key_change_validate() ended with: {0}:{1}'.format(code, detail))
+        self.logger.debug('Account._key_change_validate() ended with: %s:%s', code, detail)
         return (code, message, detail)
 
     def _key_rollover(self, aname: str, protected: Dict[str, str], inner_protected: Dict[str, str], inner_payload: Dict[str, str]) -> Tuple[int, str, str]:
         """ key update after key change """
-        self.logger.debug('Account._key_rollover({0})'.format(aname))
+        self.logger.debug('Account._key_rollover(%s)', aname)
 
         (code, message, detail) = self._key_change_validate(aname, protected, inner_protected, inner_payload)
         if code == 200:
@@ -461,7 +461,7 @@ def _key_rollover(self, aname: str, protected: Dict[str, str], inner_protected:
             try:
                 result = self.dbstore.account_update(data_dic)
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Account._key_change(): {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Account._key_change(): %s', err_)
                 result = None
             if result:
                 code = 200
@@ -472,12 +472,12 @@ def _key_rollover(self, aname: str, protected: Dict[str, str], inner_protected:
                 message = self.err_msg_dic['serverinternal']
                 detail = 'key rollover failed'
 
-        self.logger.debug('Account._key_rollover() ended with: {0}'.format(code))
+        self.logger.debug('Account._key_rollover() ended with: %s', code)
         return (code, message, detail)
 
     def _key_change(self, aname: str, payload: Dict[str, str], protected: Dict[str, str]) -> Tuple[int, str, str]:
         """ key change for a given account """
-        self.logger.debug('Account._key_change({0})'.format(aname))
+        self.logger.debug('Account._key_change(%s)', aname)
 
         if 'url' in protected:
             if 'key-change' in protected['url']:
@@ -495,7 +495,7 @@ def _key_change(self, aname: str, payload: Dict[str, str], protected: Dict[str,
             message = self.err_msg_dic['malformed']
             detail = 'malformed request'
 
-        self.logger.debug('Account._key_change() ended with: {0}'.format(code))
+        self.logger.debug('Account._key_change() ended with: %s', code)
         return (code, message, detail)
 
     def _keys_adjust(self, pub_key: Dict[str, str], old_key: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
@@ -514,13 +514,13 @@ def _keys_adjust(self, pub_key: Dict[str, str], old_key: Dict[str, str]) -> Tupl
 
     def _key_compare(self, aname: str, old_key: Dict[str, str]) -> Tuple[int, str, str]:
         """ compare key with the one stored in database """
-        self.logger.debug('Account._key_compare({0})'.format(aname))
+        self.logger.debug('Account._key_compare(%s)', aname)
 
         # load current public key from database
         try:
             pub_key = self.dbstore.jwk_load(aname)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Account._key_compare(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Account._key_compare(): %s', err_)
             pub_key = None
 
         if old_key and pub_key:
@@ -540,7 +540,7 @@ def _key_compare(self, aname: str, old_key: Dict[str, str]) -> Tuple[int, str, s
             message = self.err_msg_dic['unauthorized']
             detail = 'wrong public key'
 
-        self.logger.debug('Account._key_compare() ended with: {0}'.format(code))
+        self.logger.debug('Account._key_compare() ended with: %s', code)
         return (code, message, detail)
 
     def _config_load(self):
@@ -577,11 +577,11 @@ def _config_load(self):
 
     def _lookup(self, value: str, field: str = 'name') -> Dict[str, str]:
         """ lookup account """
-        self.logger.debug('Account._lookup({0}:{1})'.format(field, value))
+        self.logger.debug('Account._lookup(%s:%s)', field, value)
         try:
             result = self.dbstore.account_lookup(field, value)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Account._lookup(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Account._lookup(): %s', err_)
             result = None
         return result
 
@@ -618,11 +618,11 @@ def _onlyreturnexisting(self, protected: Dict[str, str], payload: Dict[str, str]
             message = self.err_msg_dic['serverinternal']
             detail = 'onlyReturnExisting without payload'
 
-        self.logger.debug('Account.onlyreturnexisting() ended with:{0}'.format(code))
+        self.logger.debug('Account.onlyreturnexisting() ended with: %s', code)
         return (code, message, detail)
 
     def _parse_deactivation(self, account_name: str, payload: Dict[str, str]) -> Tuple[int, str, str]:
-        self.logger.debug('Account._parse_deactivation({0})'.format(account_name))
+        self.logger.debug('Account._parse_deactivation(%s)', account_name)
         data = None
         # account deactivation
         if payload['status'].lower() == 'deactivated':
@@ -639,7 +639,7 @@ def _parse_deactivation(self, account_name: str, payload: Dict[str, str]) -> Tup
 
     def _parse_contacts_update(self, account_name: str, payload: Dict[str, str]) -> Tuple[int, str, str, Dict[str, str]]:
         """ update contacts """
-        self.logger.debug('Account._parse_contacts_update({0})'.format(account_name))
+        self.logger.debug('Account._parse_contacts_update(%s)', account_name)
         data = None
         (code, message, detail) = self._contacts_update(account_name, payload)
         if code == 200:
@@ -655,7 +655,7 @@ def _parse_contacts_update(self, account_name: str, payload: Dict[str, str]) ->
 
     def _parse_query(self, account_name: str) -> Dict[str, str]:
         """ update contacts """
-        self.logger.debug('Account._parse_query({0})'.format(account_name))
+        self.logger.debug('Account._parse_query(%s)', account_name)
 
         # this is a query for account information
         account_obj = self._lookup(account_name)
@@ -672,7 +672,7 @@ def _tos_check(self, content: Dict[str, str]) -> Tuple[int, str, str]:
         """ check terms of service """
         self.logger.debug('Account._tos_check()')
         if 'termsofserviceagreed' in content:
-            self.logger.debug('tos:{0}'.format(content['termsofserviceagreed']))
+            self.logger.debug('tos:%s', content['termsofserviceagreed'])
             if content['termsofserviceagreed']:
                 code = 200
                 message = None
@@ -687,7 +687,7 @@ def _tos_check(self, content: Dict[str, str]) -> Tuple[int, str, str]:
             message = self.err_msg_dic['useractionrequired']
             detail = 'tosfalse'
 
-        self.logger.debug('Account._tos_check() ended with:{0}'.format(code))
+        self.logger.debug('Account._tos_check() ended with:%s', code)
         return (code, message, detail)
 
     def _new(self, code: int, payload: Dict[str, str], protected: Dict[str, str]) -> Tuple[int, str, str]:
@@ -717,7 +717,7 @@ def _new(self, code: int, payload: Dict[str, str], protected: Dict[str, str]) ->
                 # add new account
                 (code, message, detail) = self._add(protected, payload, contact_list)
 
-        self.logger.debug('Account._new() ended with: {0}'.format(code))
+        self.logger.debug('Account._new() ended with: %s', code)
         return (code, message, detail)
 
     def new(self, content: Dict[str, str]) -> Dict[str, str]:
@@ -735,7 +735,7 @@ def new(self, content: Dict[str, str]) -> Dict[str, str]:
             if code == 201:
                 response_dic['data'] = {
                     'status': 'valid',
-                    'orders': '{0}{1}{2}/orders'.format(self.server_name, self.path_dic['acct_path'], message),
+                    'orders': f'{self.server_name}{self.path_dic["acct_path"]}{message}/orders'
                 }
                 if 'contact' in payload:
                     response_dic['data']['contact'] = payload['contact']
@@ -743,7 +743,7 @@ def new(self, content: Dict[str, str]) -> Dict[str, str]:
                 response_dic['data'] = detail
 
             response_dic['header'] = {}
-            response_dic['header']['Location'] = '{0}{1}{2}'.format(self.server_name, self.path_dic['acct_path'], message)
+            response_dic['header']['Location'] = f'{self.server_name}{self.path_dic["acct_path"]}{message}'
 
             # add exernal account binding
             if self.eab_check and 'externalaccountbinding' in payload:
@@ -757,7 +757,7 @@ def new(self, content: Dict[str, str]) -> Dict[str, str]:
         status_dic = {'code': code, 'type': message, 'detail': detail}
         response_dic = self.message.prepare_response(response_dic, status_dic)
 
-        self.logger.debug('Account.new() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('Account.new() returns: %s', json.dumps(response_dic))
         return response_dic
 
     def parse(self, content: Dict[str, str]) -> Dict[str, str]:
@@ -795,5 +795,5 @@ def parse(self, content: Dict[str, str]) -> Dict[str, str]:
         status_dic = {'code': code, 'type': message, 'detail': detail}
         response_dic = self.message.prepare_response(response_dic, status_dic)
 
-        self.logger.debug('Account.account_parse() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('Account.account_parse() returns: %s', json.dumps(response_dic))
         return response_dic
diff --git a/acme_srv/acmechallenge.py b/acme_srv/acmechallenge.py
index 5d2a1802..f3176e45 100644
--- a/acme_srv/acmechallenge.py
+++ b/acme_srv/acmechallenge.py
@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
 """ acmechallenge class """
-# pylint: disable=C0209
 from __future__ import print_function
 from acme_srv.db_handler import DBstore
 
@@ -28,10 +27,10 @@ def lookup(self, path_info: str) -> str:
         key_authorization = None
         if path_info:
             token = path_info.replace('/.well-known/acme-challenge/', '')
-            self.logger.info('Acmechallenge.lookup() token: {0}'.format(token))
+            self.logger.info('Acmechallenge.lookup() token: %s', token)
             challenge_dic = self.dbstore.cahandler_lookup('name', token)
             if challenge_dic and 'value1' in challenge_dic:
                 key_authorization = challenge_dic['value1']
 
-        self.logger.debug('Acmechallenge.lookup() ended with: {0}'.format(key_authorization))
+        self.logger.debug('Acmechallenge.lookup() ended with: %s', key_authorization)
         return key_authorization
diff --git a/acme_srv/authorization.py b/acme_srv/authorization.py
index 1737d7e9..50ec44bf 100644
--- a/acme_srv/authorization.py
+++ b/acme_srv/authorization.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 """ Order class """
-# pylint: disable=C0209, R0913
+# pylint: disable=R0913
 from __future__ import print_function
 import json
 from typing import List, Tuple, Dict
@@ -40,12 +40,12 @@ def _expiry_update(self, authz_name: str, token: str, expires: int):
         try:
             self.dbstore.authorization_update({'name': authz_name, 'token': token, 'expires': expires})
         except Exception as err_:
-            self.logger.error('acme2certifier database error in Authorization._expiry_update({0}) update: {1}'.format(authz_name, err_))
+            self.logger.error('acme2certifier database error in Authorization._expiry_update(%s) update: %s', authz_name, err_)
 
         self.logger.debug('Authorization._expiry_update() ended')
 
     def _authz_lookup(self, authz_name: str, vlist: List[str] = None) -> Dict[str, str]:
-        self.logger.debug('Authorization._authz_lookup({0})'.format(authz_name))
+        self.logger.debug('Authorization._authz_lookup(%s)', authz_name)
 
         # lookup authorization based on name
         try:
@@ -54,7 +54,7 @@ def _authz_lookup(self, authz_name: str, vlist: List[str] = None) -> Dict[str, s
             else:
                 authz = self.dbstore.authorization_lookup('name', authz_name)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Authorization._authz_lookup({0}) lookup: {1}'.format(authz_name, err_))
+            self.logger.critical('acme2certifier database error in Authorization._authz_lookup(%s) lookup: %s', authz_name, err_)
             authz = None
 
         self.logger.debug('Authorization._authz_lookup() ended')
@@ -62,7 +62,7 @@ def _authz_lookup(self, authz_name: str, vlist: List[str] = None) -> Dict[str, s
 
     def _challengeset_get(self, authz_info_dic: Dict[str, str], authz_name: str, token: str, tnauth: bool, expires: int) -> Dict[str, str]:
         """ get challenge set """
-        self.logger.debug('Authorization._challengeset_get({0})'.format(authz_name))
+        self.logger.debug('Authorization._challengeset_get(%s)', authz_name)
 
         with Challenge(self.debug, self.server_name, self.logger, expires) as challenge:
             # get challenge data (either existing or new ones)
@@ -109,8 +109,8 @@ def _authz_info(self, url: str) -> Dict[str, str]:
         """ return authzs information """
         self.logger.debug('Authorization._authz_info()')
 
-        authz_name = string_sanitize(self.logger, url.replace('{0}{1}'.format(self.server_name, self.path_dic['authz_path']), ''))
-        self.logger.debug('Authorization._authz_info({0})'.format(authz_name))
+        authz_name = string_sanitize(self.logger, url.replace(f'{self.server_name}{self.path_dic["authz_path"]}', ''))
+        self.logger.debug('Authorization._authz_info(%s)', authz_name)
 
         expires = uts_now() + self.validity
         token = generate_random_string(self.logger, 32)
@@ -136,7 +136,7 @@ def _authz_info(self, url: str) -> Dict[str, str]:
             # get challenge-set
             authz_info_dic['challenges'] = self._challengeset_get(authz_info_dic, authz_name, token, tnauth, expires)
 
-        self.logger.debug('Authorization._authz_info() returns: {0}'.format(json.dumps(authz_info_dic)))
+        self.logger.debug('Authorization._authz_info() returns: %s', json.dumps(authz_info_dic))
         return authz_info_dic
 
     def _config_load(self):
@@ -150,23 +150,23 @@ def _config_load(self):
                 try:
                     self.validity = int(config_dic['Authorization']['validity'])
                 except Exception:
-                    self.logger.warning('Authorization._config_load(): failed to parse validity: {0}'.format(config_dic['Authorization']['validity']))
+                    self.logger.warning('Authorization._config_load(): failed to parse validity: %s', config_dic['Authorization']['validity'])
         if 'Directory' in config_dic and 'url_prefix' in config_dic['Directory']:
             self.path_dic = {k: config_dic['Directory']['url_prefix'] + v for k, v in self.path_dic.items()}
         self.logger.debug('Authorization._config_load() ended.')
 
     def invalidate(self, timestamp: int = None) -> Tuple[List[str], List[str]]:
         """ invalidate authorizations """
-        self.logger.debug('Authorization.invalidate({0})'.format(timestamp))
+        self.logger.debug('Authorization.invalidate(%s)', timestamp)
         if not timestamp:
             timestamp = uts_now()
-            self.logger.debug('Authorization.invalidate(): set timestamp to {0}'.format(timestamp))
+            self.logger.debug('Authorization.invalidate(): set timestamp to %s', timestamp)
 
         field_list = ['id', 'name', 'expires', 'value', 'created_at', 'token', 'status__id', 'status__name', 'order__id', 'order__name']
         try:
             authz_list = self.dbstore.authorizations_expired_search('expires', timestamp, vlist=field_list, operant='<=')
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Authorization.invalidate(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Authorization.invalidate(): %s', err_)
             authz_list = []
 
         output_list = []
@@ -181,9 +181,9 @@ def invalidate(self, timestamp: int = None) -> Tuple[List[str], List[str]]:
                     try:
                         self.dbstore.authorization_update(data_dic)
                     except Exception as err_:
-                        self.logger.critical('acme2certifier database error in Authorization.invalidate(): {0}'.format(err_))
+                        self.logger.critical('acme2certifier database error in Authorization.invalidate(): %s', err_)
 
-        self.logger.debug('Authorization.invalidate() ended: {0} authorizations identified'.format(len(output_list)))
+        self.logger.debug('Authorization.invalidate() ended: %s authorizations identified', len(output_list))
         return (field_list, output_list)
 
     def new_get(self, url: str) -> Dict[str, str]:
@@ -224,5 +224,5 @@ def new_post(self, content: str) -> Dict[str, str]:
         status_dic = {'code': code, 'type': message, 'detail': detail}
         response_dic = self.message.prepare_response(response_dic, status_dic)
 
-        self.logger.debug('Authorization.new_post() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('Authorization.new_post() returns: %s', json.dumps(response_dic))
         return response_dic
diff --git a/acme_srv/certificate.py b/acme_srv/certificate.py
index 644a8055..6e4d5c32 100644
--- a/acme_srv/certificate.py
+++ b/acme_srv/certificate.py
@@ -1,10 +1,10 @@
 # -*- coding: utf-8 -*-
-# pylint: disable=c0209, r0902, r0912, r0913, r0915
+# pylint: disable=r0902, r0912, r0913, r0915
 """ certificate class """
 from __future__ import print_function
 import json
 from typing import List, Tuple, Dict
-from acme_srv.helper import b64_url_recode, generate_random_string, cert_san_get, cert_extensions_get, hooks_load, uts_now, uts_to_date_utc, date_to_uts_utc, load_config, csr_san_get, csr_extensions_get, cert_dates_get, ca_handler_load, error_dic_get, string_sanitize, pembundle_to_list, certid_asn1_get
+from acme_srv.helper import b64_url_recode, generate_random_string, cert_cn_get, cert_san_get, cert_extensions_get, hooks_load, uts_now, uts_to_date_utc, date_to_uts_utc, load_config, csr_san_get, csr_extensions_get, cert_dates_get, ca_handler_load, error_dic_get, string_sanitize, pembundle_to_list, certid_asn1_get, cert_serial_get, cert_aki_get
 from acme_srv.db_handler import DBstore
 from acme_srv.message import Message
 from acme_srv.threadwithreturnvalue import ThreadWithReturnValue
@@ -30,6 +30,7 @@ def __init__(self, debug: bool = False, srv_name: str = None, logger=None):
         self.tnauthlist_support = False
         self.cert_reusage_timeframe = 0
         self.enrollment_timeout = 5
+        self.cn2san_add = False
 
     def __enter__(self):
         """ Makes ACMEHandler a Context Manager """
@@ -41,12 +42,13 @@ def __exit__(self, *args):
 
     def _account_check(self, account_name: str, certificate: str) -> Dict[str, str]:
         """ check account """
-        self.logger.debug('Certificate.issuer_check()')
+        self.logger.debug('Certificate._account_check()')
         try:
             result = self.dbstore.certificate_account_check(account_name, b64_url_recode(self.logger, certificate))
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Certificate._account_check(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate._account_check(): %s', err_)
             result = None
+        self.logger.debug('Certificate._account_check() ended with: %s', result)
         return result
 
     def _authz_check(self, identifier_dic: Dict[str, str], certificate: str) -> List[str]:
@@ -67,16 +69,22 @@ def _authz_check(self, identifier_dic: Dict[str, str], certificate: str) -> List
             except Exception as err_:
                 # enough to set identifier_list as empty list
                 identifier_status = []
-                self.logger.warning('Certificate._authorization_check() error while loading parsing certifcate. Error: {0}'.format(err_))
+                self.logger.warning('Certificate._authorization_check() error while loading parsing certifcate. Error: %s', err_)
         else:
             try:
                 # get sans
                 san_list = cert_san_get(self.logger, certificate)
+                if self.cn2san_add:
+                    # add common name to SANs
+                    cert_cn = cert_cn_get(self.logger, certificate)
+                    if not san_list and cert_cn:
+                        san_list.append(f'DNS:{cert_cn}')
+
                 identifier_status = self._identifer_status_list(identifiers, san_list)
             except Exception as err_:
                 # enough to set identifier_list as empty list
                 identifier_status = []
-                self.logger.warning('Certificate._authorization_check() error while loading parsing certifcate. Error: {0}'.format(err_))
+                self.logger.warning('Certificate._authorization_check() error while loading parsing certifcate. Error: %s', err_)
 
         self.logger.debug('Certificate._authz_check() ended')
         return identifier_status
@@ -92,7 +100,7 @@ def _authorization_check(self, order_name: str, certificate: str) -> bool:
         try:
             identifier_dic = self.dbstore.order_lookup('name', order_name, ['identifiers'])
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Certificate._authorization_check(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate._authorization_check(): %s', err_)
             identifier_dic = {}
 
         if identifier_dic and 'identifiers' in identifier_dic:
@@ -103,17 +111,17 @@ def _authorization_check(self, order_name: str, certificate: str) -> bool:
         if identifier_status and False not in identifier_status:
             result = True
 
-        self.logger.debug('Certificate._authorization_check() ended with {0}'.format(result))
+        self.logger.debug('Certificate._authorization_check() ended with %s', result)
         return result
 
     def _cert_reusage_check(self, csr: str) -> Tuple[None, str, str, str]:
         """ check if an existing certificate an be reused """
-        self.logger.debug('Certificate._cert_reusage_check({0})'.format(self.cert_reusage_timeframe))
+        self.logger.debug('Certificate._cert_reusage_check(%s)', self.cert_reusage_timeframe)
 
         try:
             result_dic = self.dbstore.certificates_search('csr', csr, ('cert', 'cert_raw', 'expire_uts', 'issue_uts', 'created_at', 'id'))
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Certificate._cert_reusage_check(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate._cert_reusage_check(): %s', err_)
             result_dic = None
 
         cert = None
@@ -127,7 +135,7 @@ def _cert_reusage_check(self, csr: str) -> Tuple[None, str, str, str]:
                 try:
                     uts_create = date_to_uts_utc(certificate['created_at'])
                 except Exception as _err:
-                    self.logger.error('acme2certifier date_to_uts_utc() error in Certificate._cert_reusage_check(): id:{0}/created_at:{1}'.format(certificate['id'], certificate['created_at']))
+                    self.logger.error('acme2certifier date_to_uts_utc() error in Certificate._cert_reusage_check(): id:%s/created_at:%s', certificate['id'], certificate['created_at'])
                     uts_create = 0
 
                 # check if there certificates within reusage timeframe
@@ -136,10 +144,10 @@ def _cert_reusage_check(self, csr: str) -> Tuple[None, str, str, str]:
                     if uts <= certificate['expire_uts']:
                         cert = certificate['cert']
                         cert_raw = certificate['cert_raw']
-                        message = 'reused certificate from id: {0}'.format(certificate['id'])
+                        message = f'reused certificate from id: {certificate["id"]}'
                         break
 
-        self.logger.debug('Certificate._cert_reusage_check() ended with {0}'.format(message))
+        self.logger.debug('Certificate._cert_reusage_check() ended with {%s', message)
         return (None, cert, cert_raw, message)
 
     def _config_hooks_load(self, config_dic: Dict[str, str]):
@@ -153,7 +161,7 @@ def _config_hooks_load(self, config_dic: Dict[str, str]):
                 # store handler in variable
                 self.hooks = hooks_module.Hooks(self.logger)
             except Exception as err:
-                self.logger.critical('Certificate._config_load(): Hooks could not be loaded: {0}'.format(err))
+                self.logger.critical('Certificate._config_load(): Hooks could not be loaded: %s', err)
 
             self.ignore_pre_hook_failure = config_dic.getboolean('Hooks', 'ignore_pre_hook_failure', fallback=False)
             self.ignore_post_hook_failure = config_dic.getboolean('Hooks', 'ignore_post_hook_failure', fallback=True)
@@ -170,12 +178,12 @@ def _config_parameters_load(self, config_dic: Dict[str, str]):
                 try:
                     self.cert_reusage_timeframe = int(config_dic['Certificate']['cert_reusage_timeframe'])
                 except Exception as err_:
-                    self.logger.error('acme2certifier Certificate._config_load() cert_reusage_timout parsing error: {0}'.format(err_))
+                    self.logger.error('acme2certifier Certificate._config_load() cert_reusage_timout parsing error: %s', err_)
             if 'enrollment_timeout' in config_dic['Certificate']:
                 try:
                     self.enrollment_timeout = int(config_dic['Certificate']['enrollment_timeout'])
                 except Exception as err_:
-                    self.logger.error('acme2certifier Certificate._config_load() enrollment_timeout parsing error: {0}'.format(err_))
+                    self.logger.error('acme2certifier Certificate._config_load() enrollment_timeout parsing error: %s', err_)
 
         if 'Directory' in config_dic and 'url_prefix' in config_dic['Directory']:
             self.path_dic = {k: config_dic['Directory']['url_prefix'] + v for k, v in self.path_dic.items()}
@@ -189,6 +197,10 @@ def _config_load(self):
         if 'Order' in config_dic:
             self.tnauthlist_support = config_dic.getboolean('Order', 'tnauthlist_support', fallback=False)
 
+        if 'CAhandler' in config_dic and config_dic.get('CAhandler', 'handler_file', fallback=None) == 'examples/ca_handler/asa_ca_handler.py':
+            self.cn2san_add = True
+            self.logger.debug('Certificate._config_load(): cn2san_add enabled')
+
         # load ca_handler according to configuration
         ca_handler_module = ca_handler_load(self.logger, config_dic)
 
@@ -204,7 +216,7 @@ def _config_load(self):
         # load parametrs
         self._config_parameters_load(config_dic)
 
-        self.logger.debug('ca_handler: {0}'.format(ca_handler_module))
+        self.logger.debug('ca_handler: %s', ca_handler_module)
         self.logger.debug('Certificate._config_load() ended.')
 
     def _identifiers_load(self, identifier_dic: Dict[str, str], csr: str) -> List[str]:
@@ -225,7 +237,7 @@ def _identifiers_load(self, identifier_dic: Dict[str, str], csr: str) -> List[st
                 identifier_status = self._identifer_tnauth_list(identifier_dic, tnauthlist)
             except Exception as err_:
                 identifier_status = []
-                self.logger.warning('Certificate._csr_check() error while parsing csr.\nerror: {0}'.format(err_))
+                self.logger.warning('Certificate._csr_check() error while parsing csr.\nerror: %s', err_)
         else:
             # get sans and compare identifiers against san
             try:
@@ -233,9 +245,9 @@ def _identifiers_load(self, identifier_dic: Dict[str, str], csr: str) -> List[st
                 identifier_status = self._identifer_status_list(identifiers, san_list)
             except Exception as err_:
                 identifier_status = []
-                self.logger.warning('Certificate._csr_check() error while checking csr.\nerror: {0}'.format(err_))
+                self.logger.warning('Certificate._csr_check() error while checking csr.\nerror: %s', err_)
 
-        self.logger.debug('Certificate._identifiers_load() ended with {0}'.format(identifier_status))
+        self.logger.debug('Certificate._identifiers_load() ended with %s', identifier_status)
         return identifier_status
 
     def _csr_check(self, certificate_name: str, csr: str) -> bool:
@@ -244,7 +256,7 @@ def _csr_check(self, certificate_name: str, csr: str) -> bool:
 
         # fetch certificate dictionary from DB
         certificate_dic = self._info(certificate_name)
-        self.logger.debug('Certificate._info() ended with:{0}'.format(certificate_dic))
+        self.logger.debug('Certificate._info() ended with:%s', certificate_dic)
 
         # empty list of statuses
         identifier_status = []
@@ -254,7 +266,7 @@ def _csr_check(self, certificate_name: str, csr: str) -> bool:
             try:
                 identifier_dic = self.dbstore.order_lookup('name', certificate_dic['order'], ['identifiers'])
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Certificate._csr_check(): {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Certificate._csr_check(): %s', err_)
                 identifier_dic = {}
 
             if identifier_dic and 'identifiers' in identifier_dic:
@@ -265,10 +277,10 @@ def _csr_check(self, certificate_name: str, csr: str) -> bool:
         if identifier_status and False not in identifier_status:
             csr_check_result = True
 
-        self.logger.debug('Certificate._csr_check() ended with {0}'.format(csr_check_result))
+        self.logger.debug('Certificate._csr_check() ended with %s', csr_check_result)
         return csr_check_result
 
-    def _enroll(self, csr: str, ca_handler: object) -> Tuple[str, str, str, str]:
+    def _enroll(self, csr: str) -> Tuple[str, str, str, str]:
         self.logger.debug('Certificate._enroll()')
         if self.cert_reusage_timeframe:
             (error, certificate, certificate_raw, poll_identifier) = self._cert_reusage_check(csr)
@@ -278,7 +290,8 @@ def _enroll(self, csr: str, ca_handler: object) -> Tuple[str, str, str, str]:
 
         if not certificate or not certificate_raw:
             self.logger.debug('Certificate._enroll(): trigger enrollment')
-            (error, certificate, certificate_raw, poll_identifier) = ca_handler.enroll(csr)
+            with self.cahandler(self.debug, self.logger) as ca_handler:
+                (error, certificate, certificate_raw, poll_identifier) = ca_handler.enroll(csr)
         else:
             self.logger.info('Certificate._enroll(): reuse existing certificate')
 
@@ -293,7 +306,7 @@ def _renewal_info_get(self, certificate: str) -> str:
 
         renewal_info_hex = certid_asn1_get(self.logger, certificate_list[0], certificate_list[1])
 
-        self.logger.debug('Certificate.certid_asn1_get() ended with {0}'.format(renewal_info_hex))
+        self.logger.debug('Certificate.certid_asn1_get() ended with %s', renewal_info_hex)
         return renewal_info_hex
 
     def _store(self, certificate: str, certificate_raw: str, poll_identifier: str, certificate_name: str, order_name: str, csr: str) -> Tuple[int, str]:
@@ -309,33 +322,33 @@ def _store(self, certificate: str, certificate_raw: str, poll_identifier: str, c
             if self.hooks:
                 try:
                     self.hooks.success_hook(certificate_name, order_name, csr, certificate, certificate_raw, poll_identifier)
-                    self.logger.debug('Certificate._enroll_and_store: success_hook successful')
+                    self.logger.debug('Certificate._store: success_hook successful')
                 except Exception as err:
-                    self.logger.error('Certificate._enroll_and_store: success_hook exception: {0}'.format(err))
+                    self.logger.error('Certificate._store: success_hook exception: %s', err)
                     if not self.ignore_success_hook_failure:
                         error = (None, 'success_hook_error', str(err))
 
         except Exception as err_:
             result = None
-            self.logger.critical('acme2certifier database error in Certificate._enroll_and_store(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate._store(): %s', err_)
 
         self.logger.error('Certificate._store() ended')
         return (result, error)
 
     def _enrollerror_handler(self, error: str, poll_identifier: str, order_name: str, certificate_name: str) -> Tuple[None, str, str]:
         """ store error message for later analysis """
-        self.logger.error('Certificate._enroll_and_store({0})'.format(error))
+        self.logger.debug('Certificate._enrollerror_handler(%s)', error)
 
         result = None
         detail = None
         try:
             if not poll_identifier:
-                self.logger.debug('Certificate._enroll_and_store(): invalidating order as there is no certificate and no poll_identifier: {0}/{1}'.format(error, order_name))
+                self.logger.debug('Certificate._enrollerror_handler(): invalidating order as there is no certificate and no poll_identifier: %s/%s', error, order_name)
                 self._order_update({'name': order_name, 'status': 'invalid'})
             self._store_cert_error(certificate_name, error, poll_identifier)
         except Exception as err_:
             result = None
-            self.logger.critical('acme2certifier database error in Certificate._enroll_and_store() _store_cert_error: {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate._enrollerror_handler() _store_cert_error: %s', err_)
 
         # cover polling cases
         if poll_identifier:
@@ -343,43 +356,43 @@ def _enrollerror_handler(self, error: str, poll_identifier: str, order_name: str
         else:
             error = self.err_msg_dic['serverinternal']
 
-        self.logger.error('Certificate._enroll_and_store() ended with: {0}'.format(result))
+        self.logger.debug('Certificate._enrollerror_handler() ended with: %s', result)
         return (result, error, detail)
 
     def _pre_hooks_process(self, certificate_name: str, order_name: str, csr: str) -> List[str]:
-        self.logger.debug('Certificate._pre_hooks_process({0}, {1})'.format(certificate_name, order_name))
+        self.logger.debug('Certificate._pre_hooks_process(%s, %s)', certificate_name, order_name)
         hook_error = []
         if self.hooks:
             try:
                 self.hooks.pre_hook(certificate_name, order_name, csr)
-                self.logger.debug('Certificate._enroll_and_store(): pre_hook successful')
+                self.logger.debug('Certificate._pre_hooks_process(): pre_hook successful')
             except Exception as err:
-                self.logger.error('Certificate._enroll_and_store(): pre_hook exception: {0}'.format(err))
+                self.logger.error('Certificate._pre_hooks_process(): pre_hook exception: %s', err)
                 if not self.ignore_pre_hook_failure:
                     hook_error = (None, 'pre_hook_error', str(err))
 
-        self.logger.debug('Certificate._pre_hooks_process({0})'.format(hook_error))
+        self.logger.debug('Certificate._pre_hooks_process(%s)', hook_error)
         return hook_error
 
     def _post_hooks_process(self, certificate_name: str, order_name: str, csr: str, error: str) -> List[str]:
-        self.logger.debug('Certificate._pre_hooks_process({0}, {1})'.format(certificate_name, order_name))
+        self.logger.debug('Certificate._post_hooks_process(%s, %s', certificate_name, order_name)
 
         hook_error = []
         if self.hooks:
             try:
                 self.hooks.post_hook(certificate_name, order_name, csr, error)
-                self.logger.debug('Certificate._enroll_and_store(): post_hook successful')
+                self.logger.debug('Certificate._post_hooks_process(): post_hook successful')
             except Exception as err:
-                self.logger.error('Certificate._enroll_and_store(): post_hook exception: {0}'.format(err))
+                self.logger.error('Certificate._post_hooks_process(): post_hook exception: %s', err)
                 if not self.ignore_post_hook_failure:
                     hook_error = (None, 'post_hook_error', str(err))
 
-        self.logger.debug('Certificate._post_hooks_process({0})'.format(hook_error))
+        self.logger.debug('Certificate._post_hooks_process(%s)', hook_error)
         return hook_error
 
     def _enroll_and_store(self, certificate_name: str, csr: str, order_name: str = None) -> Tuple[str, str, str]:
         """ enroll and store certificate """
-        self.logger.debug('Certificate._enroll_and_store({0}, {1}, {2})'.format(certificate_name, order_name, csr))
+        self.logger.debug('Certificate._enroll_and_store(%s, %s, %s)', certificate_name, order_name, csr)
 
         detail = None
         error = None
@@ -388,29 +401,27 @@ def _enroll_and_store(self, certificate_name: str, csr: str, order_name: str = N
         if hook_error:
             return hook_error
 
-        with self.cahandler(self.debug, self.logger) as ca_handler:
+        # enroll certificate
+        (error, certificate, certificate_raw, poll_identifier) = self._enroll(csr)
 
-            # enroll certificate
-            (error, certificate, certificate_raw, poll_identifier) = self._enroll(csr, ca_handler)
-
-            if certificate:
-                (result, error) = self._store(certificate, certificate_raw, poll_identifier, certificate_name, order_name, csr)
-                if error:
-                    return error
-            else:
-                self.logger.error('acme2certifier enrollment error: {0}'.format(error))
-                (result, error, detail) = self._enrollerror_handler(error, poll_identifier, order_name, certificate_name)
+        if certificate:
+            (result, error) = self._store(certificate, certificate_raw, poll_identifier, certificate_name, order_name, csr)
+            if error:
+                return error
+        else:
+            self.logger.error('acme2certifier enrollment error: %s', error)
+            (result, error, detail) = self._enrollerror_handler(error, poll_identifier, order_name, certificate_name)
 
         hook_error = self._post_hooks_process(certificate_name, order_name, csr, error)
         if hook_error:
             return hook_error
 
-        self.logger.debug('Certificate._enroll_and_store() ended with: {0}:{1}'.format(result, error))
+        self.logger.debug('Certificate._enroll_and_store() ended with: %s:%s', result, error)
         return (result, error, detail)
 
     def _identifier_chk(self, cert_type: str, cert_value: str, identifiers: List[str], san_is_in: bool) -> bool:
         """ check identifier """
-        self.logger.debug('Certificate._identifier_chk({0}/{1})'.format(cert_type, cert_value))
+        self.logger.debug('Certificate._identifier_chk(%s/%s)', cert_type, cert_value)
 
         if cert_type and cert_value:
             for identifier in identifiers:
@@ -419,7 +430,7 @@ def _identifier_chk(self, cert_type: str, cert_value: str, identifiers: List[str
                         san_is_in = True
                         break
 
-        self.logger.debug('Certificate._identifier_chk({0})'.format(san_is_in))
+        self.logger.debug('Certificate._identifier_chk(%s)', san_is_in)
         return san_is_in
 
     def _identifer_status_list(self, identifiers: List[str], san_list: List[str]) -> List[str]:
@@ -432,25 +443,25 @@ def _identifer_status_list(self, identifiers: List[str], san_list: List[str]) ->
             try:
                 (cert_type, cert_value) = san.lower().split(':', 1)
             except Exception as err_:
-                self.logger.error('Error while splitting san {0}: {1}'.format(san, err_))
+                self.logger.error('Error while splitting san %s: %s', san, err_)
                 cert_type = None
                 cert_value = None
 
             # check identifiers
             san_is_in = self._identifier_chk(cert_type, cert_value, identifiers, san_is_in)
 
-            self.logger.debug('SAN check for {0} against identifiers returned {1}'.format(san.lower(), san_is_in))
+            self.logger.debug('SAN check for %s against identifiers returned %s', san.lower(), san_is_in)
             identifier_status.append(san_is_in)
 
         if not identifier_status:
             identifier_status.append(False)
 
-        self.logger.debug('Certificate._identifer_status_list() ended with {0}'.format(identifier_status))
+        self.logger.debug('Certificate._identifer_status_list() ended with %s', identifier_status)
         return identifier_status
 
     def _identifier_tnauth_chk(self, identifier: Dict[str, str], tnauthlist: List[str]) -> bool:
         """ check tnauth identifier against tnauthlist """
-        self.logger.debug('Certificate._identifier_tnauth_chk({0})'.format(identifier))
+        self.logger.debug('Certificate._identifier_tnauth_chk(%s)', identifier)
 
         result = False
         # get the tnauthlist identifier
@@ -459,7 +470,7 @@ def _identifier_tnauth_chk(self, identifier: Dict[str, str], tnauthlist: List[st
             if 'value' in identifier and identifier['value'] in tnauthlist:
                 result = True
 
-        self.logger.debug('Certificate._identifier_tnauth_chk() endedt with {0}'.format(result))
+        self.logger.debug('Certificate._identifier_tnauth_chk() endedt with %s', result)
         return result
 
     def _identifer_tnauth_list(self, identifier_dic: Dict[str, str], tnauthlist: List[str]):
@@ -481,16 +492,16 @@ def _identifer_tnauth_list(self, identifier_dic: Dict[str, str], tnauthlist: Lis
         else:
             identifier_status.append(False)
 
-        self.logger.debug('Certificate._identifer_tnauth_list() ended with {0}'.format(identifier_status))
+        self.logger.debug('Certificate._identifer_tnauth_list() ended with %s', identifier_status)
         return identifier_status
 
     def _info(self, certificate_name: str, flist: List[str] = ('name', 'csr', 'cert', 'order__name')) -> Dict[str, str]:
         """ get certificate from database """
-        self.logger.debug('Certificate._info({0})'.format(certificate_name))
+        self.logger.debug('Certificate._info(%s)', certificate_name)
         try:
             result = self.dbstore.certificate_lookup('name', certificate_name, flist)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Certificate._info(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate._info(): %s', err_)
             result = None
         return result
 
@@ -535,13 +546,13 @@ def _expiredate_get(self, cert: Dict[str, str], timestamp: int, to_be_cleared: b
             # expired based on expire_uts from db
             to_be_cleared = True
 
-        self.logger.debug('Certificate._expiredate_get() ended with: to_be_cleared:  {0}'.format(to_be_cleared))
+        self.logger.debug('Certificate._expiredate_get() ended with: to_be_cleared:  %s', to_be_cleared)
         return to_be_cleared
 
     def _invalidation_check(self, cert: Dict[str, str], timestamp: int, purge: bool = False):
         """ check if cert must be invalidated """
         if 'name' in cert:
-            self.logger.debug('Certificate._invalidation_check({0})'.format(cert['name']))
+            self.logger.debug('Certificate._invalidation_check(%s)', cert['name'])
         else:
             self.logger.debug('Certificate._invalidation_check()')
 
@@ -564,23 +575,23 @@ def _invalidation_check(self, cert: Dict[str, str], timestamp: int, purge: bool
             to_be_cleared = True
 
         if 'name' in cert:
-            self.logger.debug('Certificate._invalidation_check({0}) ended with {1}'.format(cert['name'], to_be_cleared))
+            self.logger.debug('Certificate._invalidation_check(%s) ended with %s', cert['name'], to_be_cleared)
         else:
-            self.logger.debug('Certificate._invalidation_check() ended with {0}'.format(to_be_cleared))
+            self.logger.debug('Certificate._invalidation_check() ended with %s', to_be_cleared)
 
         return (to_be_cleared, cert)
 
     def _order_update(self, data_dic: Dict[str, str]):
         """ update order based on ordername """
-        self.logger.debug('Certificate._order_update({0})'.format(data_dic))
+        self.logger.debug('Certificate._order_update(%s)', data_dic)
         try:
             self.dbstore.order_update(data_dic)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Certificate._order_update(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate._order_update(): %s', err_)
 
     def _revocation_reason_check(self, reason: str) -> str:
         """ check reason """
-        self.logger.debug('Certificate._revocation_reason_check({0})'.format(reason))
+        self.logger.debug('Certificate._revocation_reason_check(%s)', reason)
 
         # taken from https://tools.ietf.org/html/rfc5280#section-5.3.1
         allowed_reasons = {
@@ -597,12 +608,12 @@ def _revocation_reason_check(self, reason: str) -> str:
         }
 
         result = allowed_reasons.get(reason, None)
-        self.logger.debug('Certificate._revocation_reason_check() ended with {0}'.format(result))
+        self.logger.debug('Certificate._revocation_reason_check() ended with %s', result)
         return result
 
     def _revocation_request_validate(self, account_name: str, payload: Dict[str, str]) -> Tuple[int, str]:
         """ check revocaton request for consistency"""
-        self.logger.debug('Certificate._revocation_request_validate({0})'.format(account_name))
+        self.logger.debug('Certificate._revocation_request_validate(%s)', account_name)
 
         # set a value to avoid that we are returning none by accident
         code = 400
@@ -634,34 +645,36 @@ def _revocation_request_validate(self, account_name: str, payload: Dict[str, str
                 else:
                     error = self.err_msg_dic['unauthorized']
 
-        self.logger.debug('Certificate._revocation_request_validate() ended with: {0}, {1}'.format(code, error))
+        self.logger.debug('Certificate._revocation_request_validate() ended with: %s, %s', code, error)
         return (code, error)
 
     def _store_cert(self, certificate_name: str, certificate: str, raw: str, issue_uts: int = 0, expire_uts: int = 0, poll_identifier: str = None) -> int:
         """ get key for a specific account id """
-        self.logger.debug('Certificate._store_cert({0})'.format(certificate_name))
+        self.logger.debug('Certificate._store_cert(%s)', certificate_name)
 
         renewal_info_hex = self._renewal_info_get(certificate)
+        serial = cert_serial_get(self.logger, raw, hexformat=True)
+        aki = cert_aki_get(self.logger, raw)
 
-        data_dic = {'cert': certificate, 'name': certificate_name, 'cert_raw': raw, 'issue_uts': issue_uts, 'expire_uts': expire_uts, 'poll_identifier': poll_identifier, 'renewal_info': renewal_info_hex}
+        data_dic = {'cert': certificate, 'name': certificate_name, 'cert_raw': raw, 'issue_uts': issue_uts, 'expire_uts': expire_uts, 'poll_identifier': poll_identifier, 'renewal_info': renewal_info_hex, 'serial': serial, 'aki': aki}
         try:
             cert_id = self.dbstore.certificate_add(data_dic)
         except Exception as err_:
             cert_id = None
-            self.logger.critical('acme2certifier database error in Certificate._store_cert(): {0}'.format(err_))
-        self.logger.debug('Certificate._store_cert({0}) ended'.format(cert_id))
+            self.logger.critical('acme2certifier database error in Certificate._store_cert(): %s', err_)
+        self.logger.debug('Certificate._store_cert(%s) ended', cert_id)
         return cert_id
 
     def _store_cert_error(self, certificate_name: str, error: str, poll_identifier: str) -> int:
         """ get key for a specific account id """
-        self.logger.debug('Certificate._store_cert_error({0})'.format(certificate_name))
+        self.logger.debug('Certificate._store_cert_error(%s)', certificate_name)
         data_dic = {'error': error, 'name': certificate_name, 'poll_identifier': poll_identifier}
         try:
             cert_id = self.dbstore.certificate_add(data_dic)
         except Exception as err_:
             cert_id = None
-            self.logger.critical('acme2certifier database error in Certificate._store_cert(): {0}'.format(err_))
-        self.logger.debug('Certificate._store_cert_error({0}) ended'.format(cert_id))
+            self.logger.critical('acme2certifier database error in Certificate._store_cert(): %s', err_)
+        self.logger.debug('Certificate._store_cert_error(%s) ended', cert_id)
         return cert_id
 
     def _tnauth_identifier_check(self, identifier_dic: Dict[str, str]) -> int:
@@ -674,22 +687,22 @@ def _tnauth_identifier_check(self, identifier_dic: Dict[str, str]) -> int:
                 if 'type' in identifier:
                     if identifier['type'].lower() == 'tnauthlist':
                         tnauthlist_identifer_in = True
-        self.logger.debug('Certificate._tnauth_identifier_check() ended with: {0}'.format(tnauthlist_identifer_in))
+        self.logger.debug('Certificate._tnauth_identifier_check() ended with: %s', tnauthlist_identifer_in)
         return tnauthlist_identifer_in
 
     def certlist_search(self, key: str, value: str, vlist: List[str] = ('name', 'csr', 'cert', 'order__name')) -> Dict[str, str]:
         """ get certificate from database """
-        self.logger.debug('Certificate.certlist_search({0}: {1})'.format(key, value))
+        self.logger.debug('Certificate.certlist_search(%s: %s)', key, value)
         try:
             result = self.dbstore.certificates_search(key, value, vlist)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Certificate.certlist_search(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate.certlist_search(): %s', err_)
             result = None
         return result
 
     def _cleanup(self, report_list: List[str], timestamp: int, purge: bool):
         """ cleanup  """
-        self.logger.debug('Certificate.cleanup({0},{1})'.format(timestamp, purge))
+        self.logger.debug('Certificate.cleanup(%s,%s)', timestamp, purge)
         if not purge:
             # we are just modifiying data
             for cert in report_list:
@@ -697,26 +710,26 @@ def _cleanup(self, report_list: List[str], timestamp: int, purge: bool):
                     'name': cert['name'],
                     'expire_uts': cert['expire_uts'],
                     'issue_uts': cert['issue_uts'],
-                    'cert': 'removed by certificates.cleanup() on {0} '.format(uts_to_date_utc(timestamp)),
+                    'cert': f'removed by certificates.cleanup() on {uts_to_date_utc(timestamp)}',
                     'cert_raw': cert['cert_raw']
                 }
                 try:
                     self.dbstore.certificate_add(data_dic)
                 except Exception as err_:
-                    self.logger.critical('acme2certifier database error in Certificate.cleanup() add: {0}'.format(err_))
+                    self.logger.critical('acme2certifier database error in Certificate.cleanup() add: %s', err_)
         else:
             # delete entries from certificates table
             for cert in report_list:
                 try:
                     self.dbstore.certificate_delete('id', cert['id'])
                 except Exception as err_:
-                    self.logger.critical('acme2certifier database error in Certificate.cleanup() delete: {0}'.format(err_))
+                    self.logger.critical('acme2certifier database error in Certificate.cleanup() delete: %s', err_)
 
         self.logger.debug('Certificate.cleanup() ended')
 
     def cleanup(self, timestamp: int = None, purge: bool = False) -> Tuple[List[str], List[str]]:
         """ cleanup routine to shrink table-size """
-        self.logger.debug('Certificate.cleanup({0},{1})'.format(timestamp, purge))
+        self.logger.debug('Certificate.cleanup(%s,%s)', timestamp, purge)
 
         field_list = ['id', 'name', 'expire_uts', 'issue_uts', 'cert', 'cert_raw', 'csr', 'created_at', 'order__id', 'order__name']
 
@@ -724,7 +737,7 @@ def cleanup(self, timestamp: int = None, purge: bool = False) -> Tuple[List[str]
         try:
             certificate_list = self.dbstore.certificates_search('expire_uts', timestamp, field_list, '<=')
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Certificate.cleanup() search: {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Certificate.cleanup() search: %s', err_)
             certificate_list = []
 
         report_list = []
@@ -737,7 +750,7 @@ def cleanup(self, timestamp: int = None, purge: bool = False) -> Tuple[List[str]
         # cleanup
         self._cleanup(report_list, timestamp, purge)
 
-        self.logger.debug('Certificate.cleanup() ended with: {0} certs'.format(len(report_list)))
+        self.logger.debug('Certificate.cleanup() ended with: %s certs', len(report_list))
         return (field_list, report_list)
 
     def _dates_update(self, cert: Dict[str, str]):
@@ -759,7 +772,7 @@ def dates_update(self):
 
         with Certificate(self.debug, None, self.logger) as certificate:
             cert_list = certificate.certlist_search('issue_uts', 0, vlist=('id', 'name', 'cert', 'cert_raw', 'issue_uts', 'expire_uts'))
-            self.logger.debug('Got {0} certificates to be updated...'.format(len(cert_list)))
+            self.logger.debug('Got {%s} certificates to be updated...', len(cert_list))
             for cert in cert_list:
                 self._dates_update(cert)
 
@@ -767,7 +780,7 @@ def dates_update(self):
 
     def enroll_and_store(self, certificate_name: str, csr: str, order_name: str = None) -> Tuple[str, str]:
         """ check csr and trigger enrollment """
-        self.logger.debug('Certificate.enroll_and_store({0},{1})'.format(certificate_name, order_name))
+        self.logger.debug('Certificate.enroll_and_store(%s, %s)', certificate_name, order_name)
 
         # check csr against order
         csr_check_result = self._csr_check(certificate_name, csr)
@@ -775,13 +788,15 @@ def enroll_and_store(self, certificate_name: str, csr: str, order_name: str = No
         # only continue if self.csr_check returned True
         if csr_check_result:
             twrv = ThreadWithReturnValue(target=self._enroll_and_store, args=(certificate_name, csr, order_name))
+            twrv.daemon = True
             twrv.start()
             enroll_result = twrv.join(timeout=self.enrollment_timeout)
+            self.logger.debug('Certificate.enroll_and_store() ThreadWithReturnValue ended')
             if enroll_result:
                 try:
                     (result, error, detail) = enroll_result
                 except Exception as err_:
-                    self.logger.error('acme2certifier database error in Certificate.enroll_and_store(): split of {0} failed with err: {1}'.format(enroll_result, err_))
+                    self.logger.error('acme2certifier database error in Certificate.enroll_and_store(): split of %s failed with err: %s', enroll_result, err_)
                     result = None
                     error = self.err_msg_dic['serverinternal']
                     detail = 'unexpected enrollment result'
@@ -794,13 +809,14 @@ def enroll_and_store(self, certificate_name: str, csr: str, order_name: str = No
             error = self.err_msg_dic['badcsr']
             detail = 'CSR validation failed'
 
-        self.logger.debug('Certificate.enroll_and_store() ended with: {0}:{1}'.format(result, error))
+        self.logger.debug('Certificate.enroll_and_store() ended with: %s:%s', result, error)
         return (error, detail)
 
     def new_get(self, url: str) -> Dict[str, str]:
         """ get request """
-        certificate_name = string_sanitize(self.logger, url.replace('{0}{1}'.format(self.server_name, self.path_dic['cert_path']), ''))
-        self.logger.debug('Certificate.new_get({0})'.format(certificate_name))
+        certificate_name = string_sanitize(self.logger, url.replace(f'{self.server_name}{self.path_dic["cert_path"]}', ''))
+        self.logger.debug('Certificate.new_get(%s)', certificate_name)
+
         # fetch certificate dictionary from DB
         certificate_dic = self._info(certificate_name, ['name', 'csr', 'cert', 'order__name', 'order__status_id'])
         response_dic = {}
@@ -818,7 +834,7 @@ def new_get(self, url: str) -> Dict[str, str]:
                     response_dic['data'] = self.err_msg_dic['serverinternal']
             elif certificate_dic['order__status_id'] == 4:
                 # order status is processing - ratelimiting
-                response_dic['header'] = {'Retry-After': '{0}'.format(self.retry_after)}
+                response_dic['header'] = {'Retry-After': f'{self.retry_after}'}
                 response_dic['code'] = 403
                 response_dic['data'] = self.err_msg_dic['ratelimited']
             else:
@@ -828,13 +844,12 @@ def new_get(self, url: str) -> Dict[str, str]:
             response_dic['code'] = 500
             response_dic['data'] = self.err_msg_dic['serverinternal']
 
-        self.logger.debug('Certificate.new_get({0}) ended'.format(response_dic['code']))
-
+        self.logger.debug('Certificate.new_get(%s) ended', response_dic['code'])
         return response_dic
 
     def new_post(self, content: str) -> Dict[str, str]:
         """ post request """
-        self.logger.debug('Certificate.new_post({0})')
+        self.logger.debug('Certificate.new_post()')
 
         response_dic = {}
         # check message
@@ -867,7 +882,7 @@ def new_post(self, content: str) -> Dict[str, str]:
         else:
             result = 'no code found'
 
-        self.logger.debug('Certificate.new_post() ended with: {0}'.format(result))
+        self.logger.debug('Certificate.new_post() ended with: %s', result)
         return response_dic
 
     def revoke(self, content: str) -> Dict[str, str]:
@@ -901,12 +916,12 @@ def revoke(self, content: str) -> Dict[str, str]:
         status_dic = {'code': code, 'type': message, 'detail': detail}
         response_dic = self.message.prepare_response(response_dic, status_dic)
 
-        self.logger.debug('Certificate.revoke() ended with: {0}'.format(response_dic))
+        self.logger.debug('Certificate.revoke() ended with: %s', response_dic)
         return response_dic
 
     def poll(self, certificate_name: str, poll_identifier: str, csr: str, order_name: str) -> int:
         """ try to fetch a certificate from CA and store it into database """
-        self.logger.debug('Certificate.poll({0}: {1})'.format(certificate_name, poll_identifier))
+        self.logger.debug('Certificate.poll(%s: %s)', certificate_name, poll_identifier)
 
         with self.cahandler(self.debug, self.logger) as ca_handler:
             (error, certificate, certificate_raw, poll_identifier, rejected) = ca_handler.poll(certificate_name, poll_identifier, csr)
@@ -919,7 +934,7 @@ def poll(self, certificate_name: str, poll_identifier: str, csr: str, order_name
                 try:
                     self.dbstore.order_update({'name': order_name, 'status': 'valid'})
                 except Exception as err_:
-                    self.logger.critical('acme2certifier database error in Certificate.poll(): {0}'.format(err_))
+                    self.logger.critical('acme2certifier database error in Certificate.poll(): %s', err_)
             else:
                 # store error message for later analysis
                 self._store_cert_error(certificate_name, error, poll_identifier)
@@ -928,18 +943,19 @@ def poll(self, certificate_name: str, poll_identifier: str, csr: str, order_name
                     try:
                         self.dbstore.order_update({'name': order_name, 'status': 'invalid'})
                     except Exception as err_:
-                        self.logger.critical('acme2certifier database error in Certificate.poll(): {0}'.format(err_))
-        self.logger.debug('Certificate.poll({0}: {1})'.format(certificate_name, poll_identifier))
+                        self.logger.critical('acme2certifier database error in Certificate.poll(): %s', err_)
+        self.logger.debug('Certificate.poll(%s: %s)', certificate_name, poll_identifier)
         return _result
 
     def store_csr(self, order_name: str, csr: str, header_info: str) -> str:
         """ store csr into database """
-        self.logger.debug('Certificate.store_csr({0})'.format(order_name))
+        self.logger.debug('Certificate.store_csr(%s)', order_name)
+
         certificate_name = generate_random_string(self.logger, 12)
         data_dic = {'order': order_name, 'csr': csr, 'name': certificate_name, 'header_info': header_info}
         try:
             self.dbstore.certificate_add(data_dic)
         except Exception as err_:
-            self.logger.critical('Database error in Certificate.store_csr(): {0}'.format(err_))
+            self.logger.critical('Database error in Certificate.store_csr(): %s', err_)
         self.logger.debug('Certificate.store_csr() ended')
         return certificate_name
diff --git a/acme_srv/challenge.py b/acme_srv/challenge.py
index a3ca2143..29327c13 100644
--- a/acme_srv/challenge.py
+++ b/acme_srv/challenge.py
@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 """ Challenge class """
-# pylint: disable=C0209, r0913
+# pylint: disable=r0913
 from __future__ import print_function
 import json
+import time
 from typing import List, Tuple, Dict
 from acme_srv.helper import generate_random_string, parse_url, load_config, jwk_thumbprint_get, url_get, sha256_hash, sha256_hash_hex, b64_encode, b64_url_encode, txt_get, fqdn_resolve, uts_now, uts_to_date_utc, servercert_get, cert_san_get, cert_extensions_get, fqdn_in_san_check, proxy_check, error_dic_get, ip_validate
 from acme_srv.db_handler import DBstore
@@ -23,6 +24,7 @@ def __init__(self, debug: bool = False, srv_name: str = None, logger: object = N
         self.expiry = expiry
         self.challenge_validation_disable = False
         self.challenge_validation_timeout = 10
+        self.dns_validation_pause_timer = 0.5
         self.tnauthlist_support = False
         self.sectigo_sim = False
         self.dns_server_list = None
@@ -43,7 +45,7 @@ def _challengelist_search(self, key: str, value: str, vlist: List = ('name', 'ty
         try:
             challenge_list = self.dbstore.challenges_search(key, value, vlist)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Challenge._challengelist_search(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Challenge._challengelist_search(): %s', err_)
             challenge_list = []
 
         challenge_dic = {}
@@ -54,7 +56,7 @@ def _challengelist_search(self, key: str, value: str, vlist: List = ('name', 'ty
             challenge_dic[challenge['type']]['token'] = challenge['token']
             challenge_dic[challenge['type']]['type'] = challenge['type']
             challenge_dic[challenge['type']]['url'] = challenge['name']
-            challenge_dic[challenge['type']]['url'] = '{0}{1}{2}'.format(self.server_name, self.path_dic['chall_path'], challenge['name'])
+            challenge_dic[challenge['type']]['url'] = f"{self.server_name}{self.path_dic['chall_path']}{challenge['name']}"
             challenge_dic[challenge['type']]['name'] = challenge['name']
             if 'status__name' in challenge:
                 challenge_dic[challenge['type']]['status'] = challenge['status__name']
@@ -63,49 +65,64 @@ def _challengelist_search(self, key: str, value: str, vlist: List = ('name', 'ty
         for challenge, challenge_items in challenge_dic.items():
             challenge_list.append(challenge_items)
 
-        self.logger.debug('Challenge._challengelist_search() ended with: {0}'.format(challenge_list))
+        self.logger.debug('Challenge._challengelist_search() ended with: %s', challenge_list)
         return challenge_list
 
+    def _challenge_validate_loop(self, challenge_name: str, challenge_dic: Dict[str, str], payload: Dict[str, str], jwk_thumbprint: str) -> Tuple[bool, bool]:
+        """ inner loop function to validate challenges """
+        self.logger.debug('Challenge._challenge_validate_loop(%s)', challenge_name)
+
+        if challenge_dic['type'] == 'http-01' and jwk_thumbprint:
+            (result, invalid) = self._validate_http_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint)
+        elif challenge_dic['type'] == 'dns-01' and jwk_thumbprint:
+            (result, invalid) = self._validate_dns_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint)
+        elif challenge_dic['type'] == 'tls-alpn-01' and jwk_thumbprint:
+            (result, invalid) = self._validate_alpn_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint)
+        elif challenge_dic['type'] == 'tkauth-01' and jwk_thumbprint and self.tnauthlist_support:
+            (result, invalid) = self._validate_tkauth_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint, payload)
+        else:
+            self.logger.error('unknown challenge type "%s". Setting check result to False', challenge_dic['type'])
+            result = False
+            invalid = True
+
+        self.logger.debug('Challenge._challenge_validate_loop() ended with: %s/%s', result, invalid)
+        return (result, invalid)
+
     def _challenge_validate(self, pub_key: Dict[str, str], challenge_name: str, challenge_dic: Dict[str, str], payload: Dict[str, str]) -> Tuple[bool, bool]:
         """ challenge validate """
-        self.logger.debug('Challenge._challenge_validate({0})'.format(challenge_name))
+        self.logger.debug('Challenge._challenge_validate(%s)', challenge_name)
 
         jwk_thumbprint = jwk_thumbprint_get(self.logger, pub_key)
+
         for _ele in range(0, 5):
-            if challenge_dic['type'] == 'http-01' and jwk_thumbprint:
-                (result, invalid) = self._validate_http_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint)
-            elif challenge_dic['type'] == 'dns-01' and jwk_thumbprint:
-                (result, invalid) = self._validate_dns_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint)
-            elif challenge_dic['type'] == 'tls-alpn-01' and jwk_thumbprint:
-                (result, invalid) = self._validate_alpn_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint)
-            elif challenge_dic['type'] == 'tkauth-01' and jwk_thumbprint and self.tnauthlist_support:
-                (result, invalid) = self._validate_tkauth_challenge(challenge_name, challenge_dic['authorization__type'], challenge_dic['authorization__value'], challenge_dic['token'], jwk_thumbprint, payload)
-            else:
-                self.logger.error('unknown challenge type "{0}". Setting check result to False'.format(challenge_dic['type']))
-                result = False
-                invalid = True
+
+            result, invalid = self._challenge_validate_loop(challenge_name, challenge_dic, payload, jwk_thumbprint)
+            # pylint: disable=r1723
             if result or invalid:
                 # break loop if we got any good or bad response
                 break
+            elif challenge_dic['type'] == 'dns-01' and jwk_thumbprint:
+                # sleep for a while before we try again
+                time.sleep(self.dns_validation_pause_timer)
 
-        self.logger.debug('Challenge._challenge_validate() ended with: {0}/{1}'.format(result, invalid))
+        self.logger.debug('Challenge._challenge_validate() ended with: %s/%s', result, invalid)
         return (result, invalid)
 
     def _check(self, challenge_name: str, payload: Dict[str, str]) -> Tuple[bool, bool]:
         """ challenge check """
-        self.logger.debug('Challenge._check({0})'.format(challenge_name))
+        self.logger.debug('Challenge._check(%s)', challenge_name)
 
         try:
             challenge_dic = self.dbstore.challenge_lookup('name', challenge_name, ['type', 'status__name', 'token', 'authorization__name', 'authorization__type', 'authorization__value', 'authorization__token', 'authorization__order__account__name'])
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Challenge._check() lookup: {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Challenge._check() lookup: %s', err_)
             challenge_dic = {}
 
         if 'type' in challenge_dic and 'authorization__value' in challenge_dic and 'token' in challenge_dic and 'authorization__order__account__name' in challenge_dic:
             try:
                 pub_key = self.dbstore.jwk_load(challenge_dic['authorization__order__account__name'])
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Challenge._check() jwk: {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Challenge._check() jwk: %s', err_)
                 pub_key = None
 
             if pub_key:
@@ -117,7 +134,7 @@ def _check(self, challenge_name: str, payload: Dict[str, str]) -> Tuple[bool, bo
             result = False
             invalid = False
 
-        self.logger.debug('challenge._check() ended with: {0}/{1}'.format(result, invalid))
+        self.logger.debug('challenge._check() ended with: %s/%s', result, invalid)
         return (result, invalid)
 
     def _existing_challenge_validate(self, challenge_list: List[str]) -> Dict[str, str]:
@@ -134,11 +151,11 @@ def _existing_challenge_validate(self, challenge_list: List[str]) -> Dict[str, s
 
     def _info(self, challenge_name):
         """ get challenge details """
-        self.logger.debug('Challenge._info({0})'.format(challenge_name))
+        self.logger.debug('Challenge._info(%s)', challenge_name)
         try:
             challenge_dic = self.dbstore.challenge_lookup('name', challenge_name, vlist=('type', 'token', 'status__name', 'validated'))
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Challenge._info(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Challenge._info(): %s', err_)
             challenge_dic = {}
 
         if 'status' in challenge_dic and challenge_dic['status'] == 'valid':
@@ -152,7 +169,7 @@ def _info(self, challenge_name):
             if 'validated' in challenge_dic:
                 challenge_dic.pop('validated')
 
-        self.logger.debug('Challenge._info({0}) ended'.format(challenge_name))
+        self.logger.debug('Challenge._info(%s) ended', challenge_name)
         return challenge_dic
 
     def _config_proxy_load(self, config_dic: Dict[str, str]):
@@ -163,10 +180,28 @@ def _config_proxy_load(self, config_dic: Dict[str, str]):
             try:
                 self.proxy_server_list = json.loads(config_dic['DEFAULT']['proxy_server_list'])
             except Exception as err_:
-                self.logger.warning('Challenge._config_load() proxy_server_list failed with error: {0}'.format(err_))
+                self.logger.warning('Challenge._config_load() proxy_server_list failed with error: %s', err_)
 
         self.logger.debug('Challenge._config_proxy_load() ended')
 
+    def _config_dns_load(self, config_dic: Dict[str, str]):
+        """ load dns config """
+        self.logger.debug('Challenge._config_dns_load()')
+
+        if 'Challenge' in config_dic and 'dns_server_list' in config_dic['Challenge']:
+            try:
+                self.dns_server_list = json.loads(config_dic['Challenge']['dns_server_list'])
+            except Exception as err_:
+                self.logger.warning('Challenge._config_load() dns_server_list failed with error: %s', err_)
+
+            if 'dns_validation_pause_timer' in config_dic['Challenge']:
+                try:
+                    self.dns_validation_pause_timer = int(config_dic['Challenge']['dns_validation_pause_timer'])
+                except Exception as err_:
+                    self.logger.warning('Challenge._config_load() failed to load dns_validation_pause_timer: %s', err_)
+
+        self.logger.debug('Challenge._config_dns_load() ended')
+
     def _config_challenge_load(self, config_dic: Dict[str, str]):
         """ load proxy config """
         self.logger.debug('Challenge._config_challenge_load()')
@@ -174,16 +209,12 @@ def _config_challenge_load(self, config_dic: Dict[str, str]):
         if 'Challenge' in config_dic:
             self.challenge_validation_disable = config_dic.getboolean('Challenge', 'challenge_validation_disable', fallback=False)
             self.sectigo_sim = config_dic.getboolean('Challenge', 'sectigo_sim', fallback=False)
-            if 'dns_server_list' in config_dic['Challenge']:
-                try:
-                    self.dns_server_list = json.loads(config_dic['Challenge']['dns_server_list'])
-                except Exception as err_:
-                    self.logger.warning('Challenge._config_load() dns_server_list failed with error: {0}'.format(err_))
+
             if 'challenge_validation_timeout' in config_dic['Challenge']:
                 try:
                     self.challenge_validation_timeout = int(config_dic['Challenge']['challenge_validation_timeout'])
                 except Exception as err_:
-                    self.logger.warning('Challenge._config_load() failed to load challenge_validation_timeout: {0}'.format(err_))
+                    self.logger.warning('Challenge._config_load() failed to load challenge_validation_timeout: %s', err_)
 
         self.logger.debug('Challenge._config_challenge_load() ended')
 
@@ -194,6 +225,7 @@ def _config_load(self):
 
         # load challenge parameters
         self._config_challenge_load(config_dic)
+        self._config_dns_load(config_dic)
 
         if 'Order' in config_dic:
             self.tnauthlist_support = config_dic.getboolean('Order', 'tnauthlist_support', fallback=False)
@@ -208,7 +240,7 @@ def _config_load(self):
 
     def _extensions_validate(self, cert: str, extension_value: str, fqdn: str) -> bool:
         """ validate extension """
-        self.logger.debug('Challenge._extensions_validate({0}/{1})'.format(extension_value, fqdn))
+        self.logger.debug('Challenge._extensions_validate(%s/%s)', extension_value, fqdn)
         result = False
         san_list = cert_san_get(self.logger, cert, recode=False)
         fqdn_in_san = fqdn_in_san_check(self.logger, san_list, fqdn)
@@ -222,21 +254,24 @@ def _extensions_validate(self, cert: str, extension_value: str, fqdn: str) -> bo
         else:
             self.logger.debug('fqdn check against san failed')
 
-        self.logger.debug('Challenge._extensions_validate() ended with: {0}'.format(result))
+        self.logger.debug('Challenge._extensions_validate() ended with: %s', result)
         return result
 
     def _name_get(self, url: str) -> str:
         """ get challenge """
-        self.logger.debug('Challenge.get_name({0})'.format(url))
+        self.logger.debug('Challenge.get_name()')
+
         url_dic = parse_url(self.logger, url)
         challenge_name = url_dic['path'].replace(self.path_dic['chall_path'], '')
         if '/' in challenge_name:
             (challenge_name, _sinin) = challenge_name.split('/', 1)
+
+        self.logger.debug('Challenge.get_name() ended with: %s', challenge_name)
         return challenge_name
 
     def _new(self, authz_name: str, mtype: str, token: str = None, value: str = None) -> Dict[str, str]:
         """ new challenge """
-        self.logger.debug('Challenge._new({0}:{2}:{1})'.format(authz_name, mtype, value))
+        self.logger.debug('Challenge._new(%s:%s:%s)', authz_name, mtype, value)
 
         challenge_name = generate_random_string(self.logger, 12)
 
@@ -255,13 +290,13 @@ def _new(self, authz_name: str, mtype: str, token: str = None, value: str = None
         try:
             chid = self.dbstore.challenge_add(value, mtype, data_dic)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Challenge._new(): {0}, {2}:{1}'.format(err_, mtype, value))
+            self.logger.critical('acme2certifier database error in Challenge._new(): %s, %s:%s', err_, value, mtype)
             chid = None
 
         challenge_dic = {}
         if chid:
             challenge_dic['type'] = mtype
-            challenge_dic['url'] = '{0}{1}{2}'.format(self.server_name, self.path_dic['chall_path'], challenge_name)
+            challenge_dic['url'] = f'{self.server_name}{self.path_dic["chall_path"]}{challenge_name}'
             challenge_dic['token'] = token
             challenge_dic['status'] = 'pending'
             if mtype == 'tkauth-01':
@@ -275,7 +310,7 @@ def _new(self, authz_name: str, mtype: str, token: str = None, value: str = None
     def _parse(self, code: int, payload: Dict[str, str], protected: Dict[str, str], challenge_name: str, challenge_dic: Dict[str, str]) -> Tuple[int, str, str, Dict[str, str]]:
         # pylint: disable=R0913
         """ challenge parse """
-        self.logger.debug('Challenge._parse({0})'.format(challenge_name))
+        self.logger.debug('Challenge._parse(%s)', challenge_name)
 
         response_dic = {}
         message = None
@@ -307,28 +342,29 @@ def _parse(self, code: int, payload: Dict[str, str], protected: Dict[str, str],
             challenge_dic['url'] = protected['url']
             response_dic['data'] = challenge_dic
             response_dic['header'] = {}
-            response_dic['header']['Link'] = '<{0}{1}>;rel="up"'.format(self.server_name, self.path_dic['authz_path'])
+            response_dic['header']['Link'] = f'<{self.server_name}{self.path_dic["authz_path"]}>;rel="up"'
 
-        self.logger.debug('Challenge._parse() ended with: {0}'.format(code))
+        self.logger.debug('Challenge._parse() ended with: %s', code)
         return (code, message, detail, response_dic)
 
     def _update(self, data_dic: Dict[str, str]):
         """ update challenge """
-        self.logger.debug('Challenge._update({0})'.format(data_dic))
+        self.logger.debug('Challenge._update(%s)', data_dic)
+
         try:
             self.dbstore.challenge_update(data_dic)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Challenge._update(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Challenge._update(): %s', err_)
         self.logger.debug('Challenge._update() ended')
 
     def _update_authz(self, challenge_name: str, data_dic: Dict[str, str]):
         """ update authorizsation based on challenge_name """
-        self.logger.debug('Challenge._update_authz({0})'.format(challenge_name))
+        self.logger.debug('Challenge._update_authz(%s)', challenge_name)
         try:
             # lookup autorization based on challenge_name
             authz_name = self.dbstore.challenge_lookup('name', challenge_name, ['authorization__name'])['authorization']
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Challenge._update_authz() lookup: {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Challenge._update_authz() lookup: %s', err_)
             authz_name = None
 
         if authz_name:
@@ -337,13 +373,14 @@ def _update_authz(self, challenge_name: str, data_dic: Dict[str, str]):
             # update authorization
             self.dbstore.authorization_update(data_dic)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Challenge._update_authz() upd: {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Challenge._update_authz() upd: %s', err_)
 
         self.logger.debug('Challenge._update_authz() ended')
 
     def _validate(self, challenge_name: str, payload: Dict[str, str]) -> bool:
         """ validate challenge"""
-        self.logger.debug('Challenge._validate({0}: {1})'.format(challenge_name, payload))
+        self.logger.debug('Challenge._validate(%s: %s)', challenge_name, payload)
+
         # change state to processing
         self._update({'name': challenge_name, 'status': 'processing'})
         if self.challenge_validation_disable:
@@ -367,17 +404,17 @@ def _validate(self, challenge_name: str, payload: Dict[str, str]) -> bool:
             data_dic = {'name': challenge_name, 'keyauthorization': payload['keyAuthorization']}
             self._update(data_dic)
 
-        self.logger.debug('Challenge._validate() ended with:{0}'.format(challenge_check))
+        self.logger.debug('Challenge._validate() ended with:%s', challenge_check)
         return challenge_check
 
     def _validate_alpn_challenge(self, challenge_name: str, id_type: str, id_value: str, token: str, jwk_thumbprint: str) -> Tuple[bool, bool]:
         """ validate dns challenge """
-        self.logger.debug('Challenge._validate_alpn_challenge({0}:{1}:{2})'.format(challenge_name, id_value, token))
+        self.logger.debug('Challenge._validate_alpn_challenge(%s:%s:%s)', challenge_name, id_value, token)
 
         if id_type == 'dns':
             # resolve name
             (response, invalid) = fqdn_resolve(id_value, self.dns_server_list)
-            self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format(response, invalid))
+            self.logger.debug('fqdn_resolve() ended with: %s/%s', response, invalid)
             sni = id_value
         elif id_type == 'ip':
             (sni, invalid) = ip_validate(self.logger, id_value)
@@ -387,9 +424,9 @@ def _validate_alpn_challenge(self, challenge_name: str, id_type: str, id_value:
 
         # we are expecting a certifiate extension which is the sha256 hexdigest of token in a byte structure
         # which is base64 encoded '0420' has been taken from acme_srv.sh sources
-        sha256_digest = sha256_hash_hex(self.logger, '{0}.{1}'.format(token, jwk_thumbprint))
-        extension_value = b64_encode(self.logger, bytearray.fromhex('0420{0}'.format(sha256_digest)))
-        self.logger.debug('computed value: {0}'.format(extension_value))
+        sha256_digest = sha256_hash_hex(self.logger, f'{token}.{jwk_thumbprint}')
+        extension_value = b64_encode(self.logger, bytearray.fromhex(f'0420{sha256_digest}'))
+        self.logger.debug('computed value: %s', extension_value)
 
         if not invalid:
             # check if we need to set a proxy
@@ -406,26 +443,27 @@ def _validate_alpn_challenge(self, challenge_name: str, id_type: str, id_value:
         else:
             result = False
 
-        self.logger.debug('Challenge._validate_alpn_challenge() ended with: {0}/{1}'.format(result, invalid))
+        self.logger.debug('Challenge._validate_alpn_challenge() ended with: %s/%s', result, invalid)
         return (result, invalid)
 
     def _validate_dns_challenge(self, challenge_name: str, _type: str, fqdn: str, token: str, jwk_thumbprint: str) -> Tuple[bool, bool]:
         """ validate dns challenge """
-        self.logger.debug('Challenge._validate_dns_challenge({0}:{1}:{2})'.format(challenge_name, fqdn, token))
+        self.logger.debug('Challenge._validate_dns_challenge(%s:%s:%s)', challenge_name, fqdn, token)
 
         # handle wildcard domain
         fqdn = self._wcd_manipulate(fqdn)
 
         # rewrite fqdn to resolve txt record
-        fqdn = '_acme-challenge.{0}'.format(fqdn)
+        fqdn = f'_acme-challenge.{fqdn}'
 
         # compute sha256 hash
-        _hash = b64_url_encode(self.logger, sha256_hash(self.logger, '{0}.{1}'.format(token, jwk_thumbprint)))
+        _hash = b64_url_encode(self.logger, sha256_hash(self.logger, f'{token}.{jwk_thumbprint}'))
+
         # query dns
         txt_list = txt_get(self.logger, fqdn, self.dns_server_list)
 
         # compare computed hash with result from DNS query
-        self.logger.debug('response_got: {0} response_expected: {1}'.format(txt_list, _hash))
+        self.logger.debug('response_got: %s response_expected: %s', txt_list, _hash)
         if _hash in txt_list:
             self.logger.debug('validation successful')
             result = True
@@ -433,17 +471,17 @@ def _validate_dns_challenge(self, challenge_name: str, _type: str, fqdn: str, to
             self.logger.debug('validation not successful')
             result = False
 
-        self.logger.debug('Challenge._validate_dns_challenge() ended with: {0}'.format(result))
+        self.logger.debug('Challenge._validate_dns_challenge() ended with: %s', result)
         return (result, False)
 
     def _validate_http_challenge(self, challenge_name: str, id_type: str, id_value: str, token: str, jwk_thumbprint: str) -> Tuple[bool, bool]:
         """ validate http challenge """
-        self.logger.debug('Challenge._validate_http_challenge({0}:{1}:{2})'.format(challenge_name, id_value, token))
+        self.logger.debug('Challenge._validate_http_challenge(%s:%s:%s)', challenge_name, id_value, token)
 
         if id_type == 'dns':
             # resolve name
             (response, invalid) = fqdn_resolve(id_value, self.dns_server_list)
-            self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format(response, invalid))
+            self.logger.debug('fqdn_resolve() ended with: %s/%s', response, invalid)
         elif id_type == 'ip':
             invalid = False
             (_sni, invalid) = ip_validate(self.logger, id_value)
@@ -456,11 +494,11 @@ def _validate_http_challenge(self, challenge_name: str, id_type: str, id_value:
                 proxy_server = proxy_check(self.logger, id_value, self.proxy_server_list)
             else:
                 proxy_server = None
-            req = url_get(self.logger, 'http://{0}/.well-known/acme-challenge/{1}'.format(id_value, token), dns_server_list=self.dns_server_list, proxy_server=proxy_server, verify=False, timeout=self.challenge_validation_timeout)
+            req = url_get(self.logger, f'http://{id_value}/.well-known/acme-challenge/{token}', dns_server_list=self.dns_server_list, proxy_server=proxy_server, verify=False, timeout=self.challenge_validation_timeout)
             if req:
                 response_got = req.splitlines()[0]
-                response_expected = '{0}.{1}'.format(token, jwk_thumbprint)
-                self.logger.debug('response_got: {0} response_expected: {1}'.format(response_got, response_expected))
+                response_expected = f'{token}.{jwk_thumbprint}'
+                self.logger.debug('response_got: %s response_expected: %s', response_got, response_expected)
                 if response_got == response_expected:
                     self.logger.debug('validation successful')
                     result = True
@@ -473,21 +511,21 @@ def _validate_http_challenge(self, challenge_name: str, id_type: str, id_value:
         else:
             result = False
 
-        self.logger.debug('Challenge._validate_http_challenge() ended with: {0}/{1}'.format(result, invalid))
+        self.logger.debug('Challenge._validate_http_challenge() ended with: %s/%s', result, invalid)
         return (result, invalid)
 
     def _validate_tkauth_challenge(self, challenge_name: str, _type: str, tnauthlist: str, _token: str, _jwk_thumbprint: str, payload: Dict[str, str]) -> Tuple[bool, bool]:
         """ validate tkauth challenge """
-        self.logger.debug('Challenge._validate_tkauth_challenge({0}:{1}:{2})'.format(challenge_name, tnauthlist, payload))
+        self.logger.debug('Challenge._validate_tkauth_challenge(%s:%s:%s)', challenge_name, tnauthlist, payload)
 
         result = True
         invalid = False
-        self.logger.debug('Challenge._validate_tkauth_challenge() ended with: {0}/{1}'.format(result, invalid))
+        self.logger.debug('Challenge._validate_tkauth_challenge() ended with: %s/%s', result, invalid)
         return (result, invalid)
 
     def _validate_tnauthlist_payload(self, payload: Dict[str, str], challenge_dic: Dict[str, str]) -> Tuple[int, str, str]:
         """ check payload in cae tnauthlist option has been set """
-        self.logger.debug('Challenge._validate_tnauthlist_payload({0})'.format(payload))
+        self.logger.debug('Challenge._validate_tnauthlist_payload(%s)', payload)
 
         code = 400
         message = None
@@ -513,22 +551,24 @@ def _validate_tnauthlist_payload(self, payload: Dict[str, str], challenge_dic: D
                 code = 200
         else:
             message = self.err_msg_dic['malformed']
-            detail = 'invalid challenge: {0}'.format(challenge_dic)
+            detail = f'invalid challenge: {challenge_dic}'
 
-        self.logger.debug('Challenge._validate_tnauthlist_payload() ended with:{0}'.format(code))
+        self.logger.debug('Challenge._validate_tnauthlist_payload() ended with:%s', code)
         return (code, message, detail)
 
     def _wcd_manipulate(self, fqdn: str) -> str:
         """ wildcard domain handling """
-        self.logger.debug('Challenge._wc_manipulate() for fqdn: {0}'.format(fqdn))
+        self.logger.debug('Challenge._wc_manipulate() for fqdn: %s', fqdn)
+
         if fqdn.startswith('*.'):
             fqdn = fqdn[2:]
-        self.logger.debug('Challenge._wc_manipulate() ended with: {0}'.format(fqdn))
+        self.logger.debug('Challenge._wc_manipulate() ended with: %s', fqdn)
         return fqdn
 
     def challengeset_get(self, authz_name: str, _auth_status: str, token: str, tnauth: bool, id_type: str = 'dns', id_value: str = None) -> List[str]:
         """ get the challengeset for an authorization """
-        self.logger.debug('Challenge.challengeset_get() for auth: {0}:{1}'.format(authz_name, id_value))
+        self.logger.debug('Challenge.challengeset_get() for auth: %s:%s', authz_name, id_value)
+
         # check database if there are exsting challenges for a particular authorization
         challenge_list = self._challengelist_search('authorization__name', authz_name)
 
@@ -552,7 +592,8 @@ def challengeset_get(self, authz_name: str, _auth_status: str, token: str, tnaut
     def get(self, url: str) -> Dict[str, str]:
         """ get challenge details based on get request """
         challenge_name = self._name_get(url)
-        self.logger.debug('Challenge.get({0})'.format(challenge_name))
+        self.logger.debug('Challenge.get(%s)', challenge_name)
+
         response_dic = {}
         response_dic['code'] = 200
         response_dic['data'] = self._info(challenge_name)
@@ -560,7 +601,8 @@ def get(self, url: str) -> Dict[str, str]:
 
     def new_set(self, authz_name: str, token: str, tnauth: bool = False, id_type: str = 'dns', value: str = None) -> List[str]:
         """ net challenge set """
-        self.logger.debug('Challenge.new_set({0}, {1})'.format(authz_name, value))
+        self.logger.debug('Challenge.new_set(%s, %s)', authz_name, value)
+
         challenge_list = []
 
         if tnauth:
@@ -579,9 +621,9 @@ def new_set(self, authz_name: str, token: str, tnauth: bool = False, id_type: st
                 if challenge_json:
                     challenge_list.append(challenge_json)
                 else:
-                    self.logger.error('ERROR: Empty challenge returned for {0}'.format(challenge_type))
+                    self.logger.error('ERROR: Empty challenge returned for %s', challenge_type)
 
-        self.logger.debug('Challenge._new_set returned ({0})'.format(challenge_list))
+        self.logger.debug('Challenge._new_set returned (%s)', challenge_list)
         return challenge_list
 
     def parse(self, content: str) -> Dict[str, str]:
@@ -604,7 +646,7 @@ def parse(self, content: str) -> Dict[str, str]:
                     else:
                         code = 400
                         message = self.err_msg_dic['malformed']
-                        detail = 'invalid challenge: {0}'.format(challenge_name)
+                        detail = f'invalid challenge: {challenge_name}'
                 else:
                     code = 400
                     message = self.err_msg_dic['malformed']
@@ -617,5 +659,5 @@ def parse(self, content: str) -> Dict[str, str]:
         # prepare/enrich response
         status_dic = {'code': code, 'type': message, 'detail': detail}
         response_dic = self.message.prepare_response(response_dic, status_dic)
-        self.logger.debug('challenge.parse() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('challenge.parse() returns: %s', json.dumps(response_dic))
         return response_dic
diff --git a/acme_srv/directory.py b/acme_srv/directory.py
index 39dd9aa6..bdf6b097 100644
--- a/acme_srv/directory.py
+++ b/acme_srv/directory.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 """ Directory class """
-# pylint: disable=c0209, e0401, r0913
+# pylint: disable=e0401, r0913
 from __future__ import print_function
 import uuid
 from typing import Dict
@@ -9,6 +9,9 @@
 from .db_handler import DBstore
 
 
+GH_HOME = 'https://github.com/grindsa/acme2certifier'
+
+
 class Directory(object):
     """ class for directory handling """
 
@@ -17,6 +20,8 @@ def __init__(self, debug=None, srv_name=None, logger=None):
         self.logger = logger
         self.dbstore = DBstore(debug, self.logger)
         self.supress_version = False
+        self.suppress_product_information = False
+        self.home = GH_HOME
         self.tos_url = None
         self.version = __version__
         self.dbversion = __dbversion__
@@ -48,6 +53,13 @@ def _config_load(self):
         if 'Directory' in config_dic and 'url_prefix' in config_dic['Directory']:
             self.url_prefix = config_dic['Directory']['url_prefix']
 
+        self.home = config_dic.get('Directory', 'home', fallback=GH_HOME)
+
+        try:
+            self.suppress_product_information = config_dic.getboolean('Directory', 'suppress_product_information', fallback=False)
+        except Exception as err_:
+            self.logger.error('Directory._config_load() suppress_product_information not set: %s', err_)
+
         self.logger.debug('Directory._config_load() ended')
 
     def directory_get(self) -> Dict[str, str]:
@@ -62,16 +74,21 @@ def directory_get(self) -> Dict[str, str]:
             'revokeCert': self.server_name + self.url_prefix + '/acme/revokecert',
             'keyChange': self.server_name + self.url_prefix + '/acme/key-change',
             'renewalInfo': self.server_name + self.url_prefix + '/acme/renewal-info',
-            'meta': {
-                'home': 'https://github.com/grindsa/acme2certifier',
-                'author': 'grindsa <grindelsack@gmail.com>',
-                'name': 'acme2certifier'
-            },
+            'meta': {}
         }
 
-        # show version information in meta tags if not disabled....
-        if not self.supress_version:
-            d_dic['meta']['version'] = self.version
+        if not self.suppress_product_information:
+            d_dic['meta'] = {
+                'home': self.home,
+                'author': 'grindsa <grindelsack@gmail.com>',
+                'name': 'acme2certifier'
+            }
+            # show version information in meta tags if not disabled....
+            if not self.supress_version:
+                d_dic['meta']['version'] = self.version
+        else:
+            if self.home != GH_HOME:
+                d_dic['meta']['home'] = self.home
 
         # add terms of service
         if self.tos_url:
@@ -87,15 +104,16 @@ def directory_get(self) -> Dict[str, str]:
                 if version == self.dbversion:
                     d_dic['meta']['db_check'] = 'OK'
                 else:
-                    self.logger.error('acme2certifier database error: version mismatch: detected: {0}/ expected: {1}'.format(version, __dbversion__))
+                    self.logger.error('acme2certifier database error: version mismatch: detected: %s/ expected: %s', version, __dbversion__)
                     d_dic['meta']['db_check'] = 'NOK'
 
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Directory.dbversion_check(): {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Directory.dbversion_check(): %s', err_)
                 d_dic['meta']['db_check'] = 'NOK'
 
         # generate random key in json as recommended by LE
         d_dic[uuid.uuid4().hex] = 'https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417'
+
         return d_dic
 
     def servername_get(self) -> str:
diff --git a/acme_srv/helper.py b/acme_srv/helper.py
index 19c56fed..c032de0d 100644
--- a/acme_srv/helper.py
+++ b/acme_srv/helper.py
@@ -1,4 +1,4 @@
-# pylint: disable=c0209, c0302, e0401, r0913
+# pylint: disable=c0302, e0401, r0913
 # -*- coding: utf-8 -*-
 """ helper functions for acme2certifier """
 from __future__ import print_function
@@ -33,17 +33,18 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization, hashes
 from cryptography.x509 import load_pem_x509_certificate, ocsp
+from OpenSSL import crypto
 import requests
 import requests.packages.urllib3.util.connection as urllib3_cn
 from .version import __version__
 
 
-USER_AGENT = 'acme2certifier/{0}'.format(__version__)
+USER_AGENT = f'acme2certifier/{__version__}'
 
 
 def b64decode_pad(logger: logging.Logger, string: str) -> bytes:
     """ b64 decoding and padding of missing "=" """
-    logger.debug('b64decode_pad()')
+    logger.debug('Helper.b64decode_pad()')
     try:
         b64dec = base64.urlsafe_b64decode(string + '=' * (4 - len(string) % 4))
     except Exception:
@@ -53,19 +54,19 @@ def b64decode_pad(logger: logging.Logger, string: str) -> bytes:
 
 def b64_decode(logger: logging.Logger, string: str) -> str:
     """ b64 decoding """
-    logger.debug('b64decode()')
+    logger.debug('Helper.b64decode()')
     return convert_byte_to_string(base64.b64decode(string))
 
 
 def b64_encode(logger: logging.Logger, string: str) -> str:
     """ encode a bytestream in base64 """
-    logger.debug('b64_encode()')
+    logger.debug('Helper.b64_encode()')
     return convert_byte_to_string(base64.b64encode(string))
 
 
 def b64_url_encode(logger: logging.Logger, string: str) -> str:
     """ encode a bytestream in base64 url and remove padding """
-    logger.debug('b64_url_encode()')
+    logger.debug('Helper.b64_url_encode()')
     string = convert_string_to_byte(string)
     encoded = base64.urlsafe_b64encode(string)
     return encoded.rstrip(b"=")
@@ -73,7 +74,7 @@ def b64_url_encode(logger: logging.Logger, string: str) -> str:
 
 def b64_url_recode(logger: logging.Logger, string: str) -> str:
     """ recode base64_url to base64 """
-    logger.debug('b64_url_recode()')
+    logger.debug('Helper.b64_url_recode()')
     padding_factor = (4 - len(string) % 4) % 4
     string = convert_byte_to_string(string)
     string += "=" * padding_factor
@@ -83,20 +84,20 @@ def b64_url_recode(logger: logging.Logger, string: str) -> str:
 
 def build_pem_file(logger: logging.Logger, existing, certificate, wrap, csr=False):
     """ construct pem_file """
-    logger.debug('build_pem_file()')
+    logger.debug('Helper.build_pem_file()')
     if csr:
-        pem_file = '-----BEGIN CERTIFICATE REQUEST-----\n{0}\n-----END CERTIFICATE REQUEST-----\n'.format(textwrap.fill(convert_byte_to_string(certificate), 64))
+        pem_file = f'-----BEGIN CERTIFICATE REQUEST-----\n{textwrap.fill(convert_byte_to_string(certificate), 64)}\n-----END CERTIFICATE REQUEST-----\n'
     else:
         if existing:
             if wrap:
-                pem_file = '{0}-----BEGIN CERTIFICATE-----\n{1}\n-----END CERTIFICATE-----\n'.format(convert_byte_to_string(existing), textwrap.fill(convert_byte_to_string(certificate), 64))
+                pem_file = f'{existing}-----BEGIN CERTIFICATE-----\n{textwrap.fill(convert_byte_to_string(certificate), 64)}\n-----END CERTIFICATE-----\n'
             else:
-                pem_file = '{0}-----BEGIN CERTIFICATE-----\n{1}\n-----END CERTIFICATE-----\n'.format(convert_byte_to_string(existing), convert_byte_to_string(certificate))
+                pem_file = f'{convert_byte_to_string(existing)}-----BEGIN CERTIFICATE-----\n{convert_byte_to_string(certificate)}\n-----END CERTIFICATE-----\n'
         else:
             if wrap:
-                pem_file = '-----BEGIN CERTIFICATE-----\n{0}\n-----END CERTIFICATE-----\n'.format(textwrap.fill(convert_byte_to_string(certificate), 64))
+                pem_file = f'-----BEGIN CERTIFICATE-----\n{textwrap.fill(convert_byte_to_string(certificate), 64)}\n-----END CERTIFICATE-----\n'
             else:
-                pem_file = '-----BEGIN CERTIFICATE-----\n{0}\n-----END CERTIFICATE-----\n'.format(convert_byte_to_string(certificate))
+                pem_file = f'-----BEGIN CERTIFICATE-----\n{convert_byte_to_string(certificate)}\n-----END CERTIFICATE-----\n'
     return pem_file
 
 
@@ -116,13 +117,13 @@ def ca_handler_load(logger: logging.Logger, config_dic: Dict) -> importlib.impor
             spec.loader.exec_module(ca_handler_module)
             return ca_handler_module
         except Exception as err_:
-            logger.critical('Helper.ca_handler_load(): loading CAhandler configured in cfg failed with err: {0}'.format(err_))
+            logger.critical('Helper.ca_handler_load(): loading CAhandler configured in cfg failed with err: %s', err_)
 
     # if no 'handler_file' provided or loading was unsuccessful, try to load default handler
     try:
         ca_handler_module = importlib.import_module('acme_srv.ca_handler')
     except Exception as err_:
-        logger.critical('Helper.ca_handler_load(): loading default CAhandler failed with err: {0}'.format(err_))
+        logger.critical('Helper.ca_handler_load(): loading default CAhandler failed with err: %s', err_)
         ca_handler_module = None
 
     return ca_handler_module
@@ -135,7 +136,50 @@ def config_check(logger: logging.Logger, config_dic: Dict):
     for section, section_dic in config_dic.items():
         for key, value in section_dic.items():
             if value.startswith('"') or value.endswith('"'):
-                logger.warning('config_check(): section {0} option: {1} contains " characters. Check if this is really needed!'.format(section, key))
+                logger.warning('config_check(): section %s option: %s contains " characters. Check if this is really needed!', section, key)
+
+
+def config_eab_profile_load(logger: logging.Logger, config_dic: Dict[str, str]):
+    """ load parameters """
+    logger.debug('Helper.config_eab_profile_load()')
+
+    eab_profiling = False
+    eab_handler = None
+
+    try:
+        eab_profiling = config_dic.getboolean('CAhandler', 'eab_profiling', fallback=False)
+    except Exception as err:
+        logger.warning('CAhandler._config_eab_profile_load() failed with error: %s', err)
+        eab_profiling = False
+
+    if eab_profiling:
+        if 'EABhandler' in config_dic and 'eab_handler_file' in config_dic['EABhandler']:
+            # load eab_handler according to configuration
+            eab_handler_module = eab_handler_load(logger, config_dic)
+            if not eab_handler_module:
+                logger.critical('CAhandler._config_load(): EABHandler could not get loaded')
+            else:
+                eab_handler = eab_handler_module.EABhandler
+        else:
+            logger.critical('CAhandler._config_load(): EABHandler configuration incomplete')
+
+    logger.debug('_config_profile_load() ended')
+    return eab_profiling, eab_handler
+
+
+def config_headerinfo_load(logger: logging.Logger, config_dic: Dict[str, str]):
+    """ load parameters """
+    logger.debug('Helper.config_headerinfo_load()')
+
+    header_info_field = None
+    if 'Order' in config_dic and 'header_info_list' in config_dic['Order'] and config_dic['Order']['header_info_list']:
+        try:
+            header_info_field = json.loads(config_dic['Order']['header_info_list'])[0]
+        except Exception as err_:
+            logger.warning('Helper.config_headerinfo_load() header_info_list failed with error: %s', err_)
+
+    logger.debug('config_headerinfo_load() ended')
+    return header_info_field
 
 
 def eab_handler_load(logger: logging.Logger, config_dic: Dict) -> importlib.import_module:
@@ -149,18 +193,18 @@ def eab_handler_load(logger: logging.Logger, config_dic: Dict) -> importlib.impo
             eab_handler_module = importlib.util.module_from_spec(spec)
             spec.loader.exec_module(eab_handler_module)
         except Exception as err_:
-            logger.critical('Helper.eab_handler_load(): loading EABhandler configured in cfg failed with err: {0}'.format(err_))
+            logger.critical('Helper.eab_handler_load(): loading EABhandler configured in cfg failed with err: %s', err_)
             try:
                 eab_handler_module = importlib.import_module('acme_srv.eab_handler')
             except Exception as err_:
                 eab_handler_module = None
-                logger.critical('Helper.eab_handler_load(): loading default EABhandler failed with err: {0}'.format(err_))
+                logger.critical('Helper.eab_handler_load(): loading default EABhandler failed with err: %s', err_)
     else:
         if 'EABhandler' in config_dic:
             try:
                 eab_handler_module = importlib.import_module('acme_srv.eab_handler')
             except Exception as err_:
-                logger.critical('Helper.eab_handler_load(): loading default EABhandler failed with err: {0}'.format(err_))
+                logger.critical('Helper.eab_handler_load(): loading default EABhandler failed with err: %s', err_)
                 eab_handler_module = None
         else:
             logger.error('Helper.eab_handler_load(): EABhandler configuration missing in config file')
@@ -181,14 +225,51 @@ def hooks_load(logger: logging.Logger, config_dic: Dict) -> importlib.import_mod
             hooks_module = importlib.util.module_from_spec(spec)
             spec.loader.exec_module(hooks_module)
         except Exception as err_:
-            logger.critical('Helper.hooks_load(): loading Hooks configured in cfg failed with err: {0}'.format(err_))
+            logger.critical('Helper.hooks_load(): loading Hooks configured in cfg failed with err: %s', err_)
 
     return hooks_module
 
 
+def cert_aki_get(logger: logging.Logger, certificate: str) -> str:
+    """ get subject key identifier from certificate """
+    logger.debug('Helper.cert_ski_get()')
+
+    cert = cert_load(logger, certificate, recode=True)
+    try:
+        aki = cert.extensions.get_extension_for_oid(x509.OID_AUTHORITY_KEY_IDENTIFIER)
+        aki_value = aki.value.key_identifier.hex()
+    except Exception as _err:
+        aki_value = cert_aki_pyopenssl_get(logger, certificate)
+    logger.debug('cert_aki_get() ended with: %s', aki_value)
+    return aki_value
+
+
+def cert_aki_pyopenssl_get(logger, certificate: str) -> str:
+    """Get Authority Key Identifier from a certificate as a hex string."""
+    logger.debug('Helper.cert_aki_pyopenssl_cert()')
+
+    pem_data = convert_string_to_byte(build_pem_file(logger, None, b64_url_recode(logger, certificate), True))
+    cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem_data)
+    # Get the AKI extension
+    aki = None
+    for i in range(cert.get_extension_count()):
+        ext = cert.get_extension(i)
+        if 'authorityKeyIdentifier' in str(ext.get_short_name()):
+            aki = ext
+    if aki:
+        # Get the SKI value and convert it to hex
+        aki_hex = aki.get_data()[4:].hex()
+    else:
+        logger.error("cert_ski_pyopenssl_get(): No AKI found in certificate")
+        aki_hex = None
+    logger.debug('Helper.cert_ski_pyopenssl_cert() ended with: %s', aki_hex)
+    return aki_hex
+
+
 def cert_load(logger: logging.Logger, certificate: str, recode: bool) -> x509.Certificate:
     """ load certificate object from pem _Format """
-    logger.debug('cert_load({0})'.format(recode))
+    logger.debug('Helper.cert_load(%s)', recode)
+
     if recode:
         pem_data = convert_string_to_byte(build_pem_file(logger, None, b64_url_recode(logger, certificate), True))
     else:
@@ -200,10 +281,10 @@ def cert_load(logger: logging.Logger, certificate: str, recode: bool) -> x509.Ce
 
 def cert_dates_get(logger: logging.Logger, certificate: str) -> Tuple[int, int]:
     """ get date number form certificate """
-    logger.debug('cert_dates_get()')
+    logger.debug('Helper.cert_dates_get()')
+
     issue_date = 0
     expiration_date = 0
-
     try:
         cert = cert_load(logger, certificate, recode=True)
         issue_date = date_to_uts_utc(cert.not_valid_before, _tformat='%Y-%m-%d %H:%M:%S')
@@ -212,13 +293,13 @@ def cert_dates_get(logger: logging.Logger, certificate: str) -> Tuple[int, int]:
         issue_date = 0
         expiration_date = 0
 
-    logger.debug('cert_dates_get() ended with: {0}/{1}'.format(issue_date, expiration_date))
+    logger.debug('cert_dates_get() ended with: %s/%s', issue_date, expiration_date)
     return (issue_date, expiration_date)
 
 
 def cert_cn_get(logger: logging.Logger, certificate: str) -> str:
     """ get cn from certificate  """
-    logger.debug('CAhandler.cert_cn_get()')
+    logger.debug('Helper.cert_cn_get()')
 
     cert = cert_load(logger, certificate, recode=True)
     # get subject and look for common name
@@ -228,7 +309,7 @@ def cert_cn_get(logger: logging.Logger, certificate: str) -> str:
         if attr.oid == x509.NameOID.COMMON_NAME:
             result = attr.value
             break
-    logger.debug('CAhandler.cert_cn_get() ended with: {0}'.format(result))
+    logger.debug('Helper.cert_cn_get() ended with: %s', result)
     return result
 
 
@@ -241,11 +322,11 @@ def cert_der2pem(der_cert: bytes) -> str:
 
 def cert_issuer_get(logger: logging.Logger, certificate: str) -> str:
     """ get serial number form certificate """
-    logger.debug('cert_issuer_get()')
+    logger.debug('Helper.cert_issuer_get()')
 
     cert = cert_load(logger, certificate, recode=True)
     result = cert.issuer.rfc4514_string()
-    logger.debug('CAhandler.cert_issuer_get() ended with: {0}'.format(result))
+    logger.debug('Helper.cert_issuer_get() ended with: %s', result)
     return result
 
 
@@ -258,20 +339,45 @@ def cert_pem2der(pem_cert: str) -> bytes:
 
 def cert_pubkey_get(logger: logging.Logger, certificate=str) -> str:
     """ get public key from certificate  """
-    logger.debug('CAhandler.cert_pubkey_get()')
+    logger.debug('Helper.cert_pubkey_get()')
     cert = cert_load(logger, certificate, recode=False)
     public_key = cert.public_key()
     pubkey_str = public_key.public_bytes(
         encoding=serialization.Encoding.PEM,
         format=serialization.PublicFormat.SubjectPublicKeyInfo
     )
-    logger.debug('CAhandler.cert_pubkey_get() ended with: {0}'.format(pubkey_str))
+    logger.debug('Helper.cert_pubkey_get() ended with: %s', pubkey_str)
     return convert_byte_to_string(pubkey_str)
 
 
+def cert_san_pyopenssl_get(logger, certificate, recode=True):
+    """ get subject alternate names from certificate """
+    logger.debug('Helper.cert_san_pyopenssl_get()')
+    if recode:
+        pem_file = build_pem_file(logger, None, b64_url_recode(logger, certificate), True)
+    else:
+        pem_file = certificate
+
+    cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem_file)
+    san = []
+    ext_count = cert.get_extension_count()
+    for i in range(0, ext_count):
+        ext = cert.get_extension(i)
+        if 'subjectAltName' in str(ext.get_short_name()):
+            # pylint: disable=c2801
+            san_list = ext.__str__().split(',')
+            for san_name in san_list:
+                san_name = san_name.rstrip()
+                san_name = san_name.lstrip()
+                san.append(san_name)
+
+    logger.debug('Helper.cert_san_pyopenssl_get() ended')
+    return san
+
+
 def cert_san_get(logger: logging.Logger, certificate: str, recode: bool = True) -> List[str]:
     """ get subject alternate names from certificate """
-    logger.debug('cert_san_get({0})'.format(recode))
+    logger.debug('Helper.cert_san_get(%s)', recode)
 
     cert = cert_load(logger, certificate, recode=recode)
     sans = []
@@ -279,40 +385,121 @@ def cert_san_get(logger: logging.Logger, certificate: str, recode: bool = True)
         ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME)
         sans_list = ext.value.get_values_for_type(x509.DNSName)
         for san in sans_list:
-            sans.append('DNS:{0}'.format(san))
+            sans.append(f'DNS:{san}')
         sans_list = ext.value.get_values_for_type(x509.IPAddress)
         for san in sans_list:
-            sans.append('IP:{0}'.format(san))
+            sans.append(f'IP:{san}')
     except Exception as err:
-        logger.error('cert_san_get(): Error: {0}'.format(err))
+        logger.error('cert_san_get(): Error: %s', err)
+        # we may add the routing to get the sanes via pyopenssl here if needed (sans = cert_san_pyopenssl_get(logger, certificate, recode=recode))
 
-    logger.debug('cert_san_get() ended')
+    logger.debug('Helper.cert_san_get() ended')
     return sans
 
 
+def cert_ski_pyopenssl_get(logger, certificate: str) -> str:
+    """Get Subject Key Identifier from a certificate as a hex string."""
+    logger.debug('Helper.cert_ski_pyopenssl_cert()')
+
+    pem_data = convert_string_to_byte(build_pem_file(logger, None, b64_url_recode(logger, certificate), True))
+    cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem_data)
+    # Get the SKI extension
+    ski = None
+    for i in range(cert.get_extension_count()):
+        ext = cert.get_extension(i)
+        if 'subjectKeyIdentifier' in str(ext.get_short_name()):
+            ski = ext
+    if ski:
+        # Get the SKI value and convert it to hex
+        ski_hex = ski.get_data()[2:].hex()
+    else:
+        logger.error("cert_ski_pyopenssl_get(): No SKI found in certificate")
+        ski_hex = None
+    logger.debug('Helper.cert_ski_pyopenssl_cert() ended with: %s', ski_hex)
+    return ski_hex
+
+
+def cert_ski_get(logger: logging.Logger, certificate: str) -> str:
+    """ get subject key identifier from certificate """
+    logger.debug('Helper.cert_ski_get()')
+
+    cert = cert_load(logger, certificate, recode=True)
+    try:
+        ski = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_KEY_IDENTIFIER)
+        ski_value = ski.value.digest.hex()
+    except Exception as err:
+        logger.error('cert_ski_get(): Error: %s', err)
+        ski_value = cert_ski_pyopenssl_get(logger, certificate)
+    logger.debug('Helper.cert_ski_get() ended with: %s', ski_value)
+    return ski_value
+
+
+def cryptography_version_get(logger: logging.Logger) -> int:
+    """ get version number of cryptography module """
+    logger.debug('Helper.cryptography_version_get()')
+    # pylint: disable=c0415
+    import cryptography
+
+    try:
+        version_list = cryptography.__version__.split('.')
+        if version_list:
+            major_version = int(version_list[0])
+    except Exception as err:
+        logger.error('cryptography_version_get(): Error: %s', err)
+        major_version = 36
+
+    logger.debug('cryptography_version_get() ended with %s', major_version)
+    return major_version
+
+
 def cert_extensions_get(logger: logging.Logger, certificate: str, recode: bool = True):
     """ get extenstions from certificate certificate """
-    logger.debug('cert_extensions_get()')
+    logger.debug('Helper.cert_extensions_get()')
 
-    cert = cert_load(logger, certificate, recode=recode)
+    crypto_module_version = cryptography_version_get(logger)
+    if crypto_module_version < 36:
+        logger.debug('Helper.cert_extensions_get(): using pyopenssl')
+        extension_list = cert_extensions_py_openssl_get(logger, certificate, recode)
+    else:
+        cert = cert_load(logger, certificate, recode=recode)
+        extension_list = []
+        for extension in cert.extensions:
+            extension_list.append(convert_byte_to_string(base64.b64encode(extension.value.public_bytes())))
+
+    logger.debug('Helper.cert_extensions_get() ended with: %s', extension_list)
+    return extension_list
+
+
+def cert_extensions_py_openssl_get(logger, certificate, recode=True):
+    """ get extenstions from certificate certificate """
+    logger.debug('cert_extensions_py_openssl_get()')
+    if recode:
+        pem_file = build_pem_file(logger, None, b64_url_recode(logger, certificate), True)
+    else:
+        pem_file = certificate
 
+    cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem_file)
     extension_list = []
-    for extension in cert.extensions:
-        extension_list.append(convert_byte_to_string(base64.b64encode(extension.value.public_bytes())))
+    ext_count = cert.get_extension_count()
+    for i in range(0, ext_count):
+        ext = cert.get_extension(i)
+        extension_list.append(convert_byte_to_string(base64.b64encode(ext.get_data())))
 
-    logger.debug('cert_extensions_get() ended with: {0}'.format(extension_list))
+    logger.debug('cert_extensions_py_openssl_get() ended with: %s', extension_list)
     return extension_list
 
 
 def cert_serial_get(logger: logging.Logger, certificate: str, hexformat: bool = False):
     """ get serial number form certificate """
-    logger.debug('cert_serial_get()')
+    logger.debug('Helper.cert_serial_get()')
     cert = cert_load(logger, certificate, recode=True)
     if hexformat:
-        serial_number = '{0:x}'.format(cert.serial_number)
+        serial_number = f'{cert.serial_number:x}'
+        # add leading zero if needed
+        serial_number = serial_number.zfill(len(serial_number) + len(serial_number) % 2)
     else:
         serial_number = cert.serial_number
-    logger.debug('cert_serial_get() ended with: {0}'.format(serial_number))
+    logger.debug('Helper.cert_serial_get() ended with: %s', serial_number)
     return serial_number
 
 
@@ -338,7 +525,8 @@ def convert_string_to_byte(value: str) -> bytes:
 
 def csr_load(logger: logging.Logger, csr: str) -> x509.CertificateSigningRequest:
     """ load certificate object from pem _Format """
-    logger.debug('cert_load({0})')
+    logger.debug('Helper.cert_load()')
+
     pem_data = convert_string_to_byte(build_pem_file(logger, None, b64_url_recode(logger, csr), True, True))
     csr_data = x509.load_pem_x509_csr(pem_data)
 
@@ -347,10 +535,9 @@ def csr_load(logger: logging.Logger, csr: str) -> x509.CertificateSigningRequest
 
 def csr_cn_get(logger: logging.Logger, csr_pem: str) -> str:
     """ get cn from certificate request """
-    logger.debug('CAhandler.csr_cn_get()')
+    logger.debug('Helper.csr_cn_get()')
 
     csr = csr_load(logger, csr_pem)
-
     # Extract the subject's common name
     common_name = None
     for attribute in csr.subject:
@@ -358,37 +545,53 @@ def csr_cn_get(logger: logging.Logger, csr_pem: str) -> str:
             common_name = attribute.value
             break
 
-    logger.debug('CAhandler.csr_cn_get() ended with: {0}'.format(common_name))
+    logger.debug('Helper.csr_cn_get() ended with: %s', common_name)
     return common_name
 
 
 def csr_dn_get(logger: logging.Logger, csr: str) -> str:
     """ get subject from certificate request in openssl notation """
-    logger.debug('CAhandler.csr_dn_get()')
+    logger.debug('Helper.csr_dn_get()')
 
     csr_obj = csr_load(logger, csr)
     subject = csr_obj.subject.rfc4514_string()
 
-    logger.debug('CAhandler.csr_dn_get() ended with: {0}'.format(subject))
+    logger.debug('Helper.csr_dn_get() ended with: %s', subject)
     return subject
 
 
-def csr_pubkey_get(logger, csr):
+def csr_pubkey_get(logger: logging.Logger, csr, encoding='pem'):
     """ get public key from certificate request """
-    logger.debug('CAhandler.csr_pubkey_get()')
+    logger.debug('Helper.csr_pubkey_get()')
     csr_obj = csr_load(logger, csr)
     public_key = csr_obj.public_key()
-    pubkey_str = public_key.public_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PublicFormat.SubjectPublicKeyInfo
-    )
-    logger.debug('CAhandler.cert_pubkey_get() ended with: {0}'.format(pubkey_str))
-    return convert_byte_to_string(pubkey_str)
+    if encoding == 'pem':
+        pubkey_str = public_key.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+        pubkey = convert_byte_to_string(pubkey_str)
+    elif encoding == 'base64der':
+        pubkey_str = public_key.public_bytes(
+            encoding=serialization.Encoding.DER,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+        pubkey = b64_encode(logger, pubkey_str)
+
+    elif encoding == 'der':
+        pubkey = public_key.public_bytes(
+            encoding=serialization.Encoding.DER,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+    else:
+        pubkey = None
+    logger.debug('Helper.cert_pubkey_get() ended with: %s', pubkey)
+    return pubkey
 
 
 def csr_san_get(logger: logging.Logger, csr: str) -> List[str]:
     """ get subject alternate names from certificate """
-    logger.debug('cert_san_get()')
+    logger.debug('Helper.cert_san_get()')
     sans = []
     if csr:
 
@@ -399,21 +602,44 @@ def csr_san_get(logger: logging.Logger, csr: str) -> List[str]:
 
             sans_list = ext.value.get_values_for_type(x509.DNSName)
             for san in sans_list:
-                sans.append('DNS:{0}'.format(san))
+                sans.append(f'DNS:{san}')
             sans_list = ext.value.get_values_for_type(x509.IPAddress)
             for san in sans_list:
-                sans.append('IP:{0}'.format(san))
+                sans.append(f'IP:{san}')
 
         except Exception as err:
-            logger.error('csr_san_get(): Error: {0}'.format(err))
+            logger.error('csr_san_get(): Error: %s', err)
 
-    logger.debug('csr_san_get() ended with: {0}'.format(str(sans)))
+    logger.debug('Helper.csr_san_get() ended with: %s', str(sans))
     return sans
 
 
+def csr_san_byte_get(logger: logging.Logger, csr: str) -> bytes:
+    """ get sans from CSR as base64 encoded byte squence"""
+    # Load the CSR
+    logger.debug('Helper.csr_san_byte_get()')
+
+    csr = csr_load(logger, csr)
+
+    # Get the SAN extension
+    san_extension = csr.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
+
+    # Get the SANs
+    sans = san_extension.value
+
+    # Serialize the SANs to a byte sequence
+    sans_bytes = sans.public_bytes()
+
+    # Encode the byte sequence as base64
+    sans_base64 = b64_encode(logger, sans_bytes)
+
+    logger.debug('Helper.csr_san_byte_get() ended')
+    return sans_base64
+
+
 def csr_extensions_get(logger: logging.Logger, csr: str) -> List[str]:
     """ get extensions from certificate """
-    logger.debug('csr_extensions_get()')
+    logger.debug('Helper.csr_extensions_get()')
 
     csr_obj = csr_load(logger, csr)
 
@@ -421,13 +647,29 @@ def csr_extensions_get(logger: logging.Logger, csr: str) -> List[str]:
     for extension in csr_obj.extensions:
         extension_list.append(convert_byte_to_string(base64.b64encode(extension.value.public_bytes())))
 
-    logger.debug('csr_extensions_get() ended with: {0}'.format(extension_list))
+    logger.debug('Helper.csr_extensions_get() ended with: %s', extension_list)
     return extension_list
 
 
+def csr_subject_get(logger: logging.Logger, csr: str) -> Dict[str, str]:
+    """ get subject from csr as a list of tuples """
+    logger.debug('Helper.csr_subject_get()')
+    # pylint: disable=w0212
+
+    csr_obj = csr_load(logger, csr)
+    subject_dic = {}
+    # get subject and look for common name
+    subject = csr_obj.subject
+    for attr in subject:
+        subject_dic[attr.oid._name] = attr.value
+
+    logger.debug('Helper.csr_subject_get() ended')
+    return subject_dic
+
+
 def decode_deserialize(logger: logging.Logger, string: str) -> Dict:
     """ decode and deserialize string """
-    logger.debug('decode_deserialize()')
+    logger.debug('Helper.decode_deserialize()')
     # b64 decode
     string_decode = b64decode_pad(logger, string)
     # deserialize if b64 decoding was successful
@@ -442,7 +684,7 @@ def decode_deserialize(logger: logging.Logger, string: str) -> Dict:
 
 def decode_message(logger: logging.Logger, message: str) -> Tuple[str, str, Dict[str, str], Dict[str, str], str]:
     """ decode jwstoken and return header, payload and signature """
-    logger.debug('decode_message()')
+    logger.debug('Helper.decode_message()')
     jwstoken = jws.JWS()
     result = False
     error = None
@@ -456,7 +698,7 @@ def decode_message(logger: logging.Logger, message: str) -> Tuple[str, str, Dict
         signature = jwstoken.objects['signature']
         result = True
     except Exception as err:
-        logger.error('decode_message() err: {0}'.format(err))
+        logger.error('decode_message() err: %s', err)
         error = str(err)
         protected = {}
         payload = {}
@@ -480,7 +722,7 @@ def dkeys_lower(tree: Dict[str, str]) -> Dict[str, str]:
 
 def fqdn_in_san_check(logger: logging.Logger, san_list: List[str], fqdn: str) -> bool:
     """ check if fqdn is in a list of sans """
-    logger.debug('fqdn_in_san_check([%s], %s)', san_list, fqdn)
+    logger.debug('Helper.fqdn_in_san_check([%s], %s)', san_list, fqdn)
 
     result = False
     if fqdn and san_list:
@@ -491,15 +733,15 @@ def fqdn_in_san_check(logger: logging.Logger, san_list: List[str], fqdn: str) ->
                     result = True
                     break
             except Exception:
-                logger.error('ERROR: fqdn_in_san_check() SAN split failed: {0}'.format(san))
+                logger.error('ERROR: fqdn_in_san_check() SAN split failed: %s', san)
 
-    logger.debug('fqdn_in_san_check() ended with: {}'.format(result))
+    logger.debug('Helper.fqdn_in_san_check() ended with: %s', result)
     return result
 
 
 def generate_random_string(logger: logging.Logger, length: int) -> str:
     """ generate random string to be used as name """
-    logger.debug('generate_random_string()')
+    logger.debug('Helper.generate_random_string()')
     char_set = digits + ascii_letters
     return ''.join(random.choice(char_set) for _ in range(length))
 
@@ -526,23 +768,80 @@ def get_url(environ: Dict[str, str], include_path: bool = False) -> str:
         proto = 'http'
 
     if include_path and 'PATH_INFO' in environ:
-        result = '{0}://{1}{2}'.format(proto, server_name, html.escape(environ['PATH_INFO']))
+        result = f'{proto}://{server_name}{html.escape(environ["PATH_INFO"])}'
+    else:
+        result = f'{proto}://{server_name}'
+    return result
+
+
+def header_info_field_validate(logger, csr: str, header_info_field: str, value: str, value_list: List[str]) -> Tuple[str, str]:
+    """ select value from list"""
+    logger.debug('Helper.header_info_field_validate(%s)', value)
+
+    value_to_set = None
+    error = None
+    # get header info
+    header_info_value = header_info_lookup(logger, csr, header_info_field, value)
+    if header_info_value:
+        if header_info_value in value_list:
+            value_to_set = header_info_value
+        else:
+            error = f'{value} "{header_info_value}" is not allowed'
     else:
-        result = '{0}://{1}'.format(proto, server_name)
+        # header not set, use first value from list
+        value_to_set = value_list[0]
+
+    logger.debug('Helper.header_info_field_validate(%s) ended with %s/%s', value, value_to_set, error)
+    return value_to_set, error
+
+
+def header_info_jsonify(logger: logging.Logger, header_info: str) -> Dict[str, str]:
+    """ jsonify header info"""
+    logger.debug('Helper.header_info_json_parse()')
+
+    header_info_dic = {}
+    try:
+        if isinstance(header_info, list) and 'header_info' in header_info[-1]:
+            header_info_dic = json.loads(header_info[-1]['header_info'])
+    except Exception as err:
+        logger.error('header_info_lookup() could not parse header_info_field: %s', err)
+
+    logger.debug('Helper.header_info_json_parse() ended with: %s', bool(header_info_dic))
+    return header_info_dic
+
+
+def header_info_lookup(logger, csr: str, header_info_field, key: str) -> str:
+    """ lookup header info """
+    logger.debug('Helper.header_info_lookup(%s)', key)
+
+    result = None
+    header_info = header_info_get(logger, csr=csr)
+
+    if header_info:
+        header_info_dic = header_info_jsonify(logger, header_info)
+        if header_info_field in header_info_dic:
+            for ele in header_info_dic[header_info_field].split(' '):
+                if key in ele.lower():
+                    result = ele.split('=', 1)[1]
+                    break
+        else:
+            logger.error('header_info_lookup() header_info_field not found: %s', header_info_field)
+
+    logger.debug('Helper.header_info_lookup(%s) ended with: %s', key, result)
     return result
 
 
-def header_info_get(logger: logging.Logger, csr: str, vlist: List[str] = ('id', 'name', 'header_info')) -> List[str]:
+def header_info_get(logger: logging.Logger, csr: str, vlist: List[str] = ('id', 'name', 'header_info'), field_name: str = 'csr') -> List[str]:
     """ lookup header information """
-    logger.debug('header_info_get()')
+    logger.debug('Helper.header_info_get()')
 
     try:
         from acme_srv.db_handler import DBstore  # pylint: disable=c0415
         dbstore = DBstore(logger=logger)
-        result = dbstore.certificates_search('csr', csr, vlist)
+        result = dbstore.certificates_search(field_name, csr, vlist)
     except Exception as err:
         result = []
-        logger.error('Helper.header_info_get(): error: {0}'.format(err))
+        logger.error('Helper.header_info_get(): error: %s', err)
 
     return list(result)
 
@@ -555,7 +854,7 @@ def load_config(logger: logging.Logger = None, mfilter: str = None, cfg_file: st
         else:
             cfg_file = os.path.dirname(__file__) + '/' + 'acme_srv.cfg'
     if logger:
-        logger.debug('load_config({1}:{0})'.format(mfilter, cfg_file))
+        logger.debug('load_config(%s:%s)', mfilter, cfg_file)
     config = configparser.ConfigParser(interpolation=None)
     config.optionxform = str
     config.read(cfg_file, encoding='utf8')
@@ -564,7 +863,8 @@ def load_config(logger: logging.Logger = None, mfilter: str = None, cfg_file: st
 
 def parse_url(logger: logging.Logger, url: str) -> Dict[str, str]:
     """ split url into pieces """
-    logger.debug('parse_url({0})'.format(url))
+    logger.debug('Helper.parse_url()')
+
     url_dic = {
         'proto': urlparse(url).scheme,
         'host': urlparse(url).netloc,
@@ -575,7 +875,7 @@ def parse_url(logger: logging.Logger, url: str) -> Dict[str, str]:
 
 def encode_url(logger: logging.Logger, input_string: str) -> str:
     """ urlencoding """
-    logger.debug('encode_url({0})'.format(input_string))
+    logger.debug('Helper.encode_url(%s)', input_string)
 
     return quote(input_string)
 
@@ -626,7 +926,7 @@ def logger_info(logger: logging.Logger, addr: str, locator: str, dat_dic: Dict[s
         # remove token from challenge
         data_dic = _logger_challenges_modify(data_dic)
 
-    logger.info('{0} {1} {2}'.format(addr, locator, str(data_dic)))
+    logger.info('%s %s %s', addr, locator, str(data_dic))
 
 
 def logger_setup(debug: bool) -> logging.Logger:
@@ -654,45 +954,45 @@ def logger_setup(debug: bool) -> logging.Logger:
 def print_debug(debug: bool, text: str):
     """ little helper to print debug messages """
     if debug:
-        print('{0}: {1}'.format(datetime.datetime.now(), text))
+        print(f'{datetime.datetime.now()}: {text}')
 
 
 def jwk_thumbprint_get(logger: logging.Logger, pub_key: Dict[str, str]) -> str:
     """ get thumbprint """
-    logger.debug('jwk_thumbprint_get()')
+    logger.debug('Helper.jwk_thumbprint_get()')
     if pub_key:
         try:
             jwkey = jwk.JWK(**pub_key)
             thumbprint = jwkey.thumbprint()
         except Exception as err:
-            logger.error('jwk_thumbprint_get(): error: {0}'.format(err))
+            logger.error('jwk_thumbprint_get(): error: %s', err)
             thumbprint = None
     else:
         thumbprint = None
 
-    logger.debug('jwk_thumbprint_get() ended with: {0}'.format(thumbprint))
+    logger.debug('Helper.jwk_thumbprint_get() ended with: %s', thumbprint)
     return thumbprint
 
 
 def sha256_hash(logger: logging.Logger, string: str) -> str:
     """ hash string """
-    logger.debug('sha256_hash()')
+    logger.debug('Helper.sha256_hash()')
     result = hashlib.sha256(string.encode('utf-8')).digest()
-    logger.debug('sha256_hash() ended with {0} (base64-encoded)'.format(b64_encode(logger, result)))
+    logger.debug('Helper.sha256_hash() ended with %s (base64-encoded)', b64_encode(logger, result))
     return result
 
 
 def sha256_hash_hex(logger: logging.Logger, string: str) -> str:
     """ hash string """
-    logger.debug('sha256_hash_hex()')
+    logger.debug('Helper.sha256_hash_hex()')
     result = hashlib.sha256(string.encode('utf-8')).hexdigest()
-    logger.debug('sha256_hash_hex() ended with {0}'.format(result))
+    logger.debug('Helper.sha256_hash_hex() ended with %s', result)
     return result
 
 
 def signature_check(logger: logging.Logger, message: str, pub_key: str, json_: bool = False) -> Tuple[bool, str]:
     """ check JWS """
-    logger.debug('signature_check({0})'.format(json_))
+    logger.debug('Helper.signature_check(%s)', json_)
 
     result = False
     error = None
@@ -701,11 +1001,13 @@ def signature_check(logger: logging.Logger, message: str, pub_key: str, json_: b
         # load key
         try:
             if json_:
+                logger.debug('Helper.signature_check(): load key from json')
                 jwkey = jwk.JWK.from_json(pub_key)
             else:
+                logger.debug('Helper.signature_check(): load plain json')
                 jwkey = jwk.JWK(**pub_key)
         except Exception as err:
-            logger.error('load key failed {0}'.format(err))
+            logger.error('load key failed %s', err)
             jwkey = None
             result = False
             error = str(err)
@@ -718,17 +1020,21 @@ def signature_check(logger: logging.Logger, message: str, pub_key: str, json_: b
                 jwstoken.verify(jwkey)
                 result = True
             except Exception as err:
-                logger.error('verify failed {0}'.format(err))
+                logger.error('verify failed %s', err)
                 error = str(err)
+        else:
+            logger.error('No jwkey extracted')
     else:
+        logger.error('No pubkey specified.')
         error = 'No key specified.'
 
+    logger.debug('Helper.signature_check() ended with: %s, %s', result, error)
     return (result, error)
 
 
 def string_sanitize(logger: logging.Logger, unsafe_str: str) -> str:
     """ sanitize string """
-    logger.debug('string_sanitize()')
+    logger.debug('Helper.string_sanitize()')
     allowed_range = set(range(32, 127))
     safe_str = ''
     for char in unsafe_str:
@@ -805,7 +1111,7 @@ def dns_server_list_load() -> List[str]:
 
 def error_dic_get(logger: logging.Logger) -> Dict[str, str]:
     """ load acme error messages """
-    logger.debug('error_dict_get()')
+    logger.debug('Helper.error_dict_get()')
     # this is the main dictionary
     error_dic = {
         'badcsr': 'urn:ietf:params:acme:error:badCSR',
@@ -821,7 +1127,8 @@ def error_dic_get(logger: logging.Logger) -> Dict[str, str]:
         'unsupportedidentifier': 'urn:ietf:params:acme:error:unsupportedIdentifier',
         'ordernotready': 'urn:ietf:params:acme:error:orderNotReady',
         'ratelimited': 'urn:ietf:params:acme:error:rateLimited',
-        'badrevocationreason': 'urn:ietf:params:acme:error:badRevocationReason'}
+        'badrevocationreason': 'urn:ietf:params:acme:error:badRevocationReason',
+        'rejectedidentifier': 'urn:ietf:params:acme:error:rejectedIdentifier'}
 
     return error_dic
 
@@ -839,7 +1146,7 @@ def patched_create_connection(address: List[str], *args, **kwargs):  # pragma: n
 
 def proxy_check(logger: logging.Logger, fqdn: str, proxy_server_list: Dict[str, str]) -> str:
     """ check proxy server """
-    logger.debug('proxy_check({0})'.format(fqdn))
+    logger.debug('Helper.proxy_check(%s)', fqdn)
 
     # remove leading *.
     proxy_server_list_new = {k.replace('*.', ''): v for k, v in proxy_server_list.items()}
@@ -851,20 +1158,20 @@ def proxy_check(logger: logging.Logger, fqdn: str, proxy_server_list: Dict[str,
             if bool(regex_compiled.search(fqdn)):
                 # parameter is in - set flag accordingly and stop loop
                 proxy = proxy_server_list_new[regex]
-                logger.debug('proxy_check() match found: fqdn: {0}, regex: {1}'.format(fqdn, regex))
+                logger.debug('Helper.proxy_check() match found: fqdn: %s, regex: %s', fqdn, regex)
                 break
 
     if '*' in proxy_server_list_new.keys() and not proxy:
-        logger.debug('proxy_check() wildcard match found: fqdn: {0}'.format(fqdn))
+        logger.debug('Helper.proxy_check() wildcard match found: fqdn: %s', fqdn)
         proxy = proxy_server_list_new['*']
 
-    logger.debug('proxy_check() ended with {0}'.format(proxy))
+    logger.debug('Helper.proxy_check() ended with %s', proxy)
     return proxy
 
 
 def url_get_with_own_dns(logger: logging.Logger, url: str, verify: bool = True) -> str:
     """ request by using an own dns resolver """
-    logger.debug('url_get_with_own_dns({0})'.format(url))
+    logger.debug('Helper.url_get_with_own_dns(%s)', url)
     # patch an own connection handler into URL lib
     # pylint: disable=W0212
     connection._orig_create_connection = connection.create_connection
@@ -874,7 +1181,7 @@ def url_get_with_own_dns(logger: logging.Logger, url: str, verify: bool = True)
         result = req.text
     except Exception as err_:
         result = None
-        logger.error('url_get_with_own_dns error: {0}'.format(err_))
+        logger.error('Helper.url_get_with_own_dns error: %s', err_)
     # cleanup
     connection.create_connection = connection._orig_create_connection
     return result
@@ -888,7 +1195,7 @@ def allowed_gai_family() -> socket.AF_INET:
 
 def url_get_with_default_dns(logger: logging.Logger, url: str, proxy_list: Dict[str, str], verify: bool, timeout: int) -> str:
     """ http get with default dns server """
-    logger.debug('url_get_with_default_dns({0}) vrf={1}, timout:{2}'.format(url, verify, timeout))
+    logger.debug('Helper.url_get_with_default_dns(%s) vrf=%s, timout:%s', url, verify, timeout)
 
     # we need to tweak headers and url for ipv6 addresse
     (headers, url) = v6_adjust(logger, url)
@@ -897,9 +1204,9 @@ def url_get_with_default_dns(logger: logging.Logger, url: str, proxy_list: Dict[
         req = requests.get(url, verify=verify, timeout=timeout, headers=headers, proxies=proxy_list)
         result = req.text
     except Exception as err_:
-        logger.debug('url_get({0}): error'.format(err_))
+        logger.debug('Helper.url_get(%s): error', err_)
         # force fallback to ipv4
-        logger.debug('url_get({0}): fallback to v4'.format(url))
+        logger.debug('Helper.url_get(%s): fallback to v4', url)
         old_gai_family = urllib3_cn.allowed_gai_family
         try:
             urllib3_cn.allowed_gai_family = allowed_gai_family
@@ -907,7 +1214,7 @@ def url_get_with_default_dns(logger: logging.Logger, url: str, proxy_list: Dict[
             result = req.text
         except Exception as err:
             result = None
-            logger.error('url_get error: {0}'.format(err))
+            logger.error('url_get error: %s', err)
         urllib3_cn.allowed_gai_family = old_gai_family
 
     return result
@@ -915,7 +1222,7 @@ def url_get_with_default_dns(logger: logging.Logger, url: str, proxy_list: Dict[
 
 def url_get(logger: logging.Logger, url: str, dns_server_list: List[str] = None, proxy_server=None, verify=True, timeout=20) -> str:
     """ http get """
-    logger.debug('url_get({0}) vrf={1}, timout:{2}'.format(url, verify, timeout))
+    logger.debug('Helper.url_get(%s) vrf=%s, timout:%s', url, verify, timeout)
     # pylint: disable=w0621
     # configure proxy servers if specified
     if proxy_server:
@@ -927,13 +1234,13 @@ def url_get(logger: logging.Logger, url: str, dns_server_list: List[str] = None,
     else:
         result = url_get_with_default_dns(logger, url, proxy_list, verify, timeout)
 
-    logger.debug('url_get() ended with: {0}'.format(result))
+    logger.debug('Helper.url_get() ended with: %s', result)
     return result
 
 
 def txt_get(logger: logging.Logger, fqdn: str, dns_srv: List[str] = None) -> List[str]:
     """ dns query to get the TXt record """
-    logger.debug('txt_get({0}: {1})'.format(fqdn, dns_srv))
+    logger.debug('Helper.txt_get(%s: %s)', fqdn, dns_srv)
 
     # rewrite dns resolver if configured
     if dns_srv:
@@ -945,14 +1252,14 @@ def txt_get(logger: logging.Logger, fqdn: str, dns_srv: List[str] = None) -> Lis
         for rrecord in response:
             txt_record_list.append(rrecord.strings[0])
     except Exception as err_:
-        logger.error('txt_get() error: {0}'.format(err_))
-    logger.debug('txt_get() ended with: {0}'.format(txt_record_list))
+        logger.error('txt_get() error: %s', err_)
+    logger.debug('Helper.txt_get() ended with: %s', txt_record_list)
     return txt_record_list
 
 
 def uts_now():
     """ unixtimestamp in utc """
-    return calendar.timegm(datetime.datetime.utcnow().utctimetuple())
+    return calendar.timegm(datetime.datetime.now(datetime.timezone.utc).utctimetuple())
 
 
 def uts_to_date_utc(uts: int, tformat: str = '%Y-%m-%dT%H:%M:%SZ') -> str:
@@ -990,12 +1297,13 @@ def datestr_to_date(datestr: str, tformat: str = '%Y-%m-%dT%H:%M:%S') -> str:
 
 def proxystring_convert(logger: logging.Logger, proxy_server: str) -> Tuple[str, str, str]:
     """ convert proxy string """
-    logger.debug('proxystring_convert({0})'.format(proxy_server))
+    logger.debug('Helper.proxystring_convert(%s)', proxy_server)
+
     proxy_proto_dic = {'http': socks.PROXY_TYPE_HTTP, 'socks4': socks.PROXY_TYPE_SOCKS4, 'socks5': socks.PROXY_TYPE_SOCKS5}
     try:
         (proxy_proto, proxy) = proxy_server.split('://')
     except Exception:
-        logger.error('proxystring_convert(): error splitting proxy_server string: {0}'.format(proxy_server))
+        logger.error('proxystring_convert(): error splitting proxy_server string: %s', proxy_server)
         proxy = None
         proxy_proto = None
 
@@ -1003,7 +1311,7 @@ def proxystring_convert(logger: logging.Logger, proxy_server: str) -> Tuple[str,
         try:
             (proxy_addr, proxy_port) = proxy.split(':')
         except Exception:
-            logger.error('proxystring_convert(): error splitting proxy into host/port: {0}'.format(proxy))
+            logger.error('proxystring_convert(): error splitting proxy into host/port: %s', proxy)
             proxy_addr = None
             proxy_port = None
     else:
@@ -1014,25 +1322,25 @@ def proxystring_convert(logger: logging.Logger, proxy_server: str) -> Tuple[str,
         try:
             proto_string = proxy_proto_dic[proxy_proto]
         except Exception:
-            logger.error('proxystring_convert(): unknown proxy protocol: {0}'.format(proxy_proto))
+            logger.error('proxystring_convert(): unknown proxy protocol: %s', proxy_proto)
             proto_string = None
     else:
-        logger.error('proxystring_convert(): proxy_proto ({0}), proxy_addr ({1}) or proxy_port ({2}) missing'.format(proxy_proto, proxy_addr, proxy_port))
+        logger.error('proxystring_convert(): proxy_proto (%s), proxy_addr (%s) or proxy_port (%s) missing', proxy_proto, proxy_addr, proxy_port)
         proto_string = None
 
     try:
         proxy_port = int(proxy_port)
     except Exception:
-        logger.error('proxystring_convert(): unknown proxy port: {0}'.format(proxy_port))
+        logger.error('proxystring_convert(): unknown proxy port: %s', proxy_port)
         proxy_port = None
 
-    logger.debug('proxystring_convert() ended with {0}, {1}, {2}'.format(proto_string, proxy_addr, proxy_port))
+    logger.debug('Helper.proxystring_convert() ended with %s, %s, %s', proto_string, proxy_addr, proxy_port)
     return (proto_string, proxy_addr, proxy_port)
 
 
 def servercert_get(logger: logging.Logger, hostname: str, port: int = 443, proxy_server: str = None, sni: str = None) -> str:
     """ get server certificate from an ssl connection """
-    logger.debug('servercert_get({0}:{1})'.format(hostname, port))
+    logger.debug('Helper.servercert_get(%s:%s)', hostname, port)
 
     pem_cert = None
 
@@ -1051,7 +1359,12 @@ def servercert_get(logger: logging.Logger, hostname: str, port: int = 443, proxy
     context.options |= ssl.PROTOCOL_TLS_CLIENT
     context.set_alpn_protocols(["acme-tls/1"])
     # reject insecure ssl version
-    context.minimum_version = ssl.TLSVersion.TLSv1_2
+    try:
+        # this does not work on RH8
+        context.minimum_version = ssl.TLSVersion.TLSv1_2
+    except Exception:  # pragma: no cover
+        logger.error('servercert_get(): minimum_version not supported')
+
     context.options |= ssl.OP_NO_SSLv3
     context.options |= ssl.OP_NO_TLSv1
     context.options |= ssl.OP_NO_TLSv1_1
@@ -1059,36 +1372,36 @@ def servercert_get(logger: logging.Logger, hostname: str, port: int = 443, proxy
     if proxy_server:
         (proxy_proto, proxy_addr, proxy_port) = proxystring_convert(logger, proxy_server)
         if proxy_proto and proxy_addr and proxy_port:
-            logger.debug('servercert_get() configure proxy')
+            logger.debug('servercert_get(): configure proxy')
             sock.setproxy(proxy_proto, proxy_addr, port=proxy_port)
     try:
         sock.connect((hostname, port))
         with context.wrap_socket(sock, server_hostname=sni) as sslsock:
-            logger.debug('servercert_get(): {0}:{1}:{2} version: {3}'.format(hostname, sni, port, sslsock.version()))
+            logger.debug('servercert_get(): %s:%s:%s version: %s', hostname, sni, port, sslsock.version())
             der_cert = sslsock.getpeercert(True)
             # from binary DER format to PEM
             if der_cert:
                 pem_cert = ssl.DER_cert_to_PEM_cert(der_cert)
     except Exception as err_:
-        logger.error('servercert_get() failed with: {0}'.format(err_))
+        logger.error('servercert_get() failed with: %s', err_)
         pem_cert = None
 
     if pem_cert:
-        logger.debug('servercert_get() ended with: {0}'.format(b64_encode(logger, convert_string_to_byte(pem_cert))))
+        logger.debug('Helper.servercert_get() ended with: %s', b64_encode(logger, convert_string_to_byte(pem_cert)))
     else:
-        logger.debug('servercert_get() ended with: None')
+        logger.debug('Helper.servercert_get() ended with: None')
     return pem_cert
 
 
 def validate_csr(logger: logging.Logger, order_dic: Dict[str, str], _csr) -> bool:
     """ validate certificate signing request against order"""
-    logger.debug('validate_csr({0})'.format(order_dic))
+    logger.debug('Helper.validate_csr(%s)', order_dic)
     return True
 
 
 def validate_email(logger: logging.Logger, contact_list: List[str]) -> bool:
     """ validate contact against RFC608"""
-    logger.debug('validate_email()')
+    logger.debug('Helper.validate_email()')
     result = True
     pattern = r"^[A-Za-z0-9\.\+_-]+@[A-Za-z]+[A-Za-z0-9\._-]+[A-Za-z0-9]+\.[a-zA-Z\.]+[a-zA-Z]+$"
     # check if we got a list or single address
@@ -1097,14 +1410,64 @@ def validate_email(logger: logging.Logger, contact_list: List[str]) -> bool:
             contact = contact.replace('mailto:', '')
             contact = contact.lstrip()
             tmp_result = bool(re.search(pattern, contact))
-            logger.debug('# validate: {0} result: {1}'.format(contact, tmp_result))
+            logger.debug('# validate: %s result: %s', contact, tmp_result)
             if not tmp_result:
                 result = tmp_result
     else:
         contact_list = contact_list.replace('mailto:', '')
         contact_list = contact_list.lstrip()
         result = bool(re.search(pattern, contact_list))
-        logger.debug('# validate: {0} result: {1}'.format(contact_list, result))
+        logger.debug('Helper.validate_email() of: %s emded with result: %s', contact_list, result)
+    return result
+
+
+def validate_identifier(logger: logging.Logger, id_type: str, identifier: str, tnauthlist_support: bool = False) -> bool:
+    """ validate identifier """
+    logger.debug('Helper.validate_identifier()')
+
+    result = False
+    if identifier:
+        if id_type == 'dns':
+            result = validate_fqdn(logger, identifier)
+        elif id_type == 'ip':
+            result = validate_ip(logger, identifier)
+        elif id_type == 'tnauthlist' and tnauthlist_support:
+            result = True
+
+    logger.debug('Helper.validate_identifier() ended with: %s', result)
+    return result
+
+
+def validate_ip(logger: logging.Logger, ip: str) -> bool:
+    """ validate ip address """
+    logger.debug('Helper.validate_ip()')
+    try:
+        ipaddress.ip_address(ip)
+        result = True
+    except ValueError:
+        result = False
+    logger.debug('Helper.validate_ip() ended with: %s', result)
+    return result
+
+
+def validate_fqdn(logger: logging.Logger, fqdn: str) -> bool:
+    """ validate fqdn """
+    logger.debug('Helper.validate_fqdn()')
+
+    result = False
+    regex = r"^(([a-z0-9]\-*[a-z0-9]*){1,63}\.?){1,255}$"
+    p = re.compile(regex)
+    if re.search(p, fqdn):
+        result = True
+
+    if not result:
+        logger.debug('Helper.validate_fqdn(): invalid fqdn. Check for wildcard : %s', fqdn)
+        regex = r"^\*\.[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+        p = re.compile(regex)
+        if re.search(p, fqdn):
+            result = True
+
+    logger.debug('Helper.validate_fqdn() ended with: %s', result)
     return result
 
 
@@ -1120,7 +1483,7 @@ def handle_exception(exc_type, exc_value, exc_traceback):  # pragma: no cover
 
 def pembundle_to_list(logger: logging.Logger, pem_bundle: str) -> List[str]:
     """ split pem bundle into a list of certificates """
-    logger.debug('pembundle_to_list()')
+    logger.debug('Helper.pembundle_to_list()')
     cert_list = []
     pem_data = ""
     if '-----BEGIN CERTIFICATE-----' in pem_bundle:
@@ -1132,13 +1495,13 @@ def pembundle_to_list(logger: logging.Logger, pem_bundle: str) -> List[str]:
             pem_data += line + "\n"
         if pem_data:
             cert_list.append(pem_data)
-    logger.debug('pembundle_to_list() returned {0} certificates'.format(len(cert_list)))
+    logger.debug('Helper.pembundle_to_list() returned %s certificates', cert_list)
     return cert_list
 
 
 def certid_asn1_get(logger: logging.Logger, cert_pem: str, issuer_pem: str) -> str:
     """ get renewal information from certificate """
-    logger.debug('certid_asn1_get()')
+    logger.debug('Helper.certid_asn1_get()')
 
     cert = load_pem_x509_certificate(convert_string_to_byte(cert_pem))
     issuer = load_pem_x509_certificate(convert_string_to_byte(issuer_pem))
@@ -1156,7 +1519,7 @@ def certid_asn1_get(logger: logging.Logger, cert_pem: str, issuer_pem: str) -> s
 
 def certid_hex_get(logger: logging.Logger, renewal_info: str) -> Tuple[str, str]:
     """ get certid in hex from renewal_info field """
-    logger.debug('certid_hex_get()')
+    logger.debug('Helper.certid_hex_get()')
 
     renewal_info_b64 = b64_url_recode(logger, renewal_info)
     renewal_info_hex = b64_decode(logger, renewal_info_b64).hex()
@@ -1165,13 +1528,13 @@ def certid_hex_get(logger: logging.Logger, renewal_info: str) -> Tuple[str, str]
     mda, certid_renewal = renewal_info_hex.split('0420', 1)
     mda = mda[4:]
 
-    logger.debug('certid_hex_get() endet with {0}'.format(certid_renewal))
+    logger.debug('Helper.certid_hex_get() endet with %s', certid_renewal)
     return mda, certid_renewal
 
 
 def certid_check(logger: logging.Logger, renewal_info: str, certid_database: str) -> str:
     """ compare certid with renewal info """
-    logger.debug('certid_check()')
+    logger.debug('Helper.certid_check()')
 
     renewal_info_b64 = b64_url_recode(logger, renewal_info)
     renewal_info_hex = b64_decode(logger, renewal_info_b64).hex()
@@ -1180,13 +1543,13 @@ def certid_check(logger: logging.Logger, renewal_info: str, certid_database: str
     _header, certid_renewal = renewal_info_hex.split('0420', 1)
     result = certid_renewal == certid_database
 
-    logger.debug('certid_check() ended with: {0}'.format(result))
+    logger.debug('Helper.certid_check() ended with: %s', result)
     return result
 
 
 def ip_validate(logger: logging.Logger, ip_addr: str) -> Tuple[str, bool]:
     """  validate ip address """
-    logger.debug('ip_validate({0})'.format(ip_addr))
+    logger.debug('Helper.ip_validate(%s)', ip_addr)
 
     try:
         reverse_pointer = ipaddress.ip_address(ip_addr).reverse_pointer
@@ -1194,13 +1557,13 @@ def ip_validate(logger: logging.Logger, ip_addr: str) -> Tuple[str, bool]:
     except ValueError:
         reverse_pointer = None
         invalid = True
-    logger.debug('ip_validate() ended with: {0}:{1}'.format(reverse_pointer, invalid))
+    logger.debug('Helper.ip_validate() ended with: %s:%s', reverse_pointer, invalid)
     return (reverse_pointer, invalid)
 
 
 def v6_adjust(logger: logging.Logger, url: str) -> Tuple[Dict[str, str], str]:
     """ corner case for v6 addresses """
-    logger.debug('v6_adjust({0})'.format(url))
+    logger.debug('Helper.v6_adjust(%s)', url)
 
     headers = {'Connection': 'close', 'Accept-Encoding': 'gzip', 'User-Agent': USER_AGENT}
 
@@ -1209,25 +1572,348 @@ def v6_adjust(logger: logging.Logger, url: str) -> Tuple[Dict[str, str], str]:
     # adjust headers and url in case we have an ipv6address
     if ipv6_chk(logger, url_dic['host']):
         headers['Host'] = url_dic['host']
-        url = '{0}://[{1}]/{2}'.format(url_dic['proto'], url_dic['host'], url_dic['path'])
+        url = f"{url_dic['proto']}://[{url_dic['host']}]/{url_dic['path']}"
 
-    logger.debug('v6_adjust() ended')
+    logger.debug('Helper.v6_adjust() ended')
     return (headers, url)
 
 
 def ipv6_chk(logger: logging.Logger, address: str) -> bool:
     """ check if an address is ipv6 """
-    logger.debug('ipv6_chk({0})'.format(address))
+    logger.debug('Helper.ipv6_chk(%s)', address)
 
     try:
         # we need to set a host header and braces for ipv6 headers and
         if isinstance(ipaddress.ip_address(address), ipaddress.IPv6Address):
-            logger.debug('v6_adjust(}): ipv6 address detected')
+            logger.debug('Helper.v6_adjust(}): ipv6 address detected')
             result = True
         else:
             result = False
     except Exception:
         result = False
 
-    logger.debug('ipv6_chk() ended with {0}'.format(result))
+    logger.debug('Helper.ipv6_chk() ended with %s', result)
+    return result
+
+
+def domainlist_check(logger, entry: str, list_: List[str], toggle: bool = False) -> bool:
+    """ check string against list """
+    logger.debug('Helper.domainlist_check(%s:%s)', entry, toggle)
+    # print(list_)
+    logger.debug('Helper.check against list: %s', list_)
+
+    # default setting
+    check_result = False
+
+    if entry:
+        if list_:
+            for regex in list_:
+                # check entry
+                check_result = domainlist_entry_check(logger, entry, regex, check_result)
+        else:
+            # empty list, flip parameter to make the check successful
+            check_result = True
+
+    if toggle:
+        # toggle result if this is a blacklist
+        check_result = not check_result
+
+    logger.debug('Helper.domainlist_check() ended with: %s', check_result)
+    return check_result
+
+
+def domainlist_entry_check(logger, entry: str, regex: str, check_result: bool) -> bool:
+    """ check string against regex """
+    logger.debug('Helper.domainlist_entry_check(%s/%s):', entry, regex)
+
+    if regex.startswith('*.'):
+        regex = regex.replace('*.', '.')
+    regex_compiled = re.compile(regex)
+
+    if bool(regex_compiled.search(entry)):
+        # parameter is in set flag accordingly and stop loop
+        check_result = True
+
+    logger.debug('Helper.domainlist_entry_check() ended with: %s', check_result)
+    return check_result
+
+
+def allowed_domainlist_check(logger: logging.Logger, csr, allowed_domain_list: List[str]) -> bool:
+    """ check if domain is in allowed domain list """
+    logger.debug('Helper.allowed_domainlist_check(%s)')
+
+    result = False
+    (san_list, check_list) = sancheck_lists_create(logger, csr)
+
+    # go over the san list and check each entry
+    for san in san_list:
+        check_list.append(domainlist_check(logger, san, allowed_domain_list))
+
+    if check_list:
+        # cover a cornercase with empty checklist (no san, no cn)
+        if False in check_list:
+            result = False
+        else:
+            result = True
+
+    logger.debug('Helper.allowed_domainlist_check() ended with: %s', result)
     return result
+
+
+def sancheck_lists_create(logger, csr: str) -> Tuple[List[str], List[str]]:
+    """ create lists for san check """
+    logger.debug('Helper.sancheck_lists_create()')
+
+    check_list = []
+    san_list = []
+
+    # get sans and build a list
+    _san_list = csr_san_get(logger, csr)
+
+    if _san_list:
+        for san in _san_list:
+            try:
+                # SAN list must be modified/filtered)
+                (_san_type, san_value) = san.lower().split(':')
+                san_list.append(san_value)
+            except Exception:
+                # force check to fail as something went wrong during parsing
+                check_list.append(False)
+                logger.debug('Helper.sancheck_lists_create(): san_list parsing failed at entry: $s', san)
+
+    # get common name and attach it to san_list
+    cn = csr_cn_get(logger, csr)
+
+    if cn:
+        cn = cn.lower()
+        if cn not in san_list:
+            # append cn to san_list
+            logger.debug('Helper.sancheck_lists_create()): append cn to san_list')
+            san_list.append(cn)
+
+    return (san_list, check_list)
+
+
+def eab_profile_header_info_check(logger: logging.Logger, cahandler, csr: str, handler_hifield: str = 'profile_name', ) -> str:
+    """ check profile """
+    logger.debug('Helper.eab_profile_header_info_check()')
+
+    if cahandler.eab_profiling:
+
+        if cahandler.eab_handler:
+            # profiling enabled - check profile
+            error = eab_profile_check(logger, cahandler, csr, handler_hifield)
+        else:
+            logger.error('Helper.eab_profile_header_info_check(): eab_profiling enabled but no handler defined')
+            error = 'Eab_profiling enabled but no handler defined'
+
+    elif cahandler.header_info_field:
+        # no profiling - parse profileid from http_header
+        hil_value = header_info_lookup(logger, csr, cahandler.header_info_field, handler_hifield)
+        if hil_value:
+            logger.debug('Helper.eab_profile_header_info_check(): setting %s to %s', handler_hifield, hil_value)
+            setattr(cahandler, handler_hifield, hil_value)
+            error = None
+        else:
+            logger.debug('Helper.eab_profile_header_info_check(): no header_info field found')
+            error = None
+    else:
+        # no profiling - no header_info_field
+        error = None
+
+    logger.debug('Helper.eab_profile_header_info_check() ended with %s', error)
+    return error
+
+
+def cn_validate(logger: logging.Logger, cn: str) -> bool:
+    """ validate common name """
+    logger.debug('Helper.cn_validate(%s)', cn)
+
+    error = False
+    if cn:
+        # check if CN is a valid IP address
+        result = validate_ip(logger, cn)
+        if not result:
+            # check if CN is a valid fqdn
+            result = validate_fqdn(logger, cn)
+        if not result:
+            error = 'Profile subject check failed: CN validation failed'
+    else:
+        error = 'Profile subject check failed: commonName missing'
+
+    logger.debug('Helper.cn_validate() ended with: %s', error)
+    return error
+
+
+def eab_profile_subject_string_check(logger: logging.Logger, profile_subject_dic, key: str, value: str) -> str:
+    """ check if a for a string value taken from profile if its a variable inside a class and apply value """
+    logger.debug('Helper.eab_profile_subject_string_check(): string: key: %s, value: %s', key, value)
+
+    error = False
+    if key == 'commonName':
+        # check if CN is a valid IP address or fqdn
+        error = cn_validate(logger, value)
+    elif key in profile_subject_dic:
+        if isinstance(profile_subject_dic[key], str) and (value == profile_subject_dic[key] or profile_subject_dic[key] == '*'):
+            logger.debug('Helper.eab_profile_subject_check() successul for string : %s', key)
+            del profile_subject_dic[key]
+        elif isinstance(profile_subject_dic[key], list) and value in profile_subject_dic[key]:
+            logger.debug('Helper.eab_profile_subject_check() successul for list : %s', key)
+            del profile_subject_dic[key]
+        else:
+            logger.error('Helper.eab_profile_subject_check() failed for: %s: value: %s expected: %s', key, value, profile_subject_dic[key])
+            error = f'Profile subject check failed for {key}'
+    else:
+        logger.error('Helper.eab_profile_subject_check() failed for: %s', key)
+        error = f'Profile subject check failed for {key}'
+
+    logger.debug('Helper.eab_profile_subject_string_check() ended')
+    return error
+
+
+def eab_profile_subject_check(logger: logging.Logger, csr: str, profile_subject_dic: str) -> str:
+    """ check subject against profile information"""
+    logger.debug('Helper.eab_profile_subject_check()')
+    error = None
+
+    # get subject from csr
+    subject_dic = csr_subject_get(logger, csr)
+
+    # check if all profile subject entries are in csr
+    for key, value in subject_dic.items():
+        error = eab_profile_subject_string_check(logger, profile_subject_dic, key, value)
+        if error:
+            break
+
+    # check if we have any entries left in the profile_subject_dic
+    if not error and profile_subject_dic:
+        logger.error('Helper.eab_profile_subject_check() failed for: %s', list(profile_subject_dic.keys()))
+        error = 'Profile subject check failed'
+
+    logger.debug('Helper.eab_profile_subject_check() ended with: %s', error)
+    return error
+
+
+def eab_profile_check(logger: logging.Logger, cahandler, csr: str, handler_hifield: str) -> str:
+    """ check eab profile"""
+    logger.debug('Helper.eab_profile_check()')
+
+    result = None
+    with cahandler.eab_handler(logger) as eab_handler:
+        eab_profile_dic = eab_handler.eab_profile_get(csr)
+        for key, value in eab_profile_dic.items():
+            if key == 'subject':
+                result = eab_profile_subject_check(logger, csr, value)
+            elif isinstance(value, str):
+                eab_profile_string_check(logger, cahandler, key, value)
+            elif isinstance(value, list):
+                # check if we need to execute a function from the handler
+                if 'eab_profile_list_check' in dir(cahandler):
+                    result = cahandler.eab_profile_list_check(eab_handler, csr, key, value)
+                else:
+                    result = eab_profile_list_check(logger, cahandler, eab_handler, csr, key, value)
+            if result:
+                break
+
+        # we need to reject situations where profiling is enabled but the header_hifiled is not defined in json
+        if cahandler.header_info_field and handler_hifield not in eab_profile_dic:
+            hil_value = header_info_lookup(logger, csr, cahandler.header_info_field, handler_hifield)
+            if hil_value:
+                # setattr(self, handler_hifield, hil_value)
+                result = f'header_info field "{handler_hifield}" is not allowed by profile'
+
+    logger.debug('Helper.eab_profile_check() ended with: %s', result)
+    return result
+
+
+def eab_profile_list_check(logger, cahandler, eab_handler, csr, key, value):
+    """ check if a for a list value taken from profile if its a variable inside a class and apply value """
+    logger.debug('Helper.eab_profile_list_check(): list: key: %s, value: %s', key, value)
+
+    result = None
+    if hasattr(cahandler, key) and key != 'allowed_domainlist':
+        new_value, error = header_info_field_validate(logger, csr, cahandler.header_info_field, key, value)
+        if new_value:
+            logger.debug('Helper.eab_profile_list_check(): setting attribute: %s to %s', key, new_value)
+            setattr(cahandler, key, new_value)
+        else:
+            result = error
+    elif key == 'allowed_domainlist':
+        # check if csr contains allowed domains
+        error = eab_handler.allowed_domains_check(csr, value)
+        if error:
+            result = error
+    else:
+        logger.error('Helper.eab_profile_list_check(): ignore list attribute: key: %s value: %s', key, value)
+
+    logger.debug('Helper.eab_profile_list_check() ended with: %s', result)
+    return result
+
+
+def eab_profile_string_check(logger, cahandler, key, value):
+    """ check if a for a string value taken from profile if its a variable inside a class and apply value """
+    logger.debug('Helper.eab_profile_string_check(): string: key: %s, value: %s', key, value)
+
+    if hasattr(cahandler, key):
+        logger.debug('Helper.eab_profile_string_check(): setting attribute: %s to %s', key, value)
+        setattr(cahandler, key, value)
+    else:
+        logger.error('Helper.eab_profile_string_check(): ignore string attribute: key: %s value: %s', key, value)
+
+    logger.debug('Helper.eab_profile_string_check() ended')
+
+
+def request_operation(logger: logging.Logger, headers: Dict[str, str] = None, proxy: Dict[str, str] = None, timeout: int = 20, url: str = None, session=requests, method: str = 'GET', payload: Dict[str, str] = None):
+    """ check if a for a string value taken from profile if its a variable inside a class and apply value """
+    logger.debug('Helper.api_operation(): method: %s', method)
+
+    try:
+        if method.lower() == 'get':
+            api_response = session.get(url=url, headers=headers, proxies=proxy, timeout=timeout)
+        elif method.lower() == 'post':
+            api_response = session.post(url=url, headers=headers, proxies=proxy, timeout=timeout, json=payload)
+        elif method.lower() == 'put':
+            api_response = session.put(url=url, headers=headers, proxies=proxy, timeout=timeout, json=payload)
+        else:
+            logger.error('unknown request method: %s', method)
+            api_response = None
+
+        code = api_response.status_code
+        if api_response.text:
+            try:
+                content = api_response.json()
+            except Exception as err_:
+                logger.error('request_operation returned error during json parsing: %s', err_)
+                content = str(err_)
+        else:
+            content = None
+
+    except Exception as err_:
+        logger.error('request_operation returned error: %s', err_)
+        code = 500
+        content = str(err_)
+
+    logger.debug('Helper.request_operation() ended with: %s', code)
+    return code, content
+
+
+def csr_cn_lookup(logger: logging.Logger, csr: str) -> str:
+    """ lookup  CN/ 1st san from CSR """
+    logger.debug('CAhandler._csr_cn_lookup()')
+
+    csr_cn = csr_cn_get(logger, csr)
+    if not csr_cn:
+        # lookup first san
+        san_list = csr_san_get(logger, csr)
+        if san_list and len(san_list) > 0:
+            for san in san_list:
+                try:
+                    csr_cn = san.split(':')[1]
+                    break
+                except Exception as err:
+                    logger.error('CAhandler._csr_cn_lookup() split failed: %s', err)
+        else:
+            logger.error('CAhandler._csr_cn_lookup() no SANs found in CSR')
+
+    logger.debug('CAhandler._csr_cn_lookup() ended with: %s', csr_cn)
+    return csr_cn
diff --git a/acme_srv/housekeeping.py b/acme_srv/housekeeping.py
index 01649f4c..fd41a71e 100644
--- a/acme_srv/housekeeping.py
+++ b/acme_srv/housekeeping.py
@@ -1,5 +1,4 @@
 # -*- coding: utf-8 -*-
-# pylint: disable=c0209
 """ Housekeeping class """
 from __future__ import print_function
 import csv
@@ -37,7 +36,7 @@ def _accountlist_get(self) -> Dict[str, str]:
         try:
             result = self.dbstore.accountlist_get()
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Housekeeping._accountlist_get(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Housekeeping._accountlist_get(): %s', err_)
             result = None
         return result
 
@@ -47,7 +46,7 @@ def _certificatelist_get(self) -> Dict[str, str]:
         try:
             result = self.dbstore.certificatelist_get()
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Housekeeping.certificatelist_get(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Housekeeping.certificatelist_get(): %s', err_)
             result = None
         return result
 
@@ -68,7 +67,7 @@ def _cliaccounts_list(self, silent: bool = True) -> Dict[str, str]:
         try:
             result = self.dbstore.cliaccountlist_get()
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Housekeeping._cliaccounts_list(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Housekeeping._cliaccounts_list(): %s', err_)
             result = None
         if result and not silent:
             self._cliaccounts_format(result)
@@ -78,14 +77,14 @@ def _cliaccounts_format(self, result_list: List[str]):
         """ format cliaccount report """
         self.logger.debug('Housekeeping._cliaccounts_format()')
         try:
-            print('\n{0}|{1}|{2}|{3}|{4}|{5}'.format('Name'.ljust(15), 'Contact'.ljust(20), 'cliadm'.ljust(6), 'repadm'.ljust(6), 'certadm'.ljust(7), 'Created at'.ljust(20)))
+            print(f"\n{'Name'.ljust(15)}|{'Contact'.ljust(20)}|{'cliadm'.ljust(6)}|{'repadm'.ljust(6)}|{'certadm'.ljust(7)}|{'Created at'.ljust(20)}")
             print('-' * 78)
             for account in sorted(result_list, key=lambda k: k['id']):
-                print('{0}|{1}|{2}|{3}|{4}|{5}'.format(account['name'][:15].ljust(15), account['contact'][:20].ljust(20), str(bool(account['cliadmin'])).ljust(6), str(bool(account['reportadmin'])).ljust(6), str(bool(account['certificateadmin'])).ljust(7), account['created_at'].ljust(20)))
+                print(f"{account['name'][:15].ljust(15)}|{account['contact'][:20].ljust(20)}|{str(bool(account['cliadmin'])).ljust(6)}|{str(bool(account['reportadmin'])).ljust(6)}|{str(bool(account['certificateadmin'])).ljust(7)}|{account['created_at'].ljust(20)}")
             print('\n')
         except Exception as err:
             self.logger.error('acme2certifier error in Housekeeping._cliaccounts_format()')
-            self.logger.error('acme2certifier error in Housekeeping._cliaccounts_format(): {0}'.format(err))
+            self.logger.error('acme2certifier error in Housekeeping._cliaccounts_format(): %s', err)
 
     def _report_get(self, payload: Dict[str, str]) -> Tuple[Dict[str, str], int, str, str]:
         """ create report """
@@ -130,7 +129,7 @@ def _clireport_get(self, payload: Dict[str, str], permissions_dic: Dict[str, str
             message = self.error_msg_dic['unauthorized']
             detail = 'No permissions to download reports'
 
-        self.logger.debug('Housekeeping._clireport_get() returned with: {0}/{1}'.format(code, detail))
+        self.logger.debug('Housekeeping._clireport_get() returned with: %s/%s', code, detail)
         return (code, message, detail, response_dic)
 
     def _config_load(self):
@@ -240,7 +239,7 @@ def _data_dic_build(self, config_dic: Dict[str, str]) -> Dict[str, str]:
                 try:
                     data_dic.update(config_dic['permissions'])
                 except Exception as err:
-                    self.logger.error('acme2certifier  error in Housekeeping._data_dic_build(): {0}'.format(err))
+                    self.logger.error('acme2certifier  error in Housekeeping._data_dic_build(): %s', err)
 
             if 'jwk' in config_dic:
                 data_dic['jwk'] = json.dumps(config_dic['jwk'])
@@ -266,12 +265,12 @@ def _fieldlist_normalize(self, field_list: List[str], prefix: str) -> Dict[str,
             f_list = field.split('__')
             # items from selected list which do not have a table reference get prefix added
             if len(f_list) == 1:
-                new_field = '{0}.{1}'.format(prefix, field)
+                new_field = f'{prefix}.{field}'
             elif f_list[-2] == 'status' and len(f_list) >= 3:
                 # status fields have one reference more
-                new_field = '{0}.{1}.{2}'.format(f_list[-3], f_list[-2], f_list[-1])
+                new_field = f'{f_list[-3]}.{f_list[-2]}.{f_list[-1]}'
             else:
-                new_field = '{0}.{1}'.format(f_list[-2], f_list[-1])
+                new_field = f'{f_list[-2]}.{f_list[-1]}'
             field_dic[field] = new_field
 
         return field_dic
@@ -430,7 +429,7 @@ def _to_list(self, field_list: List[str], cert_list: List[str]) -> List[str]:
 
             # append list to output
             csv_list.append(tmp_list)
-        self.logger.debug('Housekeeping._to_list() ended with {0} entries'.format(len(csv_list)))
+        self.logger.debug('Housekeeping._to_list() ended with %s entries', len(csv_list))
         return csv_list
 
     def accountreport_get(self, report_format: str = 'csv', report_name: str = None, nested: bool = False) -> List[str]:
@@ -445,18 +444,18 @@ def accountreport_get(self, report_format: str = 'csv', report_name: str = None,
         account_list = self._convert_data(account_list)
 
         if account_list:
-            self.logger.debug('output to dump: {0}.{1}'.format(report_name, report_format))
+            self.logger.debug('output to dump: %s.%s', report_name, report_format)
             if report_format == 'csv':
                 self.logger.debug('Housekeeping.certreport_get() dump in csv-format')
                 csv_list = self._to_list(field_list, account_list)
                 account_list = csv_list
                 if report_name:
-                    self._csv_dump('{0}.{1}'.format(report_name, report_format), csv_list)
+                    self._csv_dump(f'{report_name}.{report_format}', csv_list)
             elif report_format == 'json':
                 if nested:
                     account_list = self._to_acc_json(account_list)
                 if report_name:
-                    self._json_dump('{0}.{1}'.format(report_name, report_format), account_list)
+                    self._json_dump(f'{report_name}.{report_format}', account_list)
 
         return account_list
 
@@ -478,17 +477,17 @@ def certreport_get(self, report_format: str = 'csv', report_name: str = None) ->
         field_list.insert(8, 'certificate.expire_date')
 
         if cert_list:
-            self.logger.debug('Prepare output in: {0} format'.format(report_format))
+            self.logger.debug('Prepare output in: %s format', report_format)
             if report_format == 'csv':
                 self.logger.debug('Housekeeping.certreport_get(): Dump in csv-format')
                 csv_list = self._to_list(field_list, cert_list)
                 cert_list = csv_list
                 if report_name:
-                    self._csv_dump('{0}.{1}'.format(report_name, report_format), csv_list)
+                    self._csv_dump(f'{report_name}.{report_format}', csv_list)
             elif report_format == 'json':
                 self.logger.debug('Housekeeping.certreport_get(): Dump in json-format')
                 if report_name:
-                    self._json_dump('{0}.{1}'.format(report_name, report_format), cert_list)
+                    self._json_dump(f'{report_name}.{report_format}', cert_list)
             else:
                 self.logger.info('Housekeeping.certreport_get(): No dump just return report')
 
@@ -519,10 +518,10 @@ def certificates_cleanup(self, uts: int = None, purge: bool = False, report_form
                     if report_format == 'csv':
                         self.logger.debug('Housekeeping.certificates_cleanup(): Dump in csv-format')
                         csv_list = self._to_list(field_list, cert_list)
-                        self._csv_dump('{0}.{1}'.format(report_name, report_format), csv_list)
+                        self._csv_dump(f'{report_name}.{report_format}', csv_list)
                     elif report_format == 'json':
                         self.logger.debug('Housekeeping.certificates_cleanup(): Dump in json-format')
-                        self._json_dump('{0}.{1}'.format(report_name, report_format), cert_list)
+                        self._json_dump(f'{report_name}.{report_format}', cert_list)
                     else:
                         self.logger.debug('Housekeeping.certificates_cleanup():  No dump just return report')
                 else:
@@ -554,13 +553,13 @@ def cli_usermgr(self, config_dic: Dict[str, str]) -> int:
                     self.logger.error('acme2certifier error in Housekeeping.cli_usermgr(): data incomplete')
 
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Housekeeping.cli_usermgr(): {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Housekeeping.cli_usermgr(): %s', err_)
 
         return result
 
     def authorizations_invalidate(self, uts: int = uts_now(), report_format: str = 'csv', report_name: str = None):
         """ authorizations cleanup based on expiry date """
-        self.logger.debug('Housekeeping.authorization_invalidate({0})'.format(uts))
+        self.logger.debug('Housekeeping.authorization_invalidate(%s)', uts)
 
         with Authorization(self.debug, None, self.logger) as authorization:
             # get expired orders
@@ -576,10 +575,10 @@ def authorizations_invalidate(self, uts: int = uts_now(), report_format: str = '
                     if report_format == 'csv':
                         self.logger.debug('Housekeeping.authorizations_invalidate(): Dump in csv-format')
                         csv_list = self._to_list(field_list, authorization_list)
-                        self._csv_dump('{0}.{1}'.format(report_name, report_format), csv_list)
+                        self._csv_dump(f'{report_name}.{report_format}', csv_list)
                     elif report_format == 'json':
                         self.logger.debug('Housekeeping.authorizations_invalidate(): Dump in json-format')
-                        self._json_dump('{0}.{1}'.format(report_name, report_format), authorization_list)
+                        self._json_dump(f'{report_name}.{report_format}', authorization_list)
                     else:
                         self.logger.debug('Housekeeping.authorizations_invalidate():  No dump just return report')
                 else:
@@ -587,25 +586,25 @@ def authorizations_invalidate(self, uts: int = uts_now(), report_format: str = '
 
     def dbversion_check(self, version: str = None):
         """ check database version """
-        self.logger.debug('Housekeeping.dbversion_check({0})'.format(version))
+        self.logger.debug('Housekeeping.dbversion_check(%s)', version)
 
         if version:
             try:
                 (result, script_name) = self.dbstore.dbversion_get()
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Housekeeping.dbversion_check(): {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Housekeeping.dbversion_check(): %s', err_)
                 result = None
                 script_name = 'handler specific migration'
             if result != version:
-                self.logger.critical('acme2certifier database version mismatch in: version is {0} but should be {1}. Please run the "{2}" script'.format(result, version, script_name))
+                self.logger.critical('acme2certifier database version mismatch in: version is %s but should be %s. Please run the "%s" script', result, version, script_name)
             else:
-                self.logger.debug('acme2certifier database version: {0} is upto date'.format(version))
+                self.logger.debug('acme2certifier database version: %s is upto date', version)
         else:
             self.logger.critical('acme2certifier database version could not be verified in Housekeeping.dbversion_check()')
 
     def orders_invalidate(self, uts: int = uts_now(), report_format: str = 'csv', report_name: str = None) -> List[str]:
         """ orders cleanup based on expiry date"""
-        self.logger.debug('Housekeeping.orders_invalidate({0})'.format(uts))
+        self.logger.debug('Housekeeping.orders_invalidate(%s)', uts)
 
         with Order(self.debug, None, self.logger) as order:
             # get expired orders
@@ -621,10 +620,10 @@ def orders_invalidate(self, uts: int = uts_now(), report_format: str = 'csv', re
                     if report_format == 'csv':
                         self.logger.debug('Housekeeping.orders_invalidate(): Dump in csv-format')
                         csv_list = self._to_list(field_list, order_list)
-                        self._csv_dump('{0}.{1}'.format(report_name, report_format), csv_list)
+                        self._csv_dump(f'{report_name}.{report_format}', csv_list)
                     elif report_format == 'json':
                         self.logger.debug('Housekeeping.orders_invalidate(): Dump in json-format')
-                        self._json_dump('{0}.{1}'.format(report_name, report_format), order_list)
+                        self._json_dump(f'{report_name}.{report_format}', order_list)
                     else:
                         self.logger.debug('Housekeeping.orders_invalidate():  No dump just return report')
                 else:
diff --git a/acme_srv/message.py b/acme_srv/message.py
index fd8dbad7..a79ac775 100644
--- a/acme_srv/message.py
+++ b/acme_srv/message.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# pylint: disable=c0209
+# pylint: disable=r0913
 """ message class """
 from __future__ import print_function
 import json
@@ -49,7 +49,7 @@ def _name_rev_get(self, content: Dict[str, str]) -> str:
         try:
             account_list = self.dbstore.account_lookup('jwk', json.dumps(content['jwk']))
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Message._name_rev_get(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Message._name_rev_get(): %s', err_)
             account_list = []
         if account_list:
             if 'name' in account_list:
@@ -59,7 +59,7 @@ def _name_rev_get(self, content: Dict[str, str]) -> str:
         else:
             kid = None
 
-        self.logger.debug('Message._name_rev_get() ended with kid: {0}'.format(kid))
+        self.logger.debug('Message._name_rev_get() ended with kid: %s', kid)
         return kid
 
     def _name_get(self, content: Dict[str, str]) -> str:
@@ -67,19 +67,19 @@ def _name_get(self, content: Dict[str, str]) -> str:
         self.logger.debug('Message._name_get()')
 
         if 'kid' in content:
-            self.logger.debug('kid: {0}'.format(content['kid']))
-            kid = content['kid'].replace('{0}{1}'.format(self.server_name, self.path_dic['acct_path']), '')
+            self.logger.debug('kid: %s', content['kid'])
+            kid = content['kid'].replace(f'{self.server_name}{self.path_dic["acct_path"]}', '')
             if '/' in kid:
                 kid = None
         elif 'jwk' in content and 'url' in content:
-            if content['url'] == '{0}{1}'.format(self.server_name, self.path_dic['revocation_path']):
+            if content['url'] == f'{self.server_name}{self.path_dic["revocation_path"]}':
                 # this is needed for cases where we get a revocation message signed with account key but account name is missing
                 kid = self._name_rev_get(content)
             else:
                 kid = None
         else:
             kid = None
-        self.logger.debug('Message._name_get() returns: {0}'.format(kid))
+        self.logger.debug('Message._name_get() returns: %s', kid)
         return kid
 
     def _check(self, skip_nonce_check: bool, skip_signature_check: bool, content: str, protected: Dict[str, str], use_emb_key: bool) -> Tuple[int, str, str, str]:
@@ -114,13 +114,14 @@ def _check(self, skip_nonce_check: bool, skip_signature_check: bool, content: st
                 message = error
                 detail = error_detail
 
-        self.logger.debug('Message._check() ended with: {0}'.format(code))
+        self.logger.debug('Message._check() ended with: %s', code)
         return (code, message, detail, account_name)
 
     # pylint: disable=R0914
     def check(self, content: str, use_emb_key: bool = False, skip_nonce_check: bool = False) -> Tuple[int, str, str, Dict[str, str], Dict[str, str], str]:
         """ validate message """
         self.logger.debug('Message.check()')
+
         # disable signature check if paramter has been set
         if self.disable_dic['signature_check_disable']:
             self.logger.error('**** SIGNATURE_CHECK_DISABLE!!! Severe security issue ****')
@@ -139,7 +140,7 @@ def check(self, content: str, use_emb_key: bool = False, skip_nonce_check: bool
             message = 'urn:ietf:params:acme:error:malformed'
             detail = error_detail
 
-        self.logger.debug('Message.check() ended with:{0}'.format(code))
+        self.logger.debug('Message.check() ended with:%s', code)
         return (code, message, detail, protected, payload, account_name)
 
     def cli_check(self, content: str) -> Tuple[int, str, str, Dict[str, str], Dict[str, str], str, Dict[str, str]]:
@@ -171,7 +172,7 @@ def cli_check(self, content: str) -> Tuple[int, str, str, Dict[str, str], Dict[s
             message = 'urn:ietf:params:acme:error:malformed'
             detail = error_detail
 
-        self.logger.debug('Message.check() ended with:{0}'.format(code))
+        self.logger.debug('Message.check() ended with:%s', code)
         return (code, message, detail, protected, payload, account_name, permissions)
 
     def prepare_response(self, response_dic: Dict[str, str], status_dic: Dict[str, str], add_nonce: bool = True) -> Dict[str, str]:
diff --git a/acme_srv/nonce.py b/acme_srv/nonce.py
index 78243389..63924ac1 100644
--- a/acme_srv/nonce.py
+++ b/acme_srv/nonce.py
@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
 """ Nonce class """
-# pylint: disable=c0209
 from __future__ import print_function
 import uuid
 from typing import Tuple, Dict
@@ -24,19 +23,19 @@ def __exit__(self, *args):
 
     def _check_and_delete(self, nonce: str) -> Tuple[int, str, str]:
         """ check if nonce exists and delete it """
-        self.logger.debug('Nonce.nonce._check_and_delete({0})'.format(nonce))
+        self.logger.debug('Nonce.nonce._check_and_delete(%s)', nonce)
 
         try:
             nonce_chk_result = self.dbstore.nonce_check(nonce)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error during nonce_check() in Nonce._check_and_delete(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error during nonce_check() in Nonce._check_and_delete(): %s', err_)
             nonce_chk_result = False
 
         if nonce_chk_result:
             try:
                 self.dbstore.nonce_delete(nonce)
             except Exception as err_:
-                self.logger.critical('acme2certifier database error during nonce_delete() in Nonce._check_and_delete(): {0}'.format(err_))
+                self.logger.critical('acme2certifier database error during nonce_delete() in Nonce._check_and_delete(): %s', err_)
             code = 200
             message = None
             detail = None
@@ -44,7 +43,7 @@ def _check_and_delete(self, nonce: str) -> Tuple[int, str, str]:
             code = 400
             message = 'urn:ietf:params:acme:error:badNonce'
             detail = nonce
-        self.logger.debug('Nonce._check_and_delete() ended with:{0}'.format(code))
+        self.logger.debug('Nonce._check_and_delete() ended with:%s', code)
         return (code, message, detail)
 
     def _new(self) -> str:
@@ -61,18 +60,18 @@ def check(self, protected_decoded: Dict[str, str]) -> Tuple[int, str, str]:
             code = 400
             message = 'urn:ietf:params:acme:error:badNonce'
             detail = 'NONE'
-        self.logger.debug('Nonce.check_nonce() ended with:{0}'.format(code))
+        self.logger.debug('Nonce.check_nonce() ended with:%s', code)
         return (code, message, detail)
 
     def generate_and_add(self) -> str:
         """ generate new nonce and store it """
         self.logger.debug('Nonce.nonce_generate_and_add()')
         nonce = self._new()
-        self.logger.debug('got nonce: {0}'.format(nonce))
-        # self.logger.critical('foo')
+
+        self.logger.debug('got nonce: %s', nonce)
         try:
             _id = self.dbstore.nonce_add(nonce)  # lgtm [py/unused-local-variable]
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Nonce.generate_and_add(): {0}'.format(err_))
-        self.logger.debug('Nonce.generate_and_add() ended with:{0}'.format(nonce))
+            self.logger.critical('acme2certifier database error in Nonce.generate_and_add(): %s', err_)
+        self.logger.debug('Nonce.generate_and_add() ended with:%s', nonce)
         return nonce
diff --git a/acme_srv/order.py b/acme_srv/order.py
index b83bba2d..4214e51b 100644
--- a/acme_srv/order.py
+++ b/acme_srv/order.py
@@ -1,10 +1,9 @@
 # -*- coding: utf-8 -*-
 """ Order class """
-# pylint: disable=c0209
 from __future__ import print_function
 import json
 from typing import List, Tuple, Dict
-from acme_srv.helper import b64_url_recode, generate_random_string, load_config, parse_url, uts_to_date_utc, uts_now, error_dic_get
+from acme_srv.helper import b64_url_recode, generate_random_string, load_config, parse_url, uts_to_date_utc, uts_now, error_dic_get, validate_identifier
 from acme_srv.certificate import Certificate
 from acme_srv.db_handler import DBstore
 from acme_srv.message import Message
@@ -27,6 +26,7 @@ def __init__(self, debug: bool = None, srv_name: str = None, logger: object = No
         self.retry_after = 600
         self.tnauthlist_support = False
         self.sectigo_sim = False
+        self.identifier_limit = 20
         self.header_info_list = []
 
     def __enter__(self):
@@ -38,7 +38,7 @@ def __exit__(self, *args):
         """ cose the connection at the end of the context """
 
     def _auth_add(self, oid: str, payload: Dict[str, str], auth_dic: Dict[str, str]) -> str:
-        self.logger.debug('Order._auth_add({0})'.format(oid))
+        self.logger.debug('Order._auth_add(%s)', oid)
 
         if oid:
             error = None
@@ -57,16 +57,17 @@ def _auth_add(self, oid: str, payload: Dict[str, str], auth_dic: Dict[str, str])
                         auth['status'] = 'valid'
                         self.dbstore.authorization_update(auth)
                 except Exception as err_:
-                    self.logger.critical('acme2certifier database error in Order._add() authz: {0}'.format(err_))
+                    self.logger.critical('acme2certifier database error in Order._add() authz: %s', err_)
         else:
             error = self.error_msg_dic['malformed']
 
-        self.logger.debug('Order._auth_add() ended with {0}'.format(error))
+        self.logger.debug('Order._auth_add() ended with %s', error)
         return error
 
     def _add(self, payload: Dict[str, str], aname: str) -> Tuple[str, str, Dict[str, str], int]:
         """ add order request to database """
-        self.logger.debug('Order._add({0})'.format(aname))
+        self.logger.debug('Order._add(%s)', aname)
+
         error = None
         auth_dic = {}
         order_name = generate_random_string(self.logger, 12)
@@ -91,7 +92,7 @@ def _add(self, payload: Dict[str, str], aname: str) -> Tuple[str, str, Dict[str,
                 # add order to db
                 oid = self.dbstore.order_add(data_dic)
             except Exception as err_:
-                self.logger.critical('acme2certifier database error in Order._add() order: {0}'.format(err_))
+                self.logger.critical('acme2certifier database error in Order._add() order: %s', err_)
                 oid = None
 
             if not error:
@@ -111,7 +112,7 @@ def _config_headerinfo_config_load(self, config_dic: Dict[str, str]):
             try:
                 self.header_info_list = json.loads(config_dic['Order']['header_info_list'])
             except Exception as err_:
-                self.logger.warning('Order._config_orderconfig_load() header_info_list failed with error: {0}'.format(err_))
+                self.logger.warning('Order._config_orderconfig_load() header_info_list failed with error: %s', err_)
 
         self.logger.debug('Order._config_headerinfo_config_load() ended')
 
@@ -130,12 +131,16 @@ def _config_orderconfig_load(self, config_dic: Dict[str, str]):
                 try:
                     self.retry_after = int(config_dic['Order']['retry_after_timeout'])
                 except Exception:
-                    self.logger.warning('Order._config_load(): failed to parse retry_after: {0}'.format(config_dic['Order']['retry_after_timeout']))
+                    self.logger.warning('Order._config_load(): failed to parse retry_after: %s', config_dic['Order']['retry_after_timeout'])
             if 'validity' in config_dic['Order']:
                 try:
                     self.validity = int(config_dic['Order']['validity'])
                 except Exception:
-                    self.logger.warning('Order._config_load(): failed to parse validity: {0}'.format(config_dic['Order']['validity']))
+                    self.logger.warning('Order._config_load(): failed to parse validity: %s', config_dic['Order']['validity'])
+            try:
+                self.identifier_limit = int(config_dic.get('Order', 'identifier_limit', fallback=20))
+            except Exception:
+                self.logger.warning('Order._config_load(): failed to parse identifier_limit: %s', config_dic['Order']['identifier_limit'])
 
         self.logger.debug('Order._config_orderconfig_load() ended')
 
@@ -153,7 +158,7 @@ def _config_load(self):
                 try:
                     self.authz_validity = int(config_dic['Authorization']['validity'])
                 except Exception:
-                    self.logger.warning('Order._config_load(): failed to parse authz validity: {0}'.format(config_dic['Authorization']['validity']))
+                    self.logger.warning('Order._config_load(): failed to parse authz validity: %s', config_dic['Authorization']['validity'])
 
         if 'Directory' in config_dic and 'url_prefix' in config_dic['Directory']:
             self.path_dic = {k: config_dic['Directory']['url_prefix'] + v for k, v in self.path_dic.items()}
@@ -162,7 +167,8 @@ def _config_load(self):
 
     def _name_get(self, url: str) -> str:
         """ get ordername """
-        self.logger.debug('Order._name_get({0})'.format(url))
+        self.logger.debug('Order._name_get(%s)', url)
+
         url_dic = parse_url(self.logger, url)
         order_name = url_dic['path'].replace(self.path_dic['order_path'], '')
         if '/' in order_name:
@@ -170,9 +176,10 @@ def _name_get(self, url: str) -> str:
         self.logger.debug('Order._name_get() ended')
         return order_name
 
-    def _identifiers_check(self, identifiers_list: List[str]) -> str:
-        """ check validity of identifers in order """
-        self.logger.debug('Order._identifiers_check({0})'.format(identifiers_list))
+    def _identifiers_allowed(self, identifiers_list: List[str]) -> bool:
+        """ check if identifiers are allowed """
+        self.logger.debug('Order._identifiers_allowed()')
+
         error = None
         allowed_identifers = ['dns', 'ip']
 
@@ -180,27 +187,44 @@ def _identifiers_check(self, identifiers_list: List[str]) -> str:
         if self.tnauthlist_support:
             allowed_identifers.append('tnauthlist')
 
-        if identifiers_list and isinstance(identifiers_list, list):
-            for identifier in identifiers_list:
-                if 'type' in identifier:
-                    if identifier['type'].lower() not in allowed_identifers:
-                        error = self.error_msg_dic['unsupportedidentifier']
-                        break
+        for identifier in identifiers_list:
+            if 'type' in identifier:
+                # pylint: disable=R1723
+                if identifier['type'].lower() not in allowed_identifers:
+                    error = self.error_msg_dic['unsupportedidentifier']
+                    break
                 else:
-                    error = self.error_msg_dic['malformed']
+                    if not validate_identifier(self.logger, identifier['type'].lower(), identifier['value'], self.tnauthlist_support):
+                        error = self.error_msg_dic['rejectedidentifier']
+                        break
+            else:
+                error = self.error_msg_dic['malformed']
+
+        self.logger.debug('Order._identifiers_allowed() ended with: %s', error)
+        return error
+
+    def _identifiers_check(self, identifiers_list: List[str]) -> str:
+        """ check validity of identifers in order """
+        self.logger.debug('Order._identifiers_check(%s)', identifiers_list)
+
+        if identifiers_list and isinstance(identifiers_list, list):
+            if len(identifiers_list) > self.identifier_limit:
+                error = self.error_msg_dic['rejectedidentifier']
+            else:
+                error = self._identifiers_allowed(identifiers_list)
         else:
             error = self.error_msg_dic['malformed']
 
-        self.logger.debug('Order._identifiers_check() done with {0}:'.format(error))
+        self.logger.debug('Order._identifiers_check() done with %s:', error)
         return error
 
     def _info(self, order_name: str) -> Dict[str, str]:
         """ list details of an order """
-        self.logger.debug('Order._info({0})'.format(order_name))
+        self.logger.debug('Order._info(%s)', order_name)
         try:
             result = self.dbstore.order_lookup('name', order_name)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Order._info(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Order._info(): %s', err_)
             result = None
         return result
 
@@ -218,7 +242,7 @@ def _header_info_lookup(self, header: str) -> str:
         if header_info_dic:
             result = json.dumps(header_info_dic)
 
-        self.logger.debug('Order._header_info_lookup() ended with: {0} keys in dic'.format(len(header_info_dic.keys())))
+        self.logger.debug('Order._header_info_lookup() ended with: %s keys in dic', len(header_info_dic.keys()))
         return result
 
     def _finalize(self, order_name: str, payload: Dict[str, str], header: str = None) -> Tuple[int, str, str, str]:
@@ -267,7 +291,8 @@ def _finalize(self, order_name: str, payload: Dict[str, str], header: str = None
 
     def _process(self, order_name: str, protected: Dict[str, str], payload: Dict[str, str], header: str = None) -> Tuple[int, str, str, str]:
         """ process order """
-        self.logger.debug('Order._process({0})'.format(order_name))
+        self.logger.debug('Order._process({%s)', order_name)
+
         certificate_name = None
         message = None
         detail = None
@@ -283,7 +308,7 @@ def _process(self, order_name: str, protected: Dict[str, str], payload: Dict[str
                 try:
                     cert_dic = self.dbstore.certificate_lookup('order__name', order_name)
                 except Exception as err_:
-                    self.logger.critical('acme2certifier database error in Order._process(): {0}'.format(err_))
+                    self.logger.critical('acme2certifier database error in Order._process(): %s', err_)
                     cert_dic = {}
                 if cert_dic:
                     # we found a cert in the database
@@ -295,12 +320,12 @@ def _process(self, order_name: str, protected: Dict[str, str], payload: Dict[str
             message = self.error_msg_dic['malformed']
             detail = 'url is missing in protected'
 
-        self.logger.debug('Order._process() ended with order:{0} {1}:{2}:{3}'.format(order_name, code, message, detail))
+        self.logger.debug('Order._process() ended with order:%s %s:%s:%s', order_name, code, message, detail)
         return (code, message, detail, certificate_name)
 
     def _csr_process(self, order_name: str, csr: str, header_info: str) -> Tuple[int, str, str]:
         """ process certificate signing request """
-        self.logger.debug('Order._csr_process({0})'.format(order_name))
+        self.logger.debug('Order._csr_process(%s)', order_name)
 
         order_dic = self._info(order_name)
 
@@ -327,18 +352,19 @@ def _csr_process(self, order_name: str, csr: str, header_info: str) -> Tuple[int
         else:
             code = 400
             message = self.error_msg_dic['unauthorized']
-            detail = 'order: {0} not found'.format(order_name)
+            detail = f'order: {order_name} not found'
 
-        self.logger.debug('Order._csr_process() ended with order:{0} {1}:{2}:{3}'.format(order_name, code, message, detail))
+        self.logger.debug('Order._csr_process() ended with order:%s %s:{%s:%s', order_name, code, message, detail)
         return (code, message, detail)
 
     def _update(self, data_dic: Dict[str, str]):
         """ update order based on ordername """
-        self.logger.debug('Order._update({0})'.format(data_dic))
+        self.logger.debug('Order._update(%s)', data_dic)
+
         try:
             self.dbstore.order_update(data_dic)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Order._update(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Order._update(): %s', err_)
 
     def _order_dic_create(self, tmp_dic: Dict[str, str]) -> Dict[str, str]:
         """ create order dictionary """
@@ -357,19 +383,19 @@ def _order_dic_create(self, tmp_dic: Dict[str, str]) -> Dict[str, str]:
             try:
                 order_dic['identifiers'] = json.loads(tmp_dic['identifiers'])
             except Exception:
-                self.logger.error('Order._order_dic_create(): error while parsing the identifier {0}'.format(tmp_dic['identifiers']))
+                self.logger.error('Order._order_dic_create(): error while parsing the identifier %s', tmp_dic['identifiers'])
 
         self.logger.debug('Order._order_dic_create() ended')
         return order_dic
 
     def _authz_list_lookup(self, order_name: str) -> List[str]:
         """ lookup authorization list """
-        self.logger.debug('Order._authz_list_lookup({0})'.format(order_name))
+        self.logger.debug('Order._authz_list_lookup(%s)', order_name)
 
         try:
             authz_list = self.dbstore.authorization_lookup('order__name', order_name, ['name', 'status__name'])
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Order._authz_list_lookup(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Order._authz_list_lookup(): %s', err_)
             authz_list = []
 
         self.logger.debug('Order._authz_list_lookup() ended')
@@ -380,7 +406,7 @@ def _validity_list_create(self, authz_list: List[str], order_dic: Dict[str, str]
         validity_list = []
         for authz in authz_list:
             if 'name' in authz:
-                order_dic["authorizations"].append('{0}{1}{2}'.format(self.server_name, self.path_dic['authz_path'], authz['name']))
+                order_dic["authorizations"].append(f'{self.server_name}{self.path_dic["authz_path"]}{authz["name"]}')
             if 'status__name' in authz:
                 if authz['status__name'] == 'valid':
                     validity_list.append(True)
@@ -396,7 +422,7 @@ def _validity_list_create(self, authz_list: List[str], order_dic: Dict[str, str]
 
     def _lookup(self, order_name: str) -> Dict[str, str]:
         """ sohw order details based on ordername """
-        self.logger.debug('Order._validity_list_create({0})'.format(order_name))
+        self.logger.debug('Order._validity_list_create(%s)', order_name)
         order_dic = {}
 
         tmp_dic = self._info(order_name)
@@ -417,16 +443,16 @@ def _lookup(self, order_name: str) -> Dict[str, str]:
 
     def invalidate(self, timestamp: int = None) -> Tuple[List[str], List[str]]:
         """ invalidate orders """
-        self.logger.debug('Order.invalidate({0})'.format(timestamp))
+        self.logger.debug('Order.invalidate(%s)', timestamp)
         if not timestamp:
             timestamp = uts_now()
-            self.logger.debug('Order.invalidate(): set timestamp to {0}'.format(timestamp))
+            self.logger.debug('Order.invalidate(): set timestamp to %s', timestamp)
 
         field_list = ['id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact']
         try:
             order_list = self.dbstore.orders_invalid_search('expires', timestamp, vlist=field_list, operant='<=')
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Order._invalidate() search: {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Order._invalidate() search: %s', err_)
             order_list = []
         output_list = []
         for order in order_list:
@@ -438,9 +464,9 @@ def invalidate(self, timestamp: int = None) -> Tuple[List[str], List[str]]:
                 try:
                     self.dbstore.order_update(data_dic)
                 except Exception as err_:
-                    self.logger.critical('acme2certifier database error in Order._invalidate() upd: {0}'.format(err_))
+                    self.logger.critical('acme2certifier database error in Order._invalidate() upd: %s', err_)
 
-        self.logger.debug('Order.invalidate() ended: {0} orders identified'.format(len(output_list)))
+        self.logger.debug('Order.invalidate() ended: %s orders identified', len(output_list))
         return (field_list, output_list)
 
     def new(self, content: str) -> Dict[str, str]:
@@ -455,25 +481,30 @@ def new(self, content: str) -> Dict[str, str]:
             if not error:
                 code = 201
                 response_dic['header'] = {}
-                response_dic['header']['Location'] = '{0}{1}{2}'.format(self.server_name, self.path_dic['order_path'], order_name)
+                response_dic['header']['Location'] = f'{self.server_name}{self.path_dic["order_path"]}{order_name}'
                 response_dic['data'] = {}
                 response_dic['data']['identifiers'] = []
                 response_dic['data']['authorizations'] = []
                 response_dic['data']['status'] = 'pending'
                 response_dic['data']['expires'] = expires
-                response_dic['data']['finalize'] = '{0}{1}{2}/finalize'.format(self.server_name, self.path_dic['order_path'], order_name)
+                response_dic['data']['finalize'] = f'{self.server_name}{self.path_dic["order_path"]}{order_name}/finalize'
                 for auth_name, value in auth_dic.items():
-                    response_dic['data']['authorizations'].append('{0}{1}{2}'.format(self.server_name, self.path_dic['authz_path'], auth_name))
+                    response_dic['data']['authorizations'].append(f'{self.server_name}{self.path_dic["authz_path"]}{auth_name}')
                     response_dic['data']['identifiers'].append(value)
+            elif error == self.error_msg_dic['rejectedidentifier']:
+                code = 403
+                message = error
+                detail = 'Some of the requested identifiers got rejected'
             else:
                 code = 400
                 message = error
-                detail = 'could not process order'
+                detail = 'Could not process order'
+
         # prepare/enrich response
         status_dic = {'code': code, 'type': message, 'detail': detail}
         response_dic = self.message.prepare_response(response_dic, status_dic)
 
-        self.logger.debug('Order.new() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('Order.new() returns: %s', json.dumps(response_dic))
         return response_dic
 
     def _parse(self, protected: Dict[str, str], payload: Dict[str, str], header: str = None) -> Tuple[int, str, str, str, str]:
@@ -501,7 +532,7 @@ def _parse(self, protected: Dict[str, str], payload: Dict[str, str], header: str
             message = self.error_msg_dic['malformed']
             detail = 'url is missing in protected'
 
-        self.logger.debug('Order._parse() ended with code: {0}'.format(code))
+        self.logger.debug('Order._parse() ended with code: %s', code)
         return (code, message, detail, certificate_name, order_name)
 
     def parse(self, content: str, header: str = None) -> Dict[str, str]:
@@ -524,20 +555,20 @@ def parse(self, content: str, header: str = None) -> Dict[str, str]:
             if code == 200:
                 # create response
                 response_dic['header'] = {}
-                response_dic['header']['Location'] = '{0}{1}{2}'.format(self.server_name, self.path_dic['order_path'], order_name)
+                response_dic['header']['Location'] = f'{self.server_name}{self.path_dic["order_path"]}{order_name}'
                 response_dic['data'] = self._lookup(order_name)
                 if 'status' in response_dic['data'] and response_dic['data']['status'] == 'processing':
                     # set retry header as cert issuane is not completed.
-                    response_dic['header']['Retry-After'] = '{0}'.format(self.retry_after)
-                response_dic['data']['finalize'] = '{0}{1}{2}/finalize'.format(self.server_name, self.path_dic['order_path'], order_name)
+                    response_dic['header']['Retry-After'] = f'{self.retry_after}'
+                response_dic['data']['finalize'] = f'{self.server_name}{self.path_dic["order_path"]}{order_name}/finalize'
                 # add the path to certificate if order-status is ready
                 # if certificate_name:
                 if certificate_name and 'status' in response_dic['data'] and response_dic['data']['status'] == 'valid':
-                    response_dic['data']['certificate'] = '{0}{1}{2}'.format(self.server_name, self.path_dic['cert_path'], certificate_name)
+                    response_dic['data']['certificate'] = f'{self.server_name}{self.path_dic["cert_path"]}{certificate_name}'
 
         # prepare/enrich response
         status_dic = {'code': code, 'type': message, 'detail': detail}
         response_dic = self.message.prepare_response(response_dic, status_dic)
 
-        self.logger.debug('Order.parse() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('Order.parse() returns: %s', json.dumps(response_dic))
         return response_dic
diff --git a/acme_srv/renewalinfo.py b/acme_srv/renewalinfo.py
index 27699834..d420f3eb 100644
--- a/acme_srv/renewalinfo.py
+++ b/acme_srv/renewalinfo.py
@@ -1,11 +1,10 @@
 # -*- coding: utf-8 -*-
 """ Nonce class """
-# pylint: disable=c0209
 from __future__ import print_function
 from typing import Dict
 from acme_srv.db_handler import DBstore
 from acme_srv.message import Message
-from acme_srv.helper import string_sanitize, certid_hex_get, uts_to_date_utc, error_dic_get, load_config, uts_now
+from acme_srv.helper import string_sanitize, certid_hex_get, uts_to_date_utc, error_dic_get, load_config, uts_now, cert_serial_get, cert_aki_get, b64_url_recode, b64_decode
 
 
 class Renewalinfo(object):
@@ -44,32 +43,89 @@ def _config_load(self):
                 try:
                     self.renewaltreshold_pctg = float(config_dic['Renewalinfo']['renewaltreshold_pctg'])
                 except Exception as err_:
-                    self.logger.error('acme2certifier Renewalinfo._config_load() renewaltreshold_pctg parsing error: {0}'.format(err_))
+                    self.logger.error('acme2certifier Renewalinfo._config_load() renewaltreshold_pctg parsing error: %s', err_)
 
             if 'retry_after_timeout' in config_dic['Renewalinfo']:
                 try:
                     self.retry_after_timeout = int(config_dic['Renewalinfo']['retry_after_timeout'])
                 except Exception as err_:
-                    self.logger.error('acme2certifier Renewalinfo._config_load() retry_after_timeout parsing error: {0}'.format(err_))
+                    self.logger.error('acme2certifier Renewalinfo._config_load() retry_after_timeout parsing error: %s', err_)
 
-    def _lookup(self, certid_hex: str) -> Dict[str, str]:
-        """ lookup expiry dates based on renewal info """
-        self.logger.debug('Renewalinfo._lookup()')
+    def _cert_dic_lookup(self, renewalinfo_string: str) -> Dict[str, str]:
+        """ lookup certificate based on renewalinfo string """
+        self.logger.debug('Renewalinfo._cert_dic_lookup(%s)', renewalinfo_string)
+
+        if '.' in renewalinfo_string:
+            # draft-ietf-acme-ari-02
+            (serial, aki) = self._serial_aki_get(renewalinfo_string)
+            # lookup database for certificate data
+            cert_dic = self._draft02_lookup(serial, aki)
+
+        else:
+            # draft-ietf-acme-ari-01
+            (_mda, certid_hex) = certid_hex_get(self.logger, renewalinfo_string)
+            # lookup database for certificate data
+            cert_dic = self._draft01_lookup(certid_hex)
+
+        self.logger.debug('Renewalinfo._cert_dic_lookup(%s) - ended with: %s', renewalinfo_string, bool(cert_dic))
+        return cert_dic
+
+    def _cert_table_update(self):
+        """ add serial and aki to certificate table """
+        self.logger.debug('Renewalinfo._cert_table_update()')
+
+        try:
+            certificate_list = self.dbstore.certificates_search('serial', None, operant='is', vlist=['id', 'name', 'cert', 'cert_raw', 'serial', 'aki'])
+        except Exception as err_:
+            self.logger.critical('acme2certifier database error in Renewalinfo._cert_table_update(): %s', err_)
+            certificate_list = []
+
+        update_cnt = 0
+        for cert in certificate_list:
+            if 'cert_raw' in cert and cert['cert_raw'] and 'name' in cert and 'cert' in cert:
+                serial = cert_serial_get(self.logger, cert['cert_raw'], hexformat=True)
+                aki = cert_aki_get(self.logger, cert['cert_raw'])
+                data_dic = {'serial': serial, 'aki': aki, 'name': cert['name'], 'cert_raw': cert['cert_raw'], 'cert': cert['cert']}
+                self.dbstore.certificate_add(data_dic)
+                update_cnt += 1
+
+        self.logger.debug('Renewalinfo._cert_table_update(%s) - done', update_cnt)
+
+    def _draft01_lookup(self, certid_hex: str) -> Dict[str, str]:
+        """ lookup expiry dates based on certid accoridng to acme-ari-01 """
+        self.logger.debug('Renewalinfo._draft01_lookup()')
 
         try:
             result_dic = self.dbstore.certificate_lookup('renewal_info', certid_hex, ('id', 'name', 'cert', 'cert_raw', 'expire_uts', 'issue_uts', 'created_at'))
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Renewalinfo._lookup(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Renewalinfo._draft01_lookup(): %s', err_)
             result_dic = None
 
         return result_dic
 
-    def _renewalinfo_get(self, certid_hex: str) -> Dict[str, str]:
-        """ create dictionary containing renwal infor data """
-        self.logger.debug('Renewalinfo.get()')
+    def _draft02_lookup(self, serial: str, aki: str) -> Dict[str, str]:
+        """ lookup expiry dates based on certid accoridng to acme-ari-02 """
+        self.logger.debug('Renewalinfo._draft02_lookup()')
+
+        cert_dic = {}
+        try:
+            cert_list = self.dbstore.certificates_search('serial', serial, operant='is', vlist=['id', 'name', 'cert', 'cert_raw', 'expire_uts', 'issue_uts', 'aki', 'created_at'])
+            if not cert_list and serial.startswith('0'):
+                # cover cornercase where serial is padded with leading zeros
+                cert_list = self.dbstore.certificates_search('serial', serial.lstrip('0'), operant='is', vlist=['id', 'name', 'cert', 'cert_raw', 'expire_uts', 'issue_uts', 'aki', 'created_at'])
+            for cert in cert_list:
+                if cert['aki'] == aki:
+                    cert_dic = cert
+                    break
+        except Exception as err_:
+            self.logger.critical('acme2certifier database error in Renewalinfo._draft02_lookup(): %s', err_)
 
-        # lookup database for certificate data
-        cert_dic = self._lookup(certid_hex)
+        self.logger.debug('Renewalinfo._draft02_lookup() ended with: %s', bool(cert_dic))
+        return cert_dic
+
+    def _renewalinfo_generate(self, cert_dic: Dict[str, str]) -> Dict[str, str]:
+        """ create dictionary containing renwal info data """
+        self.logger.debug('Renewalinfo._renewalinfo_generate()')
 
         if 'expire_uts' in cert_dic and cert_dic['expire_uts']:
 
@@ -95,54 +151,89 @@ def _renewalinfo_get(self, certid_hex: str) -> Dict[str, str]:
         else:
             renewalinfo_dic = {}
 
+        self.logger.debug('Renewalinfo._renewalinfo_generate() ended')
         return renewalinfo_dic
 
-    def renewalinfo_string_get(self, url: str) -> str:
+    def _renewalinfo_get(self, renewalinfo_string: str) -> Dict[str, str]:
+        """ get renewal info dictionary """
+        self.logger.debug('Renewalinfo._renewalinfo_get()')
+
+        cert_dic = self._cert_dic_lookup(renewalinfo_string)
+        rewalinfo_dic = self._renewalinfo_generate(cert_dic)
+
+        self.logger.debug('Renewalinfo._renewalinfo_get() ended with: %s', rewalinfo_dic)
+        return rewalinfo_dic
+
+    def _renewalinfo_string_get(self, url: str) -> str:
         """ get renewal string from url"""
         self.logger.debug('Renewalinfo.renewal_string_get()')
 
         # we need to workaround a strange issue in win-acme
-        url = url.replace('{0}{1}'.format(self.server_name, self.path_dic['renewalinfo'].rstrip('/')), '')
+        url = url.replace(f'{self.server_name}{self.path_dic["renewalinfo"].rstrip("/")}', '')
         url = url.lstrip('/')
 
         # sanitize renewal_info string
         renewalinfo_string = string_sanitize(self.logger, url)
 
-        self.logger.debug('Renewalinfo.renewal_string_get() - renewalinfo_string: {0}'.format(renewalinfo_string))
+        self.logger.debug('Renewalinfo.renewal_string_get() - renewalinfo_string: %s', renewalinfo_string)
         return renewalinfo_string
 
+    def _serial_aki_get(self, renewalinfo_string: str) -> (str, str):
+        """ get serial and aki from renewalinfo string """
+        self.logger.debug('Renewalinfo._serial_aki_get()')
+
+        # split renewalinfo_string
+        renewalinfo_list = renewalinfo_string.split('.')
+
+        if len(renewalinfo_list) == 2:
+            serial = b64_decode(self.logger, b64_url_recode(self.logger, renewalinfo_list[1])).hex()
+            aki = b64_decode(self.logger, b64_url_recode(self.logger, renewalinfo_list[0])).hex()
+        else:
+            serial = None
+            aki = None
+
+        self.logger.debug('Renewalinfo._serial_aki_get() - serial: %s, aki: %s', serial, aki)
+        return (serial, aki)
+
     def get(self, url: str) -> Dict[str, str]:
         """ get renewal information """
         self.logger.debug('Renewalinfo.get()')
 
-        # parse renewalinfo
-        renewalinfo_string = self.renewalinfo_string_get(url)
+        # shousekeeping - add serial and aki to certificate table
+        if not self.dbstore.hkparameter_get('cert_aki_serial_update'):
+            self._cert_table_update()
+            self.logger.debug('Renewalinfo.get() - update housekeeping')
+            self.dbstore.hkparameter_add({'name': 'cert_aki_serial_update', 'value': True})
 
-        (mda, certid_hex) = certid_hex_get(self.logger, renewalinfo_string)
+        # parse renewalinfo string
+        renewalinfo_string = self._renewalinfo_string_get(url)
 
-        response_dic = {}
-        # we cannot verify the AKI thus we accept any value
-        if mda:
-            # get renewal window datas
-            rewalinfo_dic = self._renewalinfo_get(certid_hex)
+        # get renewal information
+        try:
+            rewalinfo_dic = self._renewalinfo_get(renewalinfo_string)
             if rewalinfo_dic:
-                response_dic['code'] = 200
-                # filter certificate and decode it
-                response_dic['data'] = rewalinfo_dic
-                # order status is processing - ratelimiting
-                response_dic['header'] = {'Retry-After': '{0}'.format(self.retry_after_timeout)}
+                rc_code = 200
             else:
-                response_dic['code'] = 404
-                response_dic['data'] = self.err_msg_dic['malformed']
+                rc_code = 404
+        except Exception as err_:
+            self.logger.error('Renewalinfo.get() - error: %s', err_)
+            rewalinfo_dic = {}
+            rc_code = 400
+
+        response_dic = {'code': rc_code}
+        if rewalinfo_dic:
+            # filter certificate and decode it
+            response_dic['data'] = rewalinfo_dic
+            # order status is processing - ratelimiting
+            response_dic['header'] = {'Retry-After': f'{self.retry_after_timeout}'.format()}
         else:
-            response_dic['code'] = 400
             response_dic['data'] = self.err_msg_dic['malformed']
 
         return response_dic
 
     def update(self, content: str) -> Dict[str, str]:
         """ update renewalinfo request """
-        self.logger.debug('Renewalinfo.update({0})')
+        self.logger.debug('Renewalinfo.update()')
 
         # check message
         (code, _message, _detail, _protected, payload, _account_name) = self.message.check(content)
@@ -150,9 +241,7 @@ def update(self, content: str) -> Dict[str, str]:
         response_dic = {}
         if code == 200 and 'certid' in payload and 'replaced' in payload:
 
-            (_mda, certid_hex) = certid_hex_get(self.logger, payload['certid'])
-
-            cert_dic = self._lookup(certid_hex)
+            cert_dic = self._cert_dic_lookup(payload['certid'])
 
             if cert_dic and payload['replaced']:
                 cert_dic['replaced'] = True
diff --git a/acme_srv/signature.py b/acme_srv/signature.py
index fa6ae983..ce10c539 100644
--- a/acme_srv/signature.py
+++ b/acme_srv/signature.py
@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
 """ Signature class """
-# pylint: disable=c0209
 from __future__ import print_function
 from typing import Tuple, Dict
 from acme_srv.helper import signature_check, load_config, error_dic_get
@@ -25,27 +24,27 @@ def __init__(self, debug: bool = False, srv_name: str = None, logger: object = N
 
     def _cli_jwk_load(self, kid: int) -> Dict[str, str]:
         """ get key for a specific account id """
-        self.logger.debug('Signature._cli_jwk_load({0})'.format(kid))
+        self.logger.debug('Signature._cli_jwk_load(%s)', kid)
         try:
             result = self.dbstore.cli_jwk_load(kid)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Signature._cli_jwk_load(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Signature._cli_jwk_load(): %s', err_)
             result = None
         return result
 
     def _jwk_load(self, kid: str) -> Dict[str, str]:
         """ get key for a specific account id """
-        self.logger.debug('Signature._jwk_load({0})'.format(kid))
+        self.logger.debug('Signature._jwk_load(%s)', kid)
         try:
             result = self.dbstore.jwk_load(kid)
         except Exception as err_:
-            self.logger.critical('acme2certifier database error in Signature._jwk_load(): {0}'.format(err_))
+            self.logger.critical('acme2certifier database error in Signature._jwk_load(): %s', err_)
             result = None
         return result
 
     def cli_check(self, aname: str, content: str) -> Tuple[str, str, None]:
         """ signature check against cli key """
-        self.logger.debug('Signature.cli_check({0})'.format(aname))
+        self.logger.debug('Signature.cli_check(%s)', aname)
         result = False
         error = None
 
@@ -62,12 +61,12 @@ def cli_check(self, aname: str, content: str) -> Tuple[str, str, None]:
         else:
             error = self.err_msg_dic['malformed']
 
-        self.logger.debug('Signature.cli_check() ended with: {0}:{1}'.format(result, error))
+        self.logger.debug('Signature.cli_check() ended with: %s:%s', result, error)
         return (result, error, None)
 
     def check(self, aname: str, content: str, use_emb_key: bool = False, protected: Dict[str, str] = None) -> Tuple[str, str, None]:
         """ signature check """
-        self.logger.debug('Signature.check({0})'.format(aname))
+        self.logger.debug('Signature.check(%s)', aname)
         result = False
         if content:
             error = None
@@ -90,7 +89,7 @@ def check(self, aname: str, content: str, use_emb_key: bool = False, protected:
         else:
             error = self.err_msg_dic['malformed']
 
-        self.logger.debug('Signature.check() ended with: {0}:{1}'.format(result, error))
+        self.logger.debug('Signature.check() ended with: %s:%s', result, error)
         return (result, error, None)
 
     def eab_check(self, content: str, mac_key: str) -> Tuple[str, str]:
@@ -101,4 +100,5 @@ def eab_check(self, content: str, mac_key: str) -> Tuple[str, str]:
         if content and mac_key:
             (result, error) = signature_check(self.logger, content, mac_key, json_=True)
 
+        self.logger.debug('Signature.signature_check() ended with: %s:%s', result, error)
         return (result, error)
diff --git a/acme_srv/trigger.py b/acme_srv/trigger.py
index b175d05e..f7e46521 100644
--- a/acme_srv/trigger.py
+++ b/acme_srv/trigger.py
@@ -44,7 +44,7 @@ def _certname_lookup(self, cert_pem: str) -> List[str]:
                     csr_pubkey = csr_pubkey_get(self.logger, cert['csr'])
                     if csr_pubkey == cert_pubkey:
                         result_list.append({'cert_name': cert['name'], 'order_name': cert['order__name']})
-        self.logger.debug('Trigger._certname_lookup() ended with: {0}'.format(result_list))
+        self.logger.debug('Trigger._certname_lookup() ended with: %s', result_list)
 
         return result_list
 
@@ -61,9 +61,9 @@ def _config_load(self):
             try:
                 self.cahandler = ca_handler_module.CAhandler
             except Exception as err_:
-                self.logger.critical('Certificate._config_load(): loading CAhandler failed with err: {0}'.format(err_))
+                self.logger.critical('Certificate._config_load(): loading CAhandler failed with err: %s', err_)
 
-        self.logger.debug('ca_handler: {0}'.format(ca_handler_module))
+        self.logger.debug('ca_handler: %s', ca_handler_module)
         self.logger.debug('Certificate._config_load() ended.')
 
     def _cert_store(self, cert_bundle: str, cert_raw: str) -> Tuple[int, str, str]:
@@ -82,13 +82,13 @@ def _cert_store(self, cert_bundle: str, cert_raw: str) -> Tuple[int, str, str]:
                 try:
                     self.dbstore.certificate_add(data_dic)
                 except Exception as err_:
-                    self.logger.critical('acme2certifier database error in trigger._payload_process() add: {0}'.format(err_))
+                    self.logger.critical('acme2certifier database error in trigger._payload_process() add: %s', err_)
                 if 'order_name' in cert and cert['order_name']:
                     try:
                         # update order status to 5 (valid)
                         self.dbstore.order_update({'name': cert['order_name'], 'status': 'valid'})
                     except Exception as err_:
-                        self.logger.critical('acme2certifier database error in trigger._payload_process() upd: {0}'.format(err_))
+                        self.logger.critical('acme2certifier database error in trigger._payload_process() upd: %s', err_)
             code = 200
             message = 'OK'
             detail = None
@@ -118,7 +118,7 @@ def _payload_process(self, payload: str) -> Tuple[int, str, str]:
                 message = 'payload malformed'
                 detail = None
 
-        self.logger.debug('Trigger._payload_process() ended with: {0} {1}'.format(code, message))
+        self.logger.debug('Trigger._payload_process() ended with: %s %s', code, message)
         return (code, message, detail)
 
     def parse(self, content: str) -> Dict[str, str]:
@@ -151,5 +151,5 @@ def parse(self, content: str) -> Dict[str, str]:
         if detail:
             response_dic['data']['detail'] = detail
 
-        self.logger.debug('Trigger.parse() returns: {0}'.format(json.dumps(response_dic)))
+        self.logger.debug('Trigger.parse() returns: %s', json.dumps(response_dic))
         return response_dic
diff --git a/acme_srv/version.py b/acme_srv/version.py
index 53e69b9a..45dec189 100644
--- a/acme_srv/version.py
+++ b/acme_srv/version.py
@@ -3,5 +3,5 @@
 # 1) we don't load dependencies by storing it in __init__.py
 # 2) we can import it in setup.py for the same reason
 # 3) we can import it into your module module
-__version__ = '0.32'
-__dbversion__ = '0.30'
+__version__ = '0.36'
+__dbversion__ = '0.33.2'
diff --git a/docs/a2c-alma-loadbalancing.md b/docs/a2c-alma-loadbalancing.md
new file mode 100644
index 00000000..71144c92
--- /dev/null
+++ b/docs/a2c-alma-loadbalancing.md
@@ -0,0 +1,672 @@
+<!-- markdownlint-disable  MD013 -->
+<!-- wiki-title How to build an acme2certifier cluster on Alma Linux 9 -->
+# How to build an acme2certifier cluster on Alma Linux 9
+
+This tutorial describes the configuration of a two-node acme2certifier cluster running in active/active configuration. Although both nodes are active at the same time and provide proxy services via different ip-addresses database, configuration and runtime objects will be replicated among the nodes.
+
+This setup requires the switch to a different database engine as SQLite, which is the default a2c backend, is not designed to handle concurrent write access, which can happen in an active/active setup. Thus, [MariaDB](https://mariadb.org/) will be used. Configuration files and runtime objects will be replicated using [Lsyncd](https://github.com/lsyncd/lsyncd). The following diagram depicts the application stack to be used.
+
+![architecture](a2c-alma-loadbalancing.png "architecture")
+
+The guide is written for **Alma Linux 9**, however adapting to other Linux distributions ir Redhat derivates should not be difficult. There is also a guide for [Ubuntu 22.04](a2c-ubuntu-loadbalancing.md) available
+
+## Preparation
+
+To set up the MariaDB Master-Master replication between multiple servers, you will need to ensure each system hostname is resolved to the correct IP address. I recommend setting up the FQDN in /etc/hosts on each server.
+
+```cfg
+cat /etc/hosts
+...
+192.168.14.136 alma9-c1.bar.local alma9-c1
+192.168.14.137 alma9-c2.bar.local alma9-c2
+```
+
+Furthermore, the EPEL-repository need ot be enabled on both nodes.
+
+```bash
+sudo yum install -y epel-release
+sudo yum update -y
+```
+
+Stop the firewalld on both nodes
+
+```bash
+sudo systemctl stop firewalld
+sudo systemctl disable firewalld
+```
+
+## Installation and configuration of MariaDB
+
+The following instructions are based on [an existing tutorial](https://www.howtoforge.com/how-to-setup-mariadb-master-master-replication-on-debian-11/).
+
+### Setting up alma9-c1
+
+- install MariaDB-server
+
+```bash
+sudo yum install -y mariadb-server
+```
+
+- start MariaDB during startup
+
+```bash
+sudo systemctl enable mariadb
+sudo systemctl status mariadb
+```
+
+- modify `/etc/my.cnf.d/mariadb-server.cnf` change the ip-binding and add the follwinng lines
+
+```cfg
+# listen on external address
+bind-address            = 192.168.14.136
+
+server-id              = 1
+report_host            = alma9-c1
+
+log_bin                = /var/log/mariadb/mariadb-bin
+log_bin_index          = /var/log/mariadb/mariadb-bin.index
+
+relay_log              = /var/log/mariadb/relay-bin
+relay_log_index        = /var/log/mariadb/relay-bin.index
+
+# avoiding  primary key collision
+log-slave-updates
+auto_increment_increment=2
+auto_increment_offset=1
+```
+
+- restart MariaDB-server
+
+```bash
+sudo systemctl restart mariadb
+```
+
+- verify service binding
+
+```bash
+ss -plnt
+State    Recv-Q   Send-Q        Local Address:Port       Peer Address:Port   Process
+...
+LISTEN   0        80           192.168.14.136:3306            0.0.0.0:*       users:(("mariadbd",pid=815,fd=43))
+...
+```
+
+- open the mysql commandclient client
+
+```bash
+sudo mysql -u  root
+```
+
+- create the replication user
+
+```SQL
+CREATE USER 'replusr'@'%' IDENTIFIED BY 'replpasswd';
+GRANT REPLICATION SLAVE ON *.* TO 'replusr'@'%';
+FLUSH PRIVILEGES;
+```
+
+- Next, run the following query to check the current binary log and its exact position of it. In this example, the binary log file for the MariaDB server is "mariadb-bin.000001" with the position "773". These outputs will be used in the next stage for setting up the "alma9-c2" server.
+
+```SQL
+SHOW MASTER STATUS;
+```
+
+```SQL
++--------------------+----------+--------------+------------------+
+| File               | Position | Binlog_Do_DB | Binlog_Ignore_DB |
++--------------------+----------+--------------+------------------+
+| mariadb-bin.000001 |      773 |              |                  |
++--------------------+----------+--------------+------------------+
+1 row in set (0.000 sec)
+```
+
+### Setting up alma9-c2
+
+- install MariaDB-server
+
+```bash
+sudo yum install -y mariadb-server
+```
+
+- start MariaDB during startup
+
+```bash
+sudo systemctl enable mariadb
+sudo systemctl status mariadb
+```
+
+- modify `/etc/my.cnf.d/mariadb-server.cnf` change the ip-binding and add the follwinng lines
+
+```cfg
+# listen on external address
+bind-address            = 192.168.14.137
+
+server-id              = 2
+report_host            = alma9-c2
+
+log_bin                = /var/log/mariadb/mariadb-bin
+log_bin_index          = /var/log/mariadb/mariadb-bin.index
+
+relay_log              = /var/log/mariadb/relay-bin
+relay_log_index        = /var/log/mariadb/relay-bin.index
+
+# avoiding  primary key collision
+log-slave-updates
+auto_increment_increment=2
+auto_increment_offset=2
+```
+
+- restart MariaDB-server
+
+```bash
+sudo systemctl restart mariadb
+```
+
+- verify service binding
+
+```bash
+ss -plnt
+```
+
+```bash
+State    Recv-Q   Send-Q        Local Address:Port       Peer Address:Port   Process
+...
+LISTEN   0        80           192.168.14.137:3306            0.0.0.0:*       users:(("mariadbd",pid=841,fd=41))
+...
+```
+
+- open the mysql commandclient client
+
+```bash
+sudo mysql -u  root
+```
+
+- create the replication user
+
+```SQL
+CREATE USER 'replusr'@'%' IDENTIFIED BY 'replpasswd';
+GRANT REPLICATION SLAVE ON *.* TO 'replusr'@'%';
+FLUSH PRIVILEGES;
+```
+
+- stop the slave and add information about the alma9-c1 master node as well as the binlog file name ("mariadb-bin.000001") and position  ("773") from alma9-c1.
+
+```SQL
+STOP SLAVE;
+CHANGE MASTER TO MASTER_HOST='alma9-c1', MASTER_USER='replusr', MASTER_PASSWORD='replpasswd', MASTER_LOG_FILE='mariadb-bin.000001', MASTER_LOG_POS=773;
+```
+
+- start the slave again and verify the slave status on the "alma9-c2" server. You should get "Slave_IO_Running: Yes" and "Slave_SQL_Running: Yes",
+
+```SQL
+START SLAVE;
+SHOW SLAVE STATUS\G
+```
+
+```SQL
+*************************** 1. row ***************************
+                Slave_IO_State: Waiting for master to send event
+                   Master_Host: alma9-c1
+...
+              Slave_IO_Running: Yes
+             Slave_SQL_Running: Yes
+...
+```
+
+### Configure master-master replication on alma9-c1
+
+- open the mysql commandclient client and create the replication user
+
+```bash
+sudo mysql -u  root
+```
+
+- stop the slave and add information about the alma9-c2 master node as well as the binlog file name and position.
+
+```SQL
+STOP SLAVE;
+CHANGE MASTER TO MASTER_HOST='alma9-c2', MASTER_USER='replusr', MASTER_PASSWORD='replpasswd', MASTER_LOG_FILE='mariadb-bin.000001', MASTER_LOG_POS=773;
+```
+
+- start the slave again and verify the slave status
+
+```SQL
+START SLAVE;
+SHOW SLAVE STATUS\G
+```
+
+```SQL
+*************************** 1. row ***************************
+                Slave_IO_State: Waiting for master to send event
+                   Master_Host: alma9-c1
+...
+              Slave_IO_Running: Yes
+             Slave_SQL_Running: Yes
+...
+```
+
+### Test master-master replication
+
+#### test on alma9-c1
+
+- open the mysql commandline client
+
+```bash
+sudo mysql -u  root
+```
+
+- create a testdatabase and a test-table
+
+```SQL
+CREATE DATABASE testdb;
+```
+
+#### test on alma9-c2
+
+- open the mysql commandline client
+
+```bash
+sudo mysql -u  root
+```
+
+- check the databases created in previous step
+
+```SQL
+SHOW DATABASES;
+```
+
+```SQL
++--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| mysql              |
+| performance_schema |
+| testdb             |
++--------------------+
+5 rows in set (0.000 sec)
+
+MariaDB [(none)]>
+```
+
+- delete database
+
+```SQL
+DROP DATABASE testdb;
+```
+
+#### verification on alma9-c1
+
+- back on alma9-c1 check the databases to make sure that "testdb" is not present anymore
+
+```SQL
+SHOW DATABASES;
+```
+
+```SQL
++--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| mysql              |
+| performance_schema |
++--------------------+
+4 rows in set (0.000 sec)
+
+```
+
+## Configure directory replication via Lsyncd
+
+The following instructions are based on [an existing tutorial](https://docs.rackspace.com/docs/set-up-lsyncd-locally-and-over-ssh-to-sync-directories).
+
+To accomplish a remote synchronization using Lsyncd, each node must have password-less SSH access to its peer. Further, it is recommended to use the root-user for synchronization  to ensure that permissions, ownership, and group information of the synchronized objects will be preserved.
+
+### on both nodes to be executed as root-user
+
+- generate ssh keys
+
+```bash
+sudo ssh-keygen -t rsa -f /root/.ssh/id_lsyncd
+```
+
+- copy the newly created public key `/root/.ssh/id_lsyncd.pub` from each host to peer and add it to `/root/.ssh/authorized_keys` file
+
+- create the acme2certifier directory to be synchronized between the two hosts
+
+```bash
+sudo mkdir -p /opt/acme2certifier/volume
+```
+
+- install Lsyncd
+
+```bash
+sudo yum install -y lsyncd
+```
+
+### configuration on alma9-c1
+
+- test passwordless ssh access by logging in to alma9-c2
+
+```bash
+sudo ssh -i /root/.ssh/id_lsyncd root@alma9-c2
+exit
+```
+
+- create a configuration file `/etc/lsyncd.conf` with the following content
+
+```lua
+settings {
+  logfile = "/var/log/lsyncd/lsyncd.log",
+  statusFile = "/var/log/lsyncd/lsyncd.status",
+  statusInterval = 20,
+  nodaemon   = false
+}
+
+sync {
+  default.rsyncssh,
+  source = "/opt/acme2certifier/volume/",
+  host = "alma9-c2",
+  targetdir = "/opt/acme2certifier/volume/",
+  rsync = {
+    rsh = "/usr/bin/ssh -l root -i /root/.ssh/id_lsyncd -o StrictHostKeyChecking=no",
+    compress = true,
+    owner = true,
+    group = true,
+    archive = true
+ }
+}
+```
+
+- start Lsyncd and enable automatic startup
+
+```bash
+sudo systemctl restart lsyncd
+sudo systemctl enable lsyncd
+```
+
+### configuration on alma9-c2
+
+- test passwordless ssh access by logging in to alma9-c1
+
+```bash
+sudo ssh -i /root/.ssh/id_lsyncd root@alma9-c1
+```
+
+- create a configuration file `/etc/lsyncd.conf` with the following content
+
+```lua
+settings {
+  logfile = "/var/log/lsyncd/lsyncd.log",
+  statusFile = "/var/log/lsyncd/lsyncd.status",
+  statusInterval = 20,
+  nodaemon   = false
+}
+
+sync {
+  default.rsyncssh,
+  source = "/opt/acme2certifier/volume/",
+  host = "alma9-c1",
+  targetdir = "/opt/acme2certifier/volume/",
+  rsync = {
+    rsh = "/usr/bin/ssh -l root -i /root/.ssh/id_lsyncd -o StrictHostKeyChecking=no",
+    compress = true,
+    owner = true,
+    group = true,
+    archive = true
+ }
+}
+```
+
+- start Lsyncd and enable automatic startup
+
+```bash
+sudo systemctl restart lsyncd
+sudo systemctl enable lsyncd
+```
+
+### Test replication
+
+#### test replication on alma9-c1
+
+- create a file in `/opt/acme2certifier/volume` directory
+
+```bash
+sudo touch /opt/acme2certifier/volume/test.txt
+```
+
+#### test replication on alma9-c2
+
+- verify that the '/opt/acme2certifier/volume/test.txt' has been syncronized to alma9-c2 (please note that replication can take up to 20s)
+
+```bash
+sudo ls -la /opt/acme2certifier/volume
+```
+
+- delete the '/opt/acme2certifier/volume/test.txt'
+
+```bash
+sudo rm /opt/acme2certifier/volume/test.txt
+```
+
+#### verify deletion on alma9-c1
+
+- back on alma9-c1 check `/opt/acme2certifier/volume` to make sure that "test.txt" has been deleted (please note that replication can take up to 20s)
+
+```bash
+sudo ls -la /opt/acme2certifier/volume
+```
+
+In case of problem check the logfiles stored in `/var/log/lsyncd` for errors.
+
+## Install acme2certifier
+
+### on both nodes
+
+- Install django packages and mysqlclient
+
+```bash
+sudo yum install python3-mysqlclient python3-django3 python3-pyyaml -y
+```
+
+- Downlaod the [latest rpm package](https://github.com/grindsa/acme2certifier/releases)
+- install the package locally and fix permissions
+
+```bash
+sudo yum localinstall -y ./acme2certifier_<version>-1.0.noarch.rpm
+ sudo chown -R nginx /opt/acme2certifier/volume/
+```
+
+- Copy and activete nginx configuration file
+
+```bash
+sudo cp /opt/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d
+```
+
+- Copy and activate nginx ssl configuration file (optional)
+
+```bash
+sudo cp /opt/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.d
+```
+
+- copy the django handler and the django directory structure
+
+```bash
+sudo cp /opt/acme2certifier/examples/db_handler/django_handler.py /opt/acme2certifier/acme_srv/db_handler.py
+sudo cp -r /opt/acme2certifier/examples/django/* /opt/acme2certifier/
+```
+
+- move the acme2certifier configuration file `acme_srv.cfg` into the mirrored diectory and create a symbolic link
+
+```bash
+sudo mv /opt/acme2certifier/acme_srv/acme_srv.cfg /opt/acme2certifier/volume/
+sudo ln -s /opt/acme2certifier/volume/acme_srv.cfg  /opt/acme2certifier/acme_srv/
+```
+
+- Enable and start the apache2 service
+
+```bash
+sudo systemctl enable acme2certifier
+sudo systemctl start acme2certifier
+sudo systemctl enable nginx
+sudo systemctl start nginx
+```
+
+### on alma9-c1
+
+- open the mysql commandline client
+
+```bash
+sudo mysql -u  root
+```
+
+- create a testdatabase and a test-table
+
+```SQL
+CREATE DATABASE acme2certifier CHARACTER SET UTF8;
+GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY 'a2cpasswd';
+FLUSH PRIVILEGES;
+```
+
+- generate a new django secret-key and note it down
+
+```bash
+python3 /opt/acme2certifier/tools/django_secret_keygen.py
++%*lei)yj9b841=2d5(u)a&7*uwi@l99$(*&ong@g*p1%q)g$e
+```
+
+- modify `/opt/acme2certifier/acme2certifier/settings.py` and
+  - insert the secret-key created in the previous step
+  - update the 'ALLOWED_HOSTS'- section with both ip-address and fqdn of the node
+  - configure a connection to mariadb as shown below
+
+```python
+SECRET_KEY = '+%*lei)yj9b841=2d5(u)a&7*uwi@l99$(*&ong@g*p1%q)g$e'
+...
+ALLOWED_HOSTS = ['192.168.14.136', 'alma9-c1.bar.local']
+...
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'acme2certifier',
+        'USER': 'acme2certifier',
+        'PASSWORD': 'a2cpasswd',
+        'HOST': "alma9-c1",
+        'OPTIONS': {"init_command": "SET sql_mode='STRICT_TRANS_TABLES', innodb_strict_mode=1","charset": "utf8mb4", "use_unicode": True},
+    },
+
+}
+```
+
+- Modify the [configuration file](acme_srv.md) `/opt/acme2certifier/volume/acme_srv.cfg`according to you needs. If your ca-handler needs runtime information (configuration files, keys, certificate-bundles etc.) to be shared between the nodes make sure that they get loaded from `/opt/acme2certifier/volume`. Below an example for the `[CAhandler]` section of the openssl-handler I use during my tests:
+
+```cfg
+[CAhandler]
+handler_file: /opt/acme2certifier/examples/ca_handler/openssl_ca_handler.py
+ca_cert_chain_list: ["/opt/acme2certifier/volume/root-ca-cert.pem"]
+issuing_ca_key: /opt/acme2certifier/volume/ca/sub-ca-key.pk8
+issuing_ca_key_passphrase_variable: OPENSSL_PASSPHRASE
+issuing_ca_cert: /opt/acme2certifier/volume/ca/sub-ca-cert.pem
+issuing_ca_crl: /opt/acme2certifier/volume/ca/sub-ca-crl.pem
+cert_validity_days: 30
+cert_validity_adjust: True
+cert_save_path: /opt/acme2certifier/volume/ca/certs
+save_cert_as_hex: True
+cn_enforce: True
+```
+
+- create a django migration set, apply the migrations and load fixtures
+
+```bash
+cd /opt/acme2certifier
+sudo python3 manage.py makemigrations
+sudo python3 manage.py migrate
+sudo python3 manage.py loaddata acme_srv/fixture/status.yaml
+```
+
+- run the django_update script
+
+```bash
+sudo python3 /opt/acme2certifier/tools/django_update.py
+```
+
+- restart the acme2certifier service
+
+```bash
+sudo systemctl restart acme2certifier.service
+```
+
+- Test the server by accessing the directory ressource
+
+```bash
+curl http://alma9-c1.bar.local/directory
+```
+
+```bash
+{"newAccount": "http://alma9-c1.bar.local/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://alma9-c1.bar.local/acme_srv/key-change", "newNonce": "http://alma9-c1.bar.local/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://alma9-c1.bar.local/acme_srv/neworders", "revokeCert": "http://alma9-c1.bar.local/acme_srv/revokecert"}
+```
+
+### on alma9-c2
+
+- generate a new django secret and note it down
+
+```bash
+python3 /opt/acme2certifier/tools/django_secret_keygen.py
+5@@wlvvi!hb(6qc%*77j55@jt8ib4^f1o&+pz-^z*#v3e7u3o!
+```
+
+- modify `/opt/acme2certifier/acme2certifier/settings.py` and
+  - insert a secret key created in the previous step
+  - update the 'ALLOWED_HOSTS'- section with both IP-Adress and fqdn of the node
+  - configure a connection to mariadb as shown below
+
+```python
+SECRET_KEY = '5@@wlvvi!hb(6qc%*77j55@jt8ib4^f1o&+pz-^z*#v3e7u3o!'
+...
+ALLOWED_HOSTS = ['192.168.14.137', 'alma9-c2.bar.local']
+...
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'acme2certifier',
+        'USER': 'acme2certifier',
+        'PASSWORD': 'a2cpasswd',
+        'HOST': "alma9-c2",
+        'OPTIONS': {"init_command": "SET sql_mode='STRICT_TRANS_TABLES', innodb_strict_mode=1","charset": "utf8mb4", "use_unicode": True},
+    },
+
+}
+```
+
+- restart the acme2certifier service
+
+```bash
+sudo systemctl restart acme2certifier.service
+```
+
+- Test the server by accessing the directory ressource
+
+```bash
+curl http://alma9-c2.bar.local/directory
+```
+
+```bash
+{"newAccount": "http://alma9-c2.bar.local/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://alma9-c2.bar.local/acme_srv/key-change", "newNonce": "http://alma9-c2.bar.local/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://alma9-c2.bar.local/acme_srv/neworders", "revokeCert": "http://alma9-c2.bar.local/acme_srv/revokecert"}
+```
+
+## Test enrollment
+
+- try to enroll certificates from both nodes by using your favorite acme-client. I am using [lego](https://github.com/go-acme/lego) as this client supports multiple endpoints at once.
+
+- Example for enrollment from alma9-c1
+
+```bash
+ docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://alma9-c1.bar.local -a --email "lego@example.com" -d lego01.bar.local --http run
+```
+
+- Example for enrollment from alma9-c2
+
+```bash
+ docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://alma9-c2.bar.local -a --email "lego@example.com" -d lego01.bar.local --http run
+```
diff --git a/docs/a2c-alma-loadbalancing.png b/docs/a2c-alma-loadbalancing.png
new file mode 100644
index 00000000..23142c27
Binary files /dev/null and b/docs/a2c-alma-loadbalancing.png differ
diff --git a/docs/a2c-ubuntu-loadbalancing.md b/docs/a2c-ubuntu-loadbalancing.md
new file mode 100644
index 00000000..af084bab
--- /dev/null
+++ b/docs/a2c-ubuntu-loadbalancing.md
@@ -0,0 +1,671 @@
+<!-- markdownlint-disable  MD013 -->
+<!-- wiki-title # How to build am acme2certifier cluster on Ubuntu 22.04 -->
+# How to build am acme2certifier cluster on Ubuntu 22.04
+
+This tutorial describes the configuration of a two-node acme2certifier cluster running in active/active configuration. Although both nodes are active at the same time and provide proxy services via different ip-addresses database, configuration and runtime objects will be replicated among the nodes.
+
+This setup requires the switch to a different database engine as SQLite, which is the default a2c backend, is not designed to handle concurrent write access, which can happen in an active/active setup. Thus, [MariaDB](https://mariadb.org/) will be used. Configuration files and runtime objects will be replicated using [Lsyncd](https://github.com/lsyncd/lsyncd). The following diagram depicts the application stack to be used.
+
+![architecture](a2c-ubuntu-loadbalancing.png "architecture")
+
+The guide is written for **Ubuntu 22.04**, however adapting to other Linux distributions should not be difficult. There is also a guide for [Alma Linux 9](a2c-alma-loadbalancing.md) available
+
+## Preparation
+
+To set up the MariaDB Master-Master replication between multiple servers, you will need to ensure each system hostname is resolved to the correct IP address. I recommend setting up the FQDN in /etc/hosts on each server.
+
+```cfg
+cat /etc/hosts
+...
+192.168.14.132 ub2204-c1.bar.local ub2204-c1
+192.168.14.133 ub2204-c2.bar.local ub2204-c2
+```
+
+Furthermore, Apache2 should already be installed to create the directories to be replicated.
+
+```bash
+sudo apt-get install -y apache2  apache2-data  libapache2-mod-wsgi-py3
+```
+
+## Installation and configuration of MariaDB
+
+The following instructions are based on [an existing tutorial](https://www.howtoforge.com/how-to-setup-mariadb-master-master-replication-on-debian-11/).
+
+### Setting up ub2204-c1
+
+- install MariaDB-server
+
+```bash
+sudo apt install -y mariadb-server
+```
+
+- start MariaDB during startup
+
+```bash
+sudo systemctl is-enabled mariadb
+sudo systemctl status mariadb
+```
+
+- modify `/etc/mysql/mariadb.conf.d/50-server.cnf` change the ip-binding and add the follwinng lines
+
+```cfg
+# listen on external address
+bind-address            = 192.168.14.132
+
+server-id              = 1
+report_host            = ub2204-c1
+
+log_bin                = /var/log/mysql/mariadb-bin
+log_bin_index          = /var/log/mysql/mariadb-bin.index
+
+relay_log              = /var/log/mysql/relay-bin
+relay_log_index        = /var/log/mysql/relay-bin.index
+
+# avoiding  primary key collision
+log-slave-updates
+auto_increment_increment=2
+auto_increment_offset=1
+```
+
+- restart MariaDB-server
+
+```bash
+sudo systemctl restart mariadb
+```
+
+- verify service binding
+
+```bash
+ss -plnt
+State    Recv-Q   Send-Q        Local Address:Port       Peer Address:Port   Process
+...
+LISTEN   0        80           192.168.14.132:3306            0.0.0.0:*       users:(("mariadbd",pid=815,fd=43))
+...
+```
+
+- open the mysql commandclient client
+
+```bash
+sudo mysql -u  root
+```
+
+- create the replication user
+
+```SQL
+CREATE USER 'replusr'@'%' IDENTIFIED BY 'replpasswd';
+GRANT REPLICATION SLAVE ON *.* TO 'replusr'@'%';
+FLUSH PRIVILEGES;
+```
+
+- Next, run the following query to check the current binary log and its exact position of it. In this example, the binary log file for the MariaDB server is "mariadb-bin.000001" with the position "773". These outputs will be used in the next stage for setting up the "ub2204-c2" server.
+
+```SQL
+SHOW MASTER STATUS;
+```
+
+```SQL
++--------------------+----------+--------------+------------------+
+| File               | Position | Binlog_Do_DB | Binlog_Ignore_DB |
++--------------------+----------+--------------+------------------+
+| mariadb-bin.000001 |      773 |              |                  |
++--------------------+----------+--------------+------------------+
+1 row in set (0.000 sec)
+```
+
+### Setting up ub2204-c2
+
+- install MariaDB-server
+
+```bash
+sudo apt install -y mariadb-server
+```
+
+- start MariaDB during startup
+
+```bash
+sudo systemctl is-enabled mariadb
+sudo systemctl status mariadb
+```
+
+- modify `/etc/mysql/mariadb.conf.d/50-server.cnf` change the ip-binding and add the follwinng lines
+
+```cfg
+# listen on external address
+bind-address            = 192.168.14.133
+
+server-id              = 2
+report_host            = ub2204-c2
+
+log_bin                = /var/log/mysql/mariadb-bin
+log_bin_index          = /var/log/mysql/mariadb-bin.index
+
+relay_log              = /var/log/mysql/relay-bin
+relay_log_index        = /var/log/mysql/relay-bin.index
+
+# avoiding  primary key collision
+log-slave-updates
+auto_increment_increment=2
+auto_increment_offset=2
+```
+
+- restart MariaDB-server
+
+```bash
+sudo systemctl restart mariadb
+```
+
+- verify service binding
+
+```bash
+ss -plnt
+```
+
+```bash
+State    Recv-Q   Send-Q        Local Address:Port       Peer Address:Port   Process
+...
+LISTEN   0        80           192.168.14.133:3306            0.0.0.0:*       users:(("mariadbd",pid=841,fd=41))
+...
+```
+
+- open the mysql commandclient client
+
+```bash
+sudo mysql -u  root
+```
+
+- create the replication user
+
+```SQL
+CREATE USER 'replusr'@'%' IDENTIFIED BY 'replpasswd';
+GRANT REPLICATION SLAVE ON *.* TO 'replusr'@'%';
+FLUSH PRIVILEGES;
+```
+
+- stop the slave and add information about the ub2204-c1 master node as well as the binlog file name ("mariadb-bin.000001") and position  ("773") from ub2204-c1.
+
+```SQL
+STOP SLAVE;
+CHANGE MASTER TO MASTER_HOST='ub2204-c1', MASTER_USER='replusr', MASTER_PASSWORD='replpasswd', MASTER_LOG_FILE='mariadb-bin.000001', MASTER_LOG_POS=773;
+```
+
+- start the slave again and verify the slave status on the "ub2204-c2" server. You should get "Slave_IO_Running: Yes" and "Slave_SQL_Running: Yes",
+
+```SQL
+START SLAVE;
+SHOW SLAVE STATUS\G
+```
+
+```SQL
+*************************** 1. row ***************************
+                Slave_IO_State: Waiting for master to send event
+                   Master_Host: ub2204-c1
+...
+              Slave_IO_Running: Yes
+             Slave_SQL_Running: Yes
+...
+```
+
+### Configure master-master replication on ub2204-c1
+
+- open the mysql commandclient client and create the replication user
+
+```bash
+sudo mysql -u  root
+```
+
+- stop the slave and add information about the ub2204-c2 master node as well as the binlog file name and position.
+
+```SQL
+STOP SLAVE;
+CHANGE MASTER TO MASTER_HOST='ub2204-c2', MASTER_USER='replusr', MASTER_PASSWORD='replpasswd', MASTER_LOG_FILE='mariadb-bin.000001', MASTER_LOG_POS=773;
+```
+
+- start the slave again and verify the slave status
+
+```SQL
+START SLAVE;
+```
+
+```SQL
+SHOW SLAVE STATUS\G
+*************************** 1. row ***************************
+                Slave_IO_State: Waiting for master to send event
+                   Master_Host: ub2204-c1
+...
+              Slave_IO_Running: Yes
+             Slave_SQL_Running: Yes
+...
+```
+
+### Test master-master replication
+
+#### test replication on ub2204-c1
+
+- open the mysql commandline client
+
+```bash
+sudo mysql -u  root
+```
+
+- create a testdatabase and a test-table
+
+```SQL
+CREATE DATABASE testdb;
+```
+
+#### test replication on ub2204-c2
+
+- open the mysql commandline client
+
+```bash
+sudo mysql -u  root
+```
+
+- check the databases created in previous step
+
+```SQL
+SHOW DATABASES;
++--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| mysql              |
+| performance_schema |
+| sys                |
+| testdb             |
++--------------------+
+5 rows in set (0.000 sec)
+```
+
+```SQL
+MariaDB [(none)]>
+```
+
+- delete database
+
+```SQL
+DROP DATABASE testdb;
+```
+
+#### verify deletion on ub2204-c1
+
+- back on ub2204-c1 check the databases to make sure that "testdb" is not present anymore
+
+```SQL
+SHOW DATABASES;
+```
+
+```SQL
++--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| mysql              |
+| performance_schema |
+| sys                |
++--------------------+
+4 rows in set (0.000 sec)
+
+```
+
+## Configure directory replication via Lsyncd
+
+The following instructions are based on [an existing tutorial](https://docs.rackspace.com/docs/set-up-lsyncd-locally-and-over-ssh-to-sync-directories).
+
+To accomplish a remote synchronization using Lsyncd, each node must have password-less SSH access to its peer. Further, it is recommended to use the root-user for synchronization  to ensure that permissions, ownership, and group information of the synchronized objects will be preserved.
+
+### on both nodes to be executed as root-user
+
+- generate ssh keys
+
+```bash
+sudo ssh-keygen -t rsa -f /root/.ssh/id_lsyncd
+```
+
+- copy the newly created public key `/root/.ssh/id_lsyncd.pub` from each host to peer and add it to `/root/.ssh/authorized_keys` file
+
+- create the acme2certifier directory to be synchronized between the two hosts
+
+```bash
+sudo mkdir -p /var/www/acme2certifier/volume
+```
+
+- install Lsyncd
+
+```bash
+sudo apt-get install -y lsyncd
+```
+
+- create the directory storing the configuration and log files
+
+```bash
+sudo mkdir /etc/lsyncd /var/log/lsyncd
+```
+
+### configuration on ub2204-c1
+
+- test passwordless ssh access by logging in to ub2204-c2
+
+```bash
+sudo ssh -i /root/.ssh/id_lsyncd root@ub2204-c2
+exit
+```
+
+- create a configuration file `/etc/lsyncd/lsyncd.conf.lua` with the following content
+
+```lua
+settings {
+  logfile = "/var/log/lsyncd/lsyncd.log",
+  statusFile = "/var/log/lsyncd/lsyncd.status",
+  statusInterval = 20,
+  nodaemon   = false
+}
+
+sync {
+  default.rsyncssh,
+  source = "/var/www/acme2certifier/volume/",
+  host = "ub2204-c2",
+  targetdir = "/var/www/acme2certifier/volume/",
+  rsync = {
+    rsh = "/usr/bin/ssh -l root -i /root/.ssh/id_lsyncd -o StrictHostKeyChecking=no",
+    compress = true,
+    owner = true,
+    group = true,
+    archive = true
+ }
+}
+```
+
+- start Lsyncd and enable automatic startup
+
+```bash
+sudo systemctl restart lsyncd
+sudo systemctl enable lsyncd
+```
+
+### configuration on ub2204-c2
+
+- test passwordless ssh access by logging in to ub2204-c1
+
+```bash
+sudo ssh -i /root/.ssh/id_lsyncd root@ub2204-c1
+```
+
+- create a configuration file `/etc/lsyncd/lsyncd.conf.lua` with the following content
+
+```lua
+settings {
+  logfile = "/var/log/lsyncd/lsyncd.log",
+  statusFile = "/var/log/lsyncd/lsyncd.status",
+  statusInterval = 20,
+  nodaemon   = false
+}
+
+sync {
+  default.rsyncssh,
+  source = "/var/www/acme2certifier/volume/",
+  host = "ub2204-c1",
+  targetdir = "/var/www/acme2certifier/volume/",
+  rsync = {
+    rsh = "/usr/bin/ssh -l root -i /root/.ssh/id_lsyncd -o StrictHostKeyChecking=no",
+    compress = true,
+    owner = true,
+    group = true,
+    archive = true
+ }
+}
+```
+
+- start Lsyncd and enable automatic startup
+
+```bash
+sudo systemctl restart lsyncd
+sudo systemctl enable lsyncd
+```
+
+### Test replication
+
+#### test repliasyncronizationtion on ub2204-c1
+
+- create a file in `/var/www/acme2certifier/volume` directory
+
+```bash
+sudo touch /var/www/acme2certifier/volume/test.txt
+```
+
+#### test syncronization on ub2204-c2
+
+- verify that the '/var/www/acme2certifier/volume/test.txt' has been syncronized to ub2204-c2 (please note that replication can take up to 20s)
+
+```bash
+sudo ls -la /var/www/acme2certifier/volume
+```
+
+- delete the '/var/www/acme2certifier/volume/test.txt'
+
+```bash
+sudo rm /var/www/acme2certifier/volume/test.txt
+```
+
+#### verify removal on ub2204-c1
+
+- back on ub2204-c1 check `/var/www/acme2certifier/volume` to make sure that "test.txt" has been deleted (please note that replication can take up to 20s)
+
+```bash
+sudo ls -la /var/www/acme2certifier/volume
+```
+
+In case of problem check the logfiles stored in `/var/log/lsyncd` for errors.
+
+## Install acme2certifier
+
+### on both nodes
+
+- Downlaod the [latest deb package](https://github.com/grindsa/acme2certifier/releases)
+- install the package locally
+
+```bash
+sudo apt-get install -y ./acme2certifier_<version>-1_all.deb
+```
+
+- Copy and activete apache2 configuration file
+
+```bash
+sudo cp /var/www/acme2certifier/examples/apache2/apache_django.conf /etc/apache2/sites-available/acme2certifier.conf
+sudo a2ensite acme2certifier
+```
+
+- Copy and activate apache2 ssl configuration file (optional)
+
+```bash
+sudo cp /var/www/acme2certifier/examples/apache2/apache_django_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf
+sudo a2ensite acme2certifier_ssl
+```
+
+- disable the default sites
+
+```bash
+sudo a2dissite 000-default.conf
+sudo a2dissite default-ssl
+```
+
+- copy the django handler and the django directory structure
+
+```bash
+sudo cp /var/www/acme2certifier/examples/db_handler/django_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
+sudo cp -R /var/www/acme2certifier/examples/django/* /var/www/acme2certifier/
+```
+
+- move the acme2certifier configuration file `acme_srv.cfg` into the mirrored diectory and create a symbolic link
+
+```bash
+sudo mv /var/www/acme2certifier/acme_srv/acme_srv.cfg /var/www/acme2certifier/volume/
+sudo ln -s /var/www/acme2certifier/volume/acme_srv.cfg  /var/www/acme2certifier/acme_srv/
+```
+
+- Enable and start the apache2 service
+
+```bash
+sudo systemctl enable apache2.service
+sudo systemctl start apache2.service
+```
+
+### setup on ub2204-c1
+
+- open the mysql commandline client
+
+```bash
+sudo mysql -u  root
+```
+
+- create a testdatabase and a test-table
+
+```SQL
+CREATE DATABASE acme2certifier CHARACTER SET UTF8;
+GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY 'a2cpasswd';
+FLUSH PRIVILEGES;
+```
+
+- generate a new django secret-key and note it down
+
+```bash
+python3 /var/www/acme2certifier/tools/django_secret_keygen.py
++%*lei)yj9b841=2d5(u)a&7*uwi@l99$(*&ong@g*p1%q)g$e
+```
+
+- modify `/var/www/acme2certifier/acme2certifier/settings.py` and
+  - insert the secret-key created in the previous step
+  - update the 'ALLOWED_HOSTS'- section with both ip-address and fqdn of the node
+  - configure a connection to mariadb as shown below
+
+```python
+SECRET_KEY = '+%*lei)yj9b841=2d5(u)a&7*uwi@l99$(*&ong@g*p1%q)g$e'
+...
+ALLOWED_HOSTS = ['192.168.14.132', 'ub2204-c1.bar.local']
+...
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'acme2certifier',
+        'USER': 'acme2certifier',
+        'PASSWORD': 'a2cpasswd',
+        'HOST': "ub2204-c1",
+        'OPTIONS': {"init_command": "SET sql_mode='STRICT_TRANS_TABLES', innodb_strict_mode=1","charset": "utf8mb4", "use_unicode": True},
+    },
+
+}
+```
+
+- Modify the [configuration file](acme_srv.md) `/var/www/acme2certifier/volume/acme_srv.cfg`according to you needs. If your ca-handler needs runtime information (configuration files, keys, certificate-bundles etc.) to be shared between the nodes make sure that they get loaded from `/var/www/acme2certifier/volume`. Below an example for the `[CAhandler]` section of the openssl-handler I use during my tests:
+
+```cfg
+[CAhandler]
+handler_file: /var/www/acme2certifier/examples/ca_handler/openssl_ca_handler.py
+ca_cert_chain_list: ["/var/www/acme2certifier/volume/root-ca-cert.pem"]
+issuing_ca_key: /var/www/acme2certifier/volume/ca/sub-ca-key.pk8
+issuing_ca_key_passphrase_variable: OPENSSL_PASSPHRASE
+issuing_ca_cert: /var/www/acme2certifier/volume/ca/sub-ca-cert.pem
+issuing_ca_crl: /var/www/acme2certifier/volume/ca/sub-ca-crl.pem
+cert_validity_days: 30
+cert_validity_adjust: True
+cert_save_path: /var/www/acme2certifier/volume/ca/certs
+save_cert_as_hex: True
+cn_enforce: True
+```
+
+- create a django migration set, apply the migrations and load fixtures
+
+```bash
+cd /var/www/acme2certifier
+sudo python3 manage.py makemigrations
+sudo python3 manage.py migrate
+sudo python3 manage.py loaddata acme_srv/fixture/status.yaml
+```
+
+- run the django_update script
+
+```bash
+sudo python3 /var/www/acme2certifier/tools/django_update.py
+```
+
+- restart the apache2 service
+
+```bash
+sudo systemctl restart apache2.service
+```
+
+- Test the server by accessing the directory ressource
+
+```bash
+curl http://ub2204-c1.bar.local/directory
+```
+
+```bash
+{"newAccount": "http://ub2204-c1.bar.local/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://ub2204-c1.bar.local/acme_srv/key-change", "newNonce": "http://ub2204-c1.bar.local/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://ub2204-c1.bar.local/acme_srv/neworders", "revokeCert": "http://ub2204-c1.bar.local/acme_srv/revokecert"}
+```
+
+### setup on ub2204-c2
+
+- generate a new django secret and note it down
+
+```bash
+python3 /var/www/acme2certifier/tools/django_secret_keygen.py
+5@@wlvvi!hb(6qc%*77j55@jt8ib4^f1o&+pz-^z*#v3e7u3o!
+```
+
+- modify `/var/www/acme2certifier/acme2certifier/settings.py` and
+  - insert a secret key created in the previous step
+  - update the 'ALLOWED_HOSTS'- section with both IP-Adress and fqdn of the node
+  - configure a connection to mariadb as shown below
+
+```python
+SECRET_KEY = '5@@wlvvi!hb(6qc%*77j55@jt8ib4^f1o&+pz-^z*#v3e7u3o!'
+...
+ALLOWED_HOSTS = ['192.168.14.133', 'ub2204-c2.bar.local']
+...
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'acme2certifier',
+        'USER': 'acme2certifier',
+        'PASSWORD': 'a2cpasswd',
+        'HOST': "ub2204-c2",
+        'OPTIONS': {"init_command": "SET sql_mode='STRICT_TRANS_TABLES', innodb_strict_mode=1","charset": "utf8mb4", "use_unicode": True},
+    },
+
+}
+```
+
+- restart the apache2 service
+
+```bash
+sudo systemctl restart apache2.service
+```
+
+- Test the server by accessing the directory ressource
+
+```bash
+curl http://ub2204-c2.bar.local/directory
+```
+
+```bash
+{"newAccount": "http://ub2204-c2.bar.local/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://ub2204-c2.bar.local/acme_srv/key-change", "newNonce": "http://ub2204-c2.bar.local/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://ub2204-c2.bar.local/acme_srv/neworders", "revokeCert": "http://ub2204-c2.bar.local/acme_srv/revokecert"}
+```
+
+## Test enrollment
+
+- try to enroll certificates from both nodes by using your favorite acme-client. I am using [lego](https://github.com/go-acme/lego) as this client supports multiple endpoints at once.
+
+- Example for enrollment from ub2204-c1
+
+```bash
+ docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://ub2204-c1.bar.local -a --email "lego@example.com" -d lego01.bar.local --http run
+```
+
+- Example for enrollment from ub2204-c2
+
+```bash
+ docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://ub2204-c2.bar.local -a --email "lego@example.com" -d lego01.bar.local --http run
+```
diff --git a/docs/a2c-ubuntu-loadbalancing.png b/docs/a2c-ubuntu-loadbalancing.png
new file mode 100644
index 00000000..6d68e075
Binary files /dev/null and b/docs/a2c-ubuntu-loadbalancing.png differ
diff --git a/docs/acme_ca.md b/docs/acme_ca.md
index a90732f1..76b00c35 100644
--- a/docs/acme_ca.md
+++ b/docs/acme_ca.md
@@ -45,11 +45,14 @@ The handler must be configured via `acme_srv`.
 | handler_file | path to ca_handler file | yes | None |
 | account_path | path to account ressource on ca server | no | '/acme/acct' |
 | acme_url | url of the acme endpoint | yes | None |
-| acme_account | acme account name. If not specified acme2certifer will try to lookup the account name based on the key-file | yes | None |
-| acme_keyfile | Path to private key json-format. If specified in config but not existing on file-system acme2certifer will generate a new key and try to register it |
+| acme_account | acme account name. If not specified acme2certifer will try to lookup the account name based on the key-file | no | None |
+| acme_keyfile | Path to private key json-format. If specified in config but not existing on file-system acme2certifer will generate a new key and try to register it | no | None |
+| acme_keypath | Path to private key directory. If specified in config acme2certifer store new keys in this directory | no | None |
 | acme_account_email | email address used to register a new account | no | None |
 | allowed_domainlist | list of domain-names allowed for enrollment in json format example: ["bar.local$, bar.foo.local] | no | [] |
 | directory_path | path to directory ressource on ca server | no | '/directory' |
+| eab_profiling |  enable eab-profiling  | None |  False |
+| ssl_verify | verify certificates on SSL connections | no | True |
 
 - modify the server configuration (`acme_srv/acme_srv.cfg`) and add at least the following parameters.
 
@@ -109,6 +112,18 @@ acme_account_email: email@example.com
 account_path: /account/
 ```
 
+# Example for smallstep ca
+
+Below a configuration to connect to a smallstep ca under the assumption that a provisioner called `myacme` has been created.
+
+```cfg
+acme_keyfile: acme_srv/acme/smallstep.json
+acme_url: https://<fqdn>/acme/myacme
+acme_account_email: email@example.com
+account_path: /
+ssl_verify: False
+```
+
 ## Example key-file in json format
 
 This is just an example for your reference. DO NOT USE IT ON YOUR SYSTEM!
@@ -129,3 +144,73 @@ You can also use existing keys generated by `certbot` which are usually stored i
  "dq": "cVUb7KqdUgpQO_T4jDKmb_6EdavdzPsu8wzKyLNI4MD1AtSVr-nWwY6QFCQulpdNM86nR0lmwadieuaxaeressdNW5RR0O0CJRTYHM_K1J88X8nKv-vBCiyd0QHFTEZngP51F-FtJg5yKeW7rUMYNAsCMOVaR7p8InelmiGgWpgU"
 }
 ```
+
+## Passing a profileID from client to server
+
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify acme-backend address to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+
+```config
+[Order]
+...
+header_info_list: ["HTTP_USER_AGENT"]
+```
+
+The acme-client can then specify the acme_url as part of its user-agent string.
+
+Example for acme.sh:
+
+```bash
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent acme_url=<acme-server url> --debug 3 --output-insecure
+```
+
+Example for lego:
+
+```bash
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent acme_url=<acme-server url> -d <fqdn> --http run
+```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+**Important**: In case `acme_url` variables will be specified in a profile (like for 'keyid_00' in the below example), the `acme_key_path` parameter must be set in `acme_srv.cfg` to ensure that the different key_files are being stored correctly.
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+acme_key_path: <path>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "acme_url": ["https://acme-staging-v02.api.letsencrypt.org", "https://api.buypass.com/acme", "https://acme.ssl.com/sslcom-dv-rsa"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"]
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "acme_url": "https://acme-staging-v02.api.letsencrypt.org",
+      "acme_keyfile": "/var/www/acme2certifier/volume/acme_ca/le_key.json",
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"]
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
+```
diff --git a/docs/acme_srv.md b/docs/acme_srv.md
index 5626f824..8174a7e5 100644
--- a/docs/acme_srv.md
+++ b/docs/acme_srv.md
@@ -16,13 +16,16 @@
 | `CAhandler` | `handler_file` | path and name of ca_handler file to be loaded. If not specified `acme_srv/ca_handler.py` will be loaded | examples/ca_handler/openssl_handler.py | `acme_srv/ca_handler.py`|
 | `Certificate` | `revocation_reason_check_disable` | disable the check of revocation reason | True/False | False|
 | `Certificate` | `cert_reusage_timeframe` | in case a csr will be resend within this timeframe (in seconds) the  certificate already stored in the database will be returned and no enrollment will be triggered| Integer |0 (disabled)|
-| `Certificate` | `enrollment_timeout` | timeout in second for asynchronous ca_handler threat| Integer |5|
+| `Certificate` | `enrollment_timeout` | timeout in seconds for asynchronous ca_handler threat| Integer |5|
 | `Challenge` | `challenge_validation_disable` | disable challenge validation via http or dns. THIS IS A SEVERE SECURITY ISSUE! Please enable for testing/debugging purposes only. | True/False | False|
 | `Challenge` | `challenge_validation_timeout` | Timeout in seconds for challenge validation | Integer | 10 |
 | `Challenge` | `dns_server_list` | Use own dns servers for name resolution during challenge verification| ["ip1", "ip2"] | []|
+| `Challenge` | `dns_validation_pause_timer` | pause interval in seconds after failed validation of a dns challenge | 10 | 0.5 |
 | `Challenge` | `sectigo_sim` | provide `sectigo-email-01` challenges - Only for development and testing! | True/False | False |
 | `DBhandler` | `dbfile` | path and name of database file. If not specified `acme_srv/acme_srv.db` will be used. Parameter is only available for a wsgi handler and will be ignored if django handler is getting used | 'acme/database.db' | `acme_srv/acme_srv.db`|
 | `Directory` | `db_check` | check database connection compare schemes and report as OK/NOK in meta information  | True/False | False|
+| `Directory` | `home` | homepage string to be shown when fetching the directory ressource  | 'string' | 'https://github.com/grindsa/acme2certifier' |
+| `Directory` | `supress_product_information` | Do not show product name, author and version when fetching the directory resource | True/False | False|
 | `Directory` | `supress_version` | Do not show version information when fetching the directory resource | True/False | False|
 | `Directory` | `tos_url` | Terms of Service URL | URL | None|
 | `Directory` | `url_prefix` | url prefix for acme2certifier resources | '/foo' | None|
@@ -36,6 +39,7 @@
 | `Order` | `expiry_check_disable` | Disable order expiration  | True/False | False|
 | `Order` | `header_info_list` | HTTP header fields to be passed to ca handler  | ["HTTP_USER_AGENT", "FOO_BAR"] |[]|
 | `Order` | `retry_after_timeout` | Retry-After value to be send to client in case a certificate enrollment request gets pending on CA server  | Integer |120|
+| `Order` | `identifier_limit` | Maximum number of identifiers submitted in a single order request which translate later into SANs per certificate | Integer |20|
 | `Order` | [`tnauthlist_support`](tnauthlist.md) | accept [TNAuthList identifiers](https://tools.ietf.org/html/draft-ietf-acme-authority-token-tnauthlist-03) and challenges containing [tkauth-01 type](https://tools.ietf.org/html/draft-ietf-acme-authority-token-03) | True/False | False|
 | `Order` | `validity` | Order validity in seconds | Integer |86400|
 
diff --git a/docs/asa.md b/docs/asa.md
new file mode 100644
index 00000000..d43359cc
--- /dev/null
+++ b/docs/asa.md
@@ -0,0 +1,83 @@
+<!-- markdownlint-disable  MD013 -->
+<!-- wiki-title CA handler for Insta -->
+# Connecting to Insta ActiveCMS
+
+## Prerequisites
+
+- ActiveCMS needs to have Active Security API activated
+- you need to have user, password and an api key to access the ASA
+- you need ot have permissions to revoke and enroll certificates
+
+## Configuration
+
+- modify the server configuration (`/acme_srv/acme_srv.cfg`) and add the following parameters
+
+```config
+[CAhandler]
+handler_file: examples/ca_handler/asa_ca_handler.py
+api_host: http://<ip>:<port>
+api_user: <user>
+api_password: <password>
+api_key: <api_key>
+ca_bundle: <value>
+ca_name: <ca_name>
+profile_name: <value>
+cert_validity_days: <days>
+```
+
+- api_host - URL of Active Security API
+- api_user - REST user
+- api_user_variable - *optional* - name of the environment variable containing the REST username (a configured `api_user` parameter in acme_srv.cfg takes precedence)
+- api_password - password for REST user
+- api_password_variable - *optional* - name of the environment variable containing the password for the REST user (a configured `api_password` parameter in acme_srv.cfg takes precedence)
+- api_key - key for REST user
+- api_key_variable - *optional* - name of the environment variable containing the api_key for the REST access (a configured `api_key` parameter in acme_srv.cfg takes precedence)
+- ca_bundle - certificate bundle needed to validate the server certificate - can be True/False or a filename (default: None)
+- ca_name - name of the CA used to enroll certificates
+- profile_name - profile name
+- cert_validity_days - optional - polling timeout (default: 60s)
+
+It is also recommended to increase the enrollment timeout to avoid that acme2certifier is closing the connection to early.
+
+```config
+[Certificate]
+enrollment_timeout:15
+```
+
+You can get the list of certificate authrities by running the following REST call against ASA.
+
+```bash
+root@rlh:~# curl -u '$api_user':'$api_password' -H "x-api-key: <api_key> $api_host'/list_issuers
+```
+
+You can get the list of profiles by running the following REST call against ASA (ca_name parameter must be [url-encoded](https://en.wikipedia.org/wiki/Percent-encoding)).
+
+```bash
+root@rlh:~# curl -u '$api_user':'$api_password' -H "x-api-key: <api_key> $api_host'/list_profiles?issuerName=<ca_name>
+```
+
+The CA handler will verify ca_name and profile_name parameters before enrollment.
+
+## Passing a profileID from client to server
+
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a profile_name to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+
+```config
+[Order]
+...
+header_info_list: ["HTTP_USER_AGENT"]
+```
+
+The acme-client can then specify the profile_name as part of its user-agent string.
+
+Example for acme.sh:
+
+```bash
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent profile_name=<profile-name> --debug 3 --output-insecure
+```
+
+Example for lego:
+
+```bash
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent profile_name=<profile_name> -d <fqdn> --http run
+```
diff --git a/docs/certifier.md b/docs/certifier.md
index fab9d67a..71734aa4 100644
--- a/docs/certifier.md
+++ b/docs/certifier.md
@@ -21,6 +21,7 @@ ca_bundle: <value>
 ca_name: <ca_name>
 profile_id: <value>
 polling_timeout: <seconds>
+eab_profiling: <True|False>
 ```
 
 - api_host - URL of the Certifier-REST service
@@ -32,6 +33,7 @@ polling_timeout: <seconds>
 - ca_name - name of the CA used to enroll certificates
 - profile_id - optional - profileId
 - polling_timeout - optional - polling timeout (default: 60s)
+- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False)
 
 Depending on CA policy configuration a CSR may require approval. In such a situation acme2certfier will poll the CA server to check the CSR status. The polling interval can be configured in acme.server.cfg.
 
@@ -72,9 +74,9 @@ The response to this call will show a dictionary containing the list of CAs incl
   ]
 ```
 
-## Passing a profileID from client to server
+## Passing a profile_id from client to server
 
-The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a profileID to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a profile_id to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
 
 ```config
 [Order]
@@ -87,13 +89,57 @@ The acme-client can then specify the profileID as part of its user-agent string.
 Example for acme.sh:
 
 ```bash
-docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent profileID=101 --debug 3 --output-insecure
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent profile_id=101 --debug 3 --output-insecure
 ```
 
 Example for lego:
 
 ```bash
-docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent profileID=101 -d <fqdn> --http run
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent profile_id=101 -d <fqdn> --http run
+```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: <profile_file>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "profile_id": ["p100", "p101", "p102"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"]
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "profile_id": "102",
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "ca_name": "subca2"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
 ```
 
 ## CA policy configuration
diff --git a/docs/database_scheme.png b/docs/database_scheme.png
index cbb7f313..320d095e 100644
Binary files a/docs/database_scheme.png and b/docs/database_scheme.png differ
diff --git a/docs/digicert.md b/docs/digicert.md
new file mode 100644
index 00000000..e3bf9687
--- /dev/null
+++ b/docs/digicert.md
@@ -0,0 +1,116 @@
+<!-- markdownlint-disable  MD013 -->
+<!-- wiki-title CA handler for Digicert CertCentral -->
+# Connecting to DigiCert CertCentral
+
+This handler can be used to enroll certificates from [DigiCert CertCentral](https://dev.digicert.com/en/certcentral-apis.html).
+
+## Prerequisites
+
+- you'll need:
+  - a DigiCert CertCentral subscription :-)
+  - an [API-Key](https://dev.digicert.com/en/certcentral-apis/authentication.html) for Authentication and Authorization
+  - an [Organization](https://dev.digicert.com/en/certcentral-apis/services-api/organizations.html)
+  - a [whitelisted domain](https://dev.digicert.com/en/certcentral-apis/services-api/domains.html)
+
+## Configuration
+
+- modify the server configuration (`acme_srv.cfg`) and add the first thre of the below mentioned parameters
+
+```confag
+[CAhandler]
+handler_file: examples/ca_handler/digicert_ca_handler.py
+api_key: <api_key>
+organization_name: <organization_name>
+
+allowed_domainlist: <allowed_domainlist>
+api_url: <api_url>
+organization_id: <organization_id>
+cert_type: <cert_type>
+signature_hash: <signature_hash>
+order_validity: <order_validity>
+request_timeout: <seconds>
+eab_profiling: <True|False>
+```
+
+- api_key - required - API key to access the API
+- organization_name - required - Organization name as specified in DigiCert CertCentral
+- allowed_domainlist: list of domain-names allowed for enrollment in json format (example: ["bar.local$, bar.foo.local])
+- api_url - optional - URL of the CertCentral API
+- organization_id - optional - organization id - configuration prevents additional rest-lookups
+- cert_type - optional - [certificte type](https://dev.digicert.com/en/certcentral-apis/services-api/orders.html) to be isused. (default: ssl_basic)
+- signature_hash - optional - hash algorithm used for certificate signing - (default: sha256)
+- order_validity - optional - oder validity (default: 1 year)
+- request_timeout - optional - requests timeout in seconds for requests (default: 5s)
+- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False)
+
+Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the [disclaimer section of our README file](../README.md)
+
+*Important:* the DigiCert API expectes a CommonName to be set. Hence, certbot cannot be used for certificate enrollment.
+
+## Passing a cert_type from client to server
+
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a [certificate type](https://dev.digicert.com/en/certcentral-apis/services-api/orders.html) to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+
+```config
+[Order]
+...
+header_info_list: ["HTTP_USER_AGENT"]
+```
+
+The acme-client can then specify the cert_type as part of its user-agent string.
+
+Example for acme.sh:
+
+```bash
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent cert_type=ssl_securesite_pro --debug 3 --output-insecure
+```
+
+Example for lego:
+
+```bash
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent cert_type=ssl_securesite_pro -d <fqdn> --http run
+```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: <profile_file>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "cert_type": ["ssl_basic", "ssl_securesite_pro", "ssl_securesite_flex"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "organization_name": "acme2certifier"
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "cert_type": "ssl_securesite_pro"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
+```
diff --git a/docs/eab.md b/docs/eab.md
index 9fd745fd..8506b2bb 100644
--- a/docs/eab.md
+++ b/docs/eab.md
@@ -44,13 +44,52 @@ kid and mac_key need to be stored as key/value pairs in json format.
 
 ```json
 {
-  "keyid_01": "bWFjXzAw",
+  "keyid_00": "bWFjXzAw",
   "keyid_01": "bWFjXzAx",
   "keyid_02": "bWFjXzAy",
   "keyid_03": "bWFjXzAz"
 }
 ```
 
+## Keyfile verification
+
+In the keyfile can be checked for consistency by using the `tools/eab_chk.py` utility.
+
+```bash
+ py /var/www/acme2certifier/tools/eab_chk.py --help
+```
+
+```bash
+usage: eab_chk.py [-h] -c CONFIGFILE [-d] [-v] [-vv] [-k KEYID | -s]
+
+eab_chk.py - verify eab keyfile
+
+options:
+  -h, --help            show this help message and exit
+  -c CONFIGFILE, --configfile CONFIGFILE
+                        configfile
+  -d, --debug           debug mode
+  -v, --verbose         verbose
+  -vv, --veryverbose    show enrollment profile
+  -k KEYID, --keyid KEYID
+                        keyid to filter
+  -s, --summary         summary
+```
+
+Below the example output by using the above mentioned json keyfile
+
+```bash
+ py /var/www/acme2certifier/tools/eab_chk.py  -c /var/www/acme2certifier/acme_srv/acme_srv.cfg -v
+```
+
+```bash
+Summary: 4 entries in kid_file
+keyid_00: bWFjXzAw
+keyid_01: bWFjXzAx
+keyid_02: bWFjXzAy
+keyid_03: bWFjXzAz
+```
+
 ## create a customized eab handler
 
 Creating your own eab-handler is pretty straightforward.  All you need to do is to create your own handler.py with a "EABhandler" class containing a __mac_key_get__ method to lookup the `mac_key` based on a given `kid`.
@@ -90,3 +129,4 @@ class EABhandler(object):
         self.logger.debug('EABhandler.mac_key_get({})'.format(kid))
         mac_key =  # code to lookup the mac_key...
         return mac_key
+```
diff --git a/docs/eab_profiling.md b/docs/eab_profiling.md
new file mode 100644
index 00000000..02fa0fbe
--- /dev/null
+++ b/docs/eab_profiling.md
@@ -0,0 +1,241 @@
+<!-- markdownlint-disable  MD013 -->
+<!-- wiki-title Enrollment profiling via external account binding -->
+# Enrollment profiling via external account binding
+
+Starting with  version 0.34 acme2certifier supports the configuration of account specific enrollment configuration. Depending on the handler to be used the feature allows the definition of individual authentication credentials, enrollment profiles or certificate authoritzies.
+
+Currently the following ca-handlers had been modified and do support this feature:
+
+- [generic ACME](acme_ca.md)
+- [EJBCA](ejbca.md)
+- [Insta ActiveCMS](asa.md)
+- [Insta certifier/NetGuard Certificate manager](certifier.md)
+- [Microsoft Certificate Enrollment Web Services](mscertsrv.md)
+- [Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM](mswcce.md)
+- [XCA](xca.md)
+
+In case you need support for a different ca-handler feel free to raise an [issue](https://github.com/grindsa/acme2certifier/issues/new).
+
+## Configuration
+
+This feature requires [external account binding](eab.md) to be enabled and a specific EAB-handler to be configured.
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: volume/kid_profiles.json
+```
+
+The `key_file` allows the specification enrollmenmt parameters per (external) acme-account. Main identifier is the key_id to be used during account registration. Any parameter used in the [CAhandler] configuration section of a handler can be customized. Below an example configuration to be used for [Insta Certifier](certifier.md) with some explanation:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "hmac-key",
+    "cahandler": {
+      "profile_id": "profile_1",
+      "allowed_domainlist": ["*.example.com", "*.example.org", "*.example.fi"],
+      "ca_name": "non_default_ca",
+      "api_user": "non_default_api_user",
+      "api_password": "api_password"
+    }
+  },
+  "keyid_01": {
+    "hmac": "hmac-key",
+    "cahandler": {
+      "profile_id": ["profile_1", "profile_2", "profile_3"],
+      "allowed_domainlist": ["*.example.fi", "*.acme"]
+    }
+  },
+  "keyid_02": {
+    "hmac": "hmac-key"
+  }
+}
+```
+
+- Acme-accounts created with keyid "keyid_00" will always use profile-id "profile_1" and specific api-user credentials for enrollment from certificate authority "non_default_ca". Further, the SAN/Common names to be used in enrollment requests are restricted to the domains "example.com", "example.org" and "example.fi".
+- Acme-accounts created with keyid "keyid_01" and can specify 3 different profile_ids by using the [header_info feature](header_info.md). Enrollment requests having other profile_ids will be rejected. In case no profile_id get specified the first profile_id in the list ("profile_1") will be used. SAN/CNs to be used are restricted to "example.fi" and ".local" All other enrollment paramters will be taken from acme_srv.cfg
+- Acme-accounts created with keyid "keyid_02" do not have any restriction. Enrolment parameters will be taken from the [CAhandler] section in ´acme_srv.cfg`
+
+Starting from v0.36 acme2certifier does support profile configuration in yaml format. Below a configuration example providing the same level of functionality than the above json configuration
+
+```yaml
+---
+{
+---
+keyid_00:
+  hmac: "hmac-key"
+  cahandler:
+    profile_id: "profile_1"
+    allowed_domainlist:
+    - "*.example.com"
+    - "*.example.org"
+    - "*.example.fi"
+    ca_name: "non_default_ca"
+    api_user: "non_default_api_user"
+    api_password: "api_password"
+keyid_01:
+  hmac: "hmac-key"
+  cahandler:
+    profile_id:
+    - "profile_1"
+    - "profile_2"
+    - "profile_3"
+    allowed_domainlist:
+    - "*.example.fi"
+    - "*.acme"
+keyid_02:
+  hmac: "hmac-key"
+```
+
+## subject profiling
+
+Starting from v0.36 the eab-profiling feature can be used to check and white-list the certificate subject DN.
+
+Attribute names must follow [RFC3039](https://www.rfc-editor.org/rfc/rfc3039.html#section-3.1.2); every RDN can be white-listed as:
+
+- string - attribute in CSR DN must match this value
+- list - attribute in CSR DN must match one of the list entries
+- "*" - any value matches as long as the attribute is present
+
+The below example configuration will only allow CSR matching the following ciriterias:
+
+- serial number can be of any value but must be included
+- organizationalUnitName must be either "acme1" or "acme2"
+- organizationName must be "acme corp"
+- countryName must be "AC"
+- additional CSR DN such as localityName or stateOrProvinceName are not allowed
+
+```json
+...
+{
+  "keyid_00": {
+    "hmac": "hmac-key",
+    "cahandler": {
+      "template_name": ["template", "acme"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "subject": {
+        "serialNumber": "*",
+        "organizationName": "acme corp",
+        "organizationalUnitName": ["acme1", "acme2"],
+        "countryName": "AC"
+       }
+    }
+  }
+}
+...
+```
+
+## Profile verification
+
+In the keyfile can be checked for consistency by using the `tools/eab_chk.py` utility.
+
+```bash
+ py /var/www/acme2certifier/tools/eab_chk.py --help
+```
+
+```bash
+usage: eab_chk.py [-h] -c CONFIGFILE [-d] [-v] [-vv] [-k KEYID | -s]
+
+eab_chk.py - verify eab keyfile
+
+options:
+  -h, --help            show this help message and exit
+  -c CONFIGFILE, --configfile CONFIGFILE
+                        configfile
+  -d, --debug           debug mode
+  -v, --verbose         verbose
+  -vv, --veryverbose    show enrollment profile
+  -k KEYID, --keyid KEYID
+                        keyid to filter
+  -s, --summary         summary
+```
+
+Below the example output by using the above mentioned keyfile
+
+- show a summary only
+
+```bash
+py /var/www/acme2certifier/tools/eab_chk.py  -c /var/www/acme2certifier/acme_srv/acme_srv.cfg
+```
+
+```bash
+Summary: 4 entries in kid_file
+```
+
+- show keyids and hmac
+
+```bash
+ py /var/www/acme2certifier/tools/eab_chk.py  -c /var/www/acme2certifier/acme_srv/acme_srv.cfg -v
+```
+
+```bash
+Summary: 4 entries in kid_file
+keyid_00: V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw
+keyid_01: YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg
+keyid_02: dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
+keyid_03: YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr
+```
+
+- show profiles
+
+```bash
+py /var/www/acme2certifier/tools/eab_chk.py  -c /var/www/acme2certifier/acme_srv/acme_srv.cfg -vv
+```
+
+```bash
+Summary: 4 entries in kid_file
+keyid_00:
+  cahandler:
+    allowed_domainlist:
+    - www.example.com
+    - www.example.org
+    - '*.example.fi'
+    - '*.bar.local'
+    profile_id:
+    - '101'
+    - '102'
+    profile_name:
+    - ACME_2
+    - ACME
+    template_name:
+    - TLS_Server
+    - acme
+  hmac: V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw
+keyid_01:
+  cahandler:
+    allowed_domainlist:
+    - '*.example.fi'
+    - '*.acme'
+    - '*.bar.local'
+    profile_id: '101'
+    profile_name: ACME_2
+    template_name: TLS_Server
+  hmac: YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg
+keyid_02:
+  cahandler:
+    ca_name: RSA Root CA
+  hmac: dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
+keyid_03:
+  hmac: YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr
+```
+
+- filter output to a single keyid
+
+```bash
+py /var/www/acme2certifier/tools/eab_chk.py  -c /var/www/acme2certifier/acme_srv/acme_srv.cfg -k keyid_01
+```
+
+```bash
+Summary: 1 entries in kid_file
+keyid_01:
+  cahandler:
+    allowed_domainlist:
+    - '*.example.fi'
+    - '*.acme'
+    - '*.bar.local'
+    profile_id: '101'
+    profile_name: ACME_2
+    template_name: TLS_Server
+  hmac: YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg
+```
diff --git a/docs/ejbca.md b/docs/ejbca.md
index 981e3153..047eaf8d 100644
--- a/docs/ejbca.md
+++ b/docs/ejbca.md
@@ -8,11 +8,11 @@ This handler can be used to enroll certificates from the [Open Source version of
 
 - [EJBCA](https://www.ejbca.org) needs to have the RESTv1-service enabled
 - you'll need:
-  - a [client certificate and key in p12](https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/authentication-methods) format to authenticate towards the rest-service
+  - a [client certificate and key in p12](https://docs.keyfactor.com/ejbca/latest/authentication-methods) format to authenticate towards the rest-service
   - the name of the CA issuing the certificates from EJBA admin UI
   - a username and enrolment code
-  - a [certificate profile name](https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/certificate-profiles-overview)
-  - an [end-entity profile name](https://download.primekey.com/docs/EJBCA-Enterprise/6_14_1/End_Entity_Profiles.html)
+  - a [certificate profile name](https://docs.keyfactor.com/ejbca/latest/certificate-profiles-overview)
+  - an [end-entity profile name](https://docs.keyfactor.com/ejbca/latest/end-entity-profiles-overview)
 
 ## Configuration
 
@@ -30,6 +30,7 @@ username: <name>
 enrollment_code: <value>
 ca_name: <name>
 request_timeout: <seconds>
+eab_profiling: <True|False>
 ```
 
 - api_host - URL of the EJBCA-Rest service
@@ -45,6 +46,7 @@ request_timeout: <seconds>
 - ee_profile_name - name of the end entity profile
 - ca_name - name of the CA used to enroll certificates
 - request_timeout - optional - requests timeout in seconds for requests (default: 5s)
+- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False)
 
 You can test the connection by running the following curl command against your EJBCA server.
 
@@ -63,3 +65,71 @@ The response to this call will show a dictionary containing status und version n
 ```
 
 Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the [disclaimer section of our README file](../README.md)
+
+## Passing a profile_id from client to server
+
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a certificate profile to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+
+```config
+[Order]
+...
+header_info_list: ["HTTP_USER_AGENT"]
+```
+
+The acme-client can then specify the profileID as part of its user-agent string.
+
+Example for acme.sh:
+
+```bash
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent cert_profile_name=acme_clt --debug 3 --output-insecure
+```
+
+Example for lego:
+
+```bash
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent cert_profile_name=acme_clt -d <fqdn> --http run
+```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: <profile_file>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "cert_profile_name": ["acmeca2", "acmeca1"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"]
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "cert_profile_name": "acmeca2",
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "ca_name": "acmeca"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
+```
diff --git a/docs/entrust.md b/docs/entrust.md
new file mode 100644
index 00000000..9fbc2837
--- /dev/null
+++ b/docs/entrust.md
@@ -0,0 +1,114 @@
+<!-- markdownlint-disable  MD013 -->
+<!-- wiki-title CA handler for Entrust ECS Enterprise -->
+# Connecting to Entrust ECS Enterprise
+
+This handler can be used to enroll certificates from Entrust ECS Enterprise API.
+
+## Prerequisites
+
+- you'll need:
+  - Username and Password for HTTP-BASIC authentication
+  - if configured - a client certificate for mutual TLS authentication towards the Entrust RESt API
+  - an pre-validated Organization name
+
+## Configuration
+
+- modify the server configuration (`acme_srv.cfg`) and add the first thre of the below mentioned parameters
+
+```confag
+[CAhandler]
+handler_file: examples/ca_handler/entrust_ca_handler.py
+username: <Username>
+password: <Password>
+certtype: <certificate type>
+organization_name: <organization name>
+
+client_cert: <client file>
+cert_passphrase: <pkcs#12 passphrase>
+cert_validity_days: <certificate validity>
+allowed_domainlist: <allowed_domainlist>
+request_timeout: <seconds>
+eab_profiling: <True|False>
+```
+
+- username - required - username access the API
+- password - required - password to access the PI
+- organization_name - required - Organization name as specified in DigiCert CertCentral
+- client_cert - optional - client certificate to access the API (to be stored in either pem or pkcs#12 format)
+- client_key - optional - client private key to access the API (must be stored in pem format)
+- client_passphrase - passphrase to access the client_cert (if stored in pkcs#2 format)
+- cert_type - optional - certificate type to be isused. (default: STANDARD_SSL)
+- cert_validity_days - certificate validity in days (default: 365)
+- allowed_domainlist: list of domain-names allowed for enrollment in json format (example: ["bar.local$, bar.foo.local])
+- request_timeout - optional - requests timeout in seconds for requests (default: 5s)
+- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False)
+
+Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the [disclaimer section of our README file](../README.md)
+
+## Passing a cert_type from client to server
+
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a certificate type to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+
+```config
+[Order]
+...
+header_info_list: ["HTTP_USER_AGENT"]
+```
+
+The acme-client can then specify the cert_type as part of its user-agent string.
+
+Example for acme.sh:
+
+```bash
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent cert_type=ADVANTAGE_SSL --debug 3 --output-insecure
+```
+
+Example for lego:
+
+```bash
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent cert_type=ADVANTAGE_SSL -d <fqdn> --http run
+```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: <profile_file>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "cert_type": ["ADVANTAGE_SSL", "STANDARD_PLUS_SSL", "WILDCARD_SSL"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "organization_name": "acme2certifier"
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "cert_type": "ADVANTAGE_SSL"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
+```
diff --git a/docs/external_database_support.md b/docs/external_database_support.md
new file mode 100644
index 00000000..890528bf
--- /dev/null
+++ b/docs/external_database_support.md
@@ -0,0 +1,220 @@
+<!-- markdownlint-disable MD013 -->
+<!-- wiki-title: Support for External Databases -->
+# Support for External Databases
+
+Acme2certifier supports external databases by using the [Django Python framework](https://www.djangoproject.com/). The default SQLite backend is not designed to handle concurrent write access, which can easily occur in an environment with a high transaction frequency.
+
+All [databases supported by Django](https://docs.djangoproject.com/en/5.0/ref/databases/) should work in theory; MariaDB and PostgreSQL will be tested during [release regression](https://github.com/grindsa/acme2certifier/blob/master/.github/workflows/django_tests..yml).
+
+This guide is written for **Ubuntu 22.04**; however, adapting it to other Linux distributions should not be difficult.
+
+## Preparation
+
+### When Using MariaDB
+
+The steps below assume that MariaDB is already installed and running on your system.
+
+- Open the MySQL command-line client:
+
+```bash
+sudo mysql -u  root
+```
+
+- create the acme2certifier database and database user
+
+```SQL
+CREATE DATABASE acme2certifier CHARACTER SET UTF8;
+GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY 'a2cpasswd';
+FLUSH PRIVILEGES;
+```
+
+- Install missing Python modules:
+
+```bash
+apt-get install python3-django python3-mysqldb python3-pymysql
+```
+
+### When using PostgreSQL
+
+It is assumed that PostgreSQL is already installed and running.
+
+- Open the PostgreSQL command-line client:
+
+```bash
+sudo psql -U postgres
+```
+
+- Create the acme2certifier database and database user:
+
+```SQL
+CREATE DATABASE acme2certifier;
+CREATE USER acme2certifier WITH PASSWORD 'a2cpasswd';
+ALTER ROLE acme2certifier SET client_encoding TO 'utf8';
+ALTER ROLE acme2certifier SET default_transaction_isolation TO 'read committed';
+ALTER ROLE acme2certifier SET timezone TO 'UTC';
+GRANT ALL PRIVILEGES ON DATABASE acme2certifier TO acme2certifier;
+GRANT ALL ON schema public TO acme2certifier;
+GRANT USAGE ON schema public TO acme2certifier;
+GRANT postgres TO acme2certifier;
+```
+
+- Install missing python modules
+
+```bash
+sudo apt-get install python3-django python3-psycopg2
+```
+
+## Install and Configure acme2certifier
+
+- Downlaod the [latest deb package](https://github.com/grindsa/acme2certifier/releases)
+- Install the package locally
+
+```bash
+sudo apt-get install -y ./acme2certifier_<version>-1_all.deb
+```
+
+- Copy and activete Apache2 configuration file
+
+```bash
+sudo cp /var/www/acme2certifier/examples/apache2/apache_django.conf /etc/apache2/sites-available/acme2certifier.conf
+sudo a2ensite acme2certifier
+```
+
+- Copy and activate the Apache2 SSL configuration file (optional):
+
+```bash
+sudo cp /var/www/acme2certifier/examples/apache2/apache_django_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf
+sudo a2ensite acme2certifier_ssl
+```
+
+- Disable the default sites:
+
+```bash
+sudo a2dissite 000-default.conf
+sudo a2dissite default-ssl
+```
+
+- Copy the Django handler and the Django directory structure:
+
+```bash
+sudo cp /var/www/acme2certifier/examples/db_handler/django_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
+sudo cp -R /var/www/acme2certifier/examples/django/* /var/www/acme2certifier/
+```
+
+- Enable and start the Apache2 service:
+
+```bash
+sudo systemctl enable apache2.service
+sudo systemctl start apache2.service
+```
+
+- Generate a new Django secret key and note it down:
+
+```bash
+python3 /var/www/acme2certifier/tools/django_secret_keygen.py
++%*lei)yj9b841=2d5(u)a&7*uwi@l99$(*&ong@g*p1%q)g$e
+```
+
+- Modify `/var/www/acme2certifier/acme2certifier/settings.py` and:
+  - Insert the secret-key created in the previous step
+  - Update the 'ALLOWED_HOSTS'- section with both ip-address and fqdn of the node
+  - Configure a connection to mariadb as shown below
+
+```python
+SECRET_KEY = '+%*lei)yj9b841=2d5(u)a&7*uwi@l99$(*&ong@g*p1%q)g$e'
+ALLOWED_HOSTS = ['192.168.14.132', 'ub2204-c1.bar.local']
+(...)
+```
+
+### Connecting to MariaDB
+
+- Modify `/var/www/acme2certifier/acme2certifier/settings.py` and configure your database connection as below:
+
+```python
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'acme2certifier',
+        'USER': 'acme2certifier',
+        'PASSWORD': 'a2cpasswd',
+        'HOST': "ub2204-c1",
+        'OPTIONS': {"init_command": "SET sql_mode='STRICT_TRANS_TABLES', innodb_strict_mode=1","charset": "utf8mb4", "use_unicode": True},
+    },
+
+}
+```
+
+### Connecting to PostGres
+
+- Modify `/var/www/acme2certifier/acme2certifier/settings.py` and configure your databdatabase connection as below:
+
+```python
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'NAME': 'acme2certifier',
+        'USER': 'acme2certifier',
+        'PASSWORD': 'a2cpasswd',
+        'HOST': 'postgresdbsrv',
+        'PORT': '',
+    }
+}
+```
+
+## Finilize acme2cerifier configuration
+
+- Create a Django migration set, apply the migrations, and load fixtures: the [configuration file](acme_srv.md) `/var/www/acme2certifier/volume/acme_srv.cfg`according to your needs. If your CA handler needs runtime information (configuration files, keys, certificate bundles, etc.) to be shared between the nodes, ensure they are loaded from `/var/www/acme2certifier/volume`. Below an example for the `[CAhandler]` section of the openssl-handler I use during my tests:
+
+```cfg
+[CAhandler]
+handler_file: /var/www/acme2certifier/examples/ca_handler/openssl_ca_handler.py
+ca_cert_chain_list: ["/var/www/acme2certifier/volume/root-ca-cert.pem"]
+issuing_ca_key: /var/www/acme2certifier/volume/ca/sub-ca-key.pk8
+issuing_ca_key_passphrase_variable: OPENSSL_PASSPHRASE
+issuing_ca_cert: /var/www/acme2certifier/volume/ca/sub-ca-cert.pem
+issuing_ca_crl: /var/www/acme2certifier/volume/ca/sub-ca-crl.pem
+cert_validity_days: 30
+cert_validity_adjust: True
+cert_save_path: /var/www/acme2certifier/volume/ca/certs
+save_cert_as_hex: True
+cn_enforce: True
+```
+
+- Create a Django migration set, apply the migrations, and load fixtures:
+
+```bash
+cd /var/www/acme2certifier
+sudo python3 manage.py makemigrations
+sudo python3 manage.py migrate
+sudo python3 manage.py loaddata acme_srv/fixture/status.yaml
+```
+
+- Run the Django update script:
+
+```bash
+sudo python3 /var/www/acme2certifier/tools/django_update.py
+```
+
+- Restart the apache2 service
+
+```bash
+sudo systemctl restart apache2.service
+```
+
+- Test the server by accessing the directory ressource
+
+```bash
+curl http://ub2204-c1.bar.local/directory
+```
+
+```bash
+{"newAccount": "http://ub2204-c1.bar.local/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://ub2204-c1.bar.local/acme_srv/key-change", "newNonce": "http://ub2204-c1.bar.local/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://ub2204-c1.bar.local/acme_srv/neworders", "revokeCert": "http://ub2204-c1.bar.local/acme_srv/revokecert"}
+```
+
+## Test enrollment
+
+- Try to enroll certificates by using your favorite acme-client. I am using [lego](https://github.com/go-acme/lego).
+
+```bash
+ docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://ub2204-c1.bar.local -a --email "lego@example.com" -d lego01.bar.local --http run
+```
diff --git a/docs/install_apache2_wsgi.md b/docs/install_apache2_wsgi.md
index 30182d00..8fbf72cb 100644
--- a/docs/install_apache2_wsgi.md
+++ b/docs/install_apache2_wsgi.md
@@ -5,12 +5,12 @@
 A [readymade shell script](../examples/install_scripts/a2c-ubuntu22-apache2.sh) performing the below tasks will can be found in `examples/install_scripts` directory.
 
 1. Install apache2 and the corresponding wsgi module
-$ sudo apt-get install -y apache2 libapache2-mod-wsgi-py3 python3-pip apache2-data
+$ sudo apt-get install -y apache2 libapache2-mod-wsgi-py3 python3-pip apache2-data curl krb5-user libgssapi-krb5-2 libkrb5-3 python3-gssapi
 
 2. check if the wsgi module is activated in your apache configuration
 
 ```bash
-$ sudo apache2ctl -M | grep -i wsgi
+sudo apache2ctl -M | grep -i wsgi
  wsgi_module (shared)
 ```
 
@@ -21,24 +21,28 @@ if the wsgi_module is not enabled please check the internet how to do...
 4. install the missing modules via pip
 
 ```bash
-$ sudo pip3 install -r requirements.txt
+sudo pip3 install -r requirements.txt
 ```
 
 5. copy the file `examples/apache2/apache_wsgi.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to you needs.
 
-6. in case you would like to activate TLS copy the file `examples/acme_wsgi_ssl.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to your needs. Do not forget to place the key-bundle. This
-
-file must contain the following certificate data in pem format:
+6. in case you would like to activate TLS copy the file `examples/acme_wsgi_ssl.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to your needs. Do not forget to place the key-bundle. This file must contain the following certificate data in pem format:
 
 - the private key
 - the end-entity certificate
 - intermediate CA certificates, sorted from leaf to root (root CA certificate should not be included for security reasons)
 
+Further, the ssl module needs to be activated
+
+```bash
+sudo a2enmod ssl
+```
+
 7. activate the virtual server(s)
 
 ```bash
-$ sudo a2ensite acme2certifier.conf
-$ sudo a2ensite acme2certifier_ssl.conf
+sudo a2ensite acme2certifier.conf
+sudo a2ensite acme2certifier_ssl.conf
 ```
 
 8. create a directory `/var/www/acme2certifier`
@@ -46,19 +50,19 @@ $ sudo a2ensite acme2certifier_ssl.conf
 10. copy the directories `examples/ca_hander/`, `examples/eab_handler/`, `examples/hooks/` and `tools` to `/var/www/acme2certifier/`
 
 ```bash
-$ sudo mkdir /var/www/acme2certifier/examples
-$ sudo cp -R examples/ca_handler/ /var/www/acme2certifier/examples/ca_handler
-$ sudo cp -R examples/eab_handler/ /var/www/acme2certifier/examples/eab_handler
-$ sudo cp -R examples/hooks/ /var/www/acme2certifier/examples/hooks
-$ sudo cp -R examples/acme_srv.cfg /var/www/acme2certifier/examples/
-$ sudo cp -R tools/ /var/www/acme2certifier/tools
+sudo mkdir /var/www/acme2certifier/examples
+sudo cp -R examples/ca_handler/ /var/www/acme2certifier/examples/ca_handler
+sudo cp -R examples/eab_handler/ /var/www/acme2certifier/examples/eab_handler
+sudo cp -R examples/hooks/ /var/www/acme2certifier/examples/hooks
+sudo cp -R examples/acme_srv.cfg /var/www/acme2certifier/examples/
+sudo cp -R tools/ /var/www/acme2certifier/tools
 ```
 
 11. create a directory `/var/www/acme2certifier/acme_srv`
 12. copy the content of the `acme_srv` directory to `/var/www/acme2certifier/acme_srv`
 
 ```bash
-$ sudo cp -R acme_srv/ /var/www/acme2certifier/acme_srv
+sudo cp -R acme_srv/ /var/www/acme2certifier/acme_srv
 ```
 
 13. create a configuration file `acme_srv.cfg` in /var/www/acme2certfier/acme or use the example stored in the examples directory
@@ -68,26 +72,26 @@ $ sudo cp -R acme_srv/ /var/www/acme2certifier/acme_srv
 17. activate the wsgi database handler
 
 ```bash
-$ sudo cp /var/www/acme2certifier/examples/db_handler/wsgi_handler.py /var/www/acme_srv/acme2certfier/db_handler.py
+sudo cp /var/www/acme2certifier/examples/db_handler/wsgi_handler.py /var/www/acme_srv/acme2certfier/db_handler.py
 ```
 
 18. ensure that the all files and directories under /var/www/acme2certifier are owned by the user running the webserver (www-data is just an example!)
 
 ```bash
-$ sudo chown -R www-data.www-data /var/www/acme2certifier/
+sudo chown -R www-data.www-data /var/www/acme2certifier/
 ```
 
 19. set correct permissions to acme subdirectory
 
 ```bash
-$ sudo chmod a+x /var/www/acme2certifier/acme_srv
+sudo chmod a+x /var/www/acme2certifier/acme_srv
 ```
 
 20. delete default apache configuration file and restart the apache2 service
 
 ```bash
-$ sudo rm /etc/apache2/sites-enabled/000-default.conf
-$ sudo systemctl reload apache2
+sudo rm /etc/apache2/sites-enabled/000-default.conf
+sudo systemctl reload apache2
 ```
 
 21. Check access to the directory resource to verify that everything works so far
diff --git a/docs/install_deb.md b/docs/install_deb.md
index 271d8d70..ec8a2e28 100644
--- a/docs/install_deb.md
+++ b/docs/install_deb.md
@@ -10,22 +10,22 @@ The debian package is generic and supports running acme2certifier with either ap
 2. Install acme2certifier and apache2 packages
 
 ```bash
-$ sudo apt-get install -y apache2  apache2-data  libapache2-mod-wsgi-py3
-$ sudo apt-get install -y ../acme2certifier_<version>-1_all.deb
+sudo apt-get install -y apache2  apache2-data  libapache2-mod-wsgi-py3
+sudo apt-get install -y ../acme2certifier_<version>-1_all.deb
 ```
 
 3. Copy and activete apache2 configuration file
 
 ```bash
-$ sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf
-$ sudo a2ensite acme2certifier
+sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf
+sudo a2ensite acme2certifier
 ```
 
 4. Copy and activate apache2 ssl configuration file (optional)
 
 ```bash
-$ sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf
-$ sudo a2ensite acme2certifier_ssl
+sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf
+sudo a2ensite acme2certifier_ssl
 ```
 
 5. Create a configuration file `acme_srv.cfg` in `/var/www/acme2certifier/acme_srv/` or use the example stored in the examples directory
@@ -35,14 +35,14 @@ $ sudo a2ensite acme2certifier_ssl
 8. Enable and start the apache2 service
 
 ```bash
-$ systemctl enable apache2.service
-$ systemctl start apache2.service
+sudo systemctl enable apache2.service
+sudo systemctl start apache2.service
 ```
 
 9. Test the server by accessing the directory resource
 
 ```bash
-$ curl http://<your server name>/directory
+curl http://<your server name>/directory
 {"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"}
 ```
 
@@ -54,32 +54,32 @@ $ curl http://<your server name>/directory
 2. Install acme2certifier and nginx packages
 
 ```bash
-$ sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3
-$ sudo apt-get install -y ../acme2certifier_<version>-1_all.deb
+sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3
+sudo apt-get install -y ../acme2certifier_<version>-1_all.deb
 ```
 
 3. Adapt the nginx configuration file to Ubuntu 22.04 and activate the configuration
 
 ```bash
-$ sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf
-$ sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
-$ sudo rm /etc/nginx/sites-enabled/default
-$ sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
+sudo sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf
+sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
+sudo rm /etc/nginx/sites-enabled/default
+sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
 ```
 
 4. Adapt and copy uwsgi configuration files
 
 ```bash
-$ sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini
-$ sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini
-$ echo "plugins=python3" >> examples/nginx/acme2certifier.ini
-$ sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier
+sudo sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini
+sudo sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini
+sudo echo "plugins=python3" >> examples/nginx/acme2certifier.ini
+sudo sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier
 ```
 
 5. Create acme2certifier systemd service file
 
 ```bash
-cat <<EOT > acme2certifier.service
+sudo cat <<EOT > acme2certifier.service
 [Unit]
 Description=uWSGI instance to serve acme2certifier
 After=network.target
@@ -99,27 +99,27 @@ EOT
 6. Copy systemd service file
 
 ```bash
-$ sudo mv acme2certifier.service /etc/systemd/system/acme2certifier.service
+sudo mv acme2certifier.service /etc/systemd/system/acme2certifier.service
 ```
 
 7. Enable and start acme2certifier service
 
 ```bash
-$ sudo systemctl start acme2certifier
-$ sudo systemctl enable acme2certifier
+sudo systemctl start acme2certifier
+sudo systemctl enable acme2certifier
 ```
 
 8. Enable and start nginx
 
 ```bash
-$ sudo systemctl start nginx
-$ sudo systemctl enable nginx
+sudo systemctl start nginx
+sudo systemctl enable nginx
 ```
 
 9. Test the server by accessing the directory resource
 
 ```bash
-$ curl http://<your server name>/directory
+curl http://<your server name>/directory
 {"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"}
 ```
 
diff --git a/docs/install_nginx_wsgi.md b/docs/install_nginx_wsgi.md
index 6c52c6a6..4391cb7e 100644
--- a/docs/install_nginx_wsgi.md
+++ b/docs/install_nginx_wsgi.md
@@ -9,30 +9,30 @@ A [readymade shell script](../examples/install_scripts/a2c-centos9-nginx.sh) per
 1. download the archive and unpack it into a temporary directory.
 
 ```bash
-$ cd /tmp
-$ curl https://codeload.github.com/grindsa/acme2certifier/tar.gz/refs/heads/master -o a2c-master.tgz
-$ tar xvfz a2c-master.tgz
-$ cd /tmp/acme2certifier-master
+cd /tmp
+curl https://codeload.github.com/grindsa/acme2certifier/tar.gz/refs/heads/master -o a2c-master.tgz
+tar xvfz a2c-master.tgz
+cd /tmp/acme2certifier-master
 ```
 
 2. Install missing packages
 
 ```bash
-$ sudo yum install -y epel-release
-$ sudo yum update -y
-$ sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils
+sudo yum install -y epel-release
+sudo yum update -y
+sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils
 ```
 
 3. Setup your project directory
 
 ```bash
-$ mkdir /opt/acme2certifier
+sudo mkdir /opt/acme2certifier
 ```
 
 4. Install the missing python modules
 
 ```bash
-$ pip install -r /opt/acme2certifier/requirements.txt
+sudo pip install -r /opt/acme2certifier/requirements.txt
 ```
 
 5. create a configuration file `acme_srv.cfg` in `/opt/acme2certifier/acme_srv/` or use the example stored in the examples directory
@@ -42,91 +42,91 @@ $ pip install -r /opt/acme2certifier/requirements.txt
 9. activate the wsgi database handler
 
 ```bash
-$ cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme_srv/db_handler.py
+sudo cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme_srv/db_handler.py
 ```
 
 10. copy the application file "acme2certifer_wsgi.py" from examples directory
 
 ```bash
-$ cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/
+sudo cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/
 ```
 
 11. set the correct permissions to the acme_srv-subdirectory
 
 ```bash
-$ chmod a+x /opt/acme2certifier/acme_srv
+sudo chmod a+x /opt/acme2certifier/acme_srv
 ```
 
 12. set the ownership of the acme_srv subdirectory to the user running nginx
 
 ```bash
-$ chown -R nginx /opt/acme2certifier/acme_srv
+sudo chown -R nginx /opt/acme2certifier/acme_srv
 ```
 
 13. Test acme2certifier by starting the application
 
 ```bash
 cd /opt/acme2certifier
-$ uwsgi --http-socket :8000 --plugin python3 --wsgi-file acme2certifier_wsgi.py
+sudo uwsgi --http-socket :8000 --plugin python3 --wsgi-file acme2certifier_wsgi.py
 
 ```
 
 14. Check access to directory resource in a parallel session to verify that everything works so far
 
 ```bash
-$ curl http://127.0.0.1:8000/directory
+curl http://127.0.0.1:8000/directory
 {"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"}$
 ```
 
 15. create an uWSGI config file or use the one stored in examples/nginx directory
 
 ```bash
-$ cp examples/nginx/acme2certifier.ini /opt/acme2certifier
+sudo cp examples/nginx/acme2certifier.ini /opt/acme2certifier
 ```
 
 16. activate python3 module in uWSGI config file
 
 ```bash
-$ echo "plugins = python3" >> examples/nginx/acme2certifier.ini
+sudo echo "plugins = python3" >> examples/nginx/acme2certifier.ini
 ```
 
 17. Create a Systemd Unit File for uWSGI or use the one stored in excample/nginx directory
 
 ```bash
-$ cp examples/nginx/uwsgi.service /etc/systemd/system/
-$ systemctl enable uwsgi.service
+sudo cp examples/nginx/uwsgi.service /etc/systemd/system/
+sudo systemctl enable uwsgi.service
 ```
 
 18. start uWSGI as service
 
 ```bash
-$ systemctl start uwsgi
+sudo systemctl start uwsgi
 ```
 
 19. configure NGINX as reverse proxy or use example stored in examples/nginx directory and modify it according to your needs
 
 ```bash
-$ cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf
+sudo cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf
 ```
 
 20. restart nginx
 
 ```bash
-$ systemctl restart nginx
+sudo systemctl restart nginx
 ```
 
 21. adapt SELinux configuration by applying a customized policy allowing nginx to communicate with uwsgi by using Unix sockets
 
 ```bash
-$ sudo checkmodule -M -m -o acme2certifier.mod examples/nginx/acme2certifier.te
-$ sudo semodule_package -o acme2certifier.pp -m acme2certifier.mod
-$ sudo semodule -i acme2certifier.pp
+sudo checkmodule -M -m -o acme2certifier.mod examples/nginx/acme2certifier.te
+sudo semodule_package -o acme2certifier.pp -m acme2certifier.mod
+sudo semodule -i acme2certifier.pp
 ```
 
 20. test the server by accessing the directory resource
 
 ```bash
-$ curl http://<your server name>/directory
+curl http://<your server name>/directory
 ```
 
 The above command should result in an error as the Selinx configuration needs to be adapted.
diff --git a/docs/install_nginx_wsgi_ub22.md b/docs/install_nginx_wsgi_ub22.md
index 2712e9a6..4edd2383 100644
--- a/docs/install_nginx_wsgi_ub22.md
+++ b/docs/install_nginx_wsgi_ub22.md
@@ -7,7 +7,7 @@ A [readymade shell script](../examples/install_scripts/a2c-ubuntu22-nginx.sh) pe
 1. Install nginx and the corresponding wsgi module
 
 ```bash
-$ sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 curl
+sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 curl krb5-user libgssapi-krb5-2 libkrb5-3 python3-gssapi
 ```
 
 2. download the acme2certifier from [Github](https://github.com/grindsa/acme2certifier/archive/refs/heads/master.tar.gz) and unpack it.
@@ -15,29 +15,29 @@ $ sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 curl
 3. install the missing python modules via pip
 
 ```bash
-$ sudo pip3 install -r requirements.txt
+sudo pip3 install -r requirements.txt
 ```
 
 4. Copy files and directories you need to run acme2certifier
 
 ```bash
-$ sudo cp examples/acme2certifier_wsgi.py /var/www/acme2certifier/acme2certifier_wsgi.py
-$ sudo cp -R examples/ca_handler/ /var/www/acme2certifier/examples/ca_handler
-$ sudo cp -R examples/eab_handler/ /var/www/acme2certifier/examples/eab_handler
-$ sudo cp -R examples/hooks/ /var/www/acme2certifier/examples/hooks
-$ sudo cp -R examples/nginx/ /var/www/acme2certifier/examples/nginx
-$ sudo cp examples/acme_srv.cfg /var/www/acme2certifier/examples/
-$ sudo cp -R acme_srv/ /var/www/acme2certifier/acme_srv
-$ sudo cp -R tools/ /var/www/acme2certifier/tools
-$ sudo cp examples/db_handler/wsgi_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
+sudo cp examples/acme2certifier_wsgi.py /var/www/acme2certifier/acme2certifier_wsgi.py
+sudo cp -R examples/ca_handler/ /var/www/acme2certifier/examples/ca_handler
+sudo cp -R examples/eab_handler/ /var/www/acme2certifier/examples/eab_handler
+sudo cp -R examples/hooks/ /var/www/acme2certifier/examples/hooks
+sudo cp -R examples/nginx/ /var/www/acme2certifier/examples/nginx
+sudo cp examples/acme_srv.cfg /var/www/acme2certifier/examples/
+sudo cp -R acme_srv/ /var/www/acme2certifier/acme_srv
+sudo cp -R tools/ /var/www/acme2certifier/tools
+sudo cp examples/db_handler/wsgi_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
 ```
 
 5. Adapt the nginx configuration file (uwsgi socket file is located in `/var/www/acme2certifier`) and activate the configuration
 
 ```bash
-$ sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf
-$ sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
-$ sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
+sudo sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf
+sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
+sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
 ```
 
 6. A adapt the uwsgi configuration file in place it in `/var/www/acme2certifier`:
@@ -46,10 +46,10 @@ $ sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/a
     - uwsgi plugin for python3 must be activated
 
 ```bash
-$ sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini
-$ sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini
-$ echo "plugins=python3" >> examples/nginx/acme2certifier.ini
-$ sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier
+sudo sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini
+sudo sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini
+sudo echo "plugins=python3" >> examples/nginx/acme2certifier.ini
+sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier
 ```
 
 7. Pick the correct ca handler from `the examples/ca_handler` directory and copy it to `/var/www/acme2certifier/acme_srv/ca_handler.py`
@@ -58,13 +58,13 @@ $ sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier
 9. ensure that the all files and directories under /var/www/acme2certifier are owned by the user running the webserver (www-data is just an example!)
 
 ```bash
-$ sudo chown -R www-data.www-data /var/www/acme2certifier/
+sudo chown -R www-data.www-data /var/www/acme2certifier/
 ```
 
 10. set correct permissions to acme subdirectory
 
 ```bash
-$ sudo chmod a+x /var/www/acme2certifier/acme_srv
+sudo chmod a+x /var/www/acme2certifier/acme_srv
 ```
 
 11. Create acme2certifier uwsgi service and place it under `/etc/systemd/system/`
@@ -86,26 +86,26 @@ ExecStart=uwsgi --ini acme2certifier.ini
 WantedBy=multi-user.target
 EOT
 
-$ sudo cp  acme2certifier.service /etc/systemd/system/acme2certifier.service
+sudo cp  acme2certifier.service /etc/systemd/system/acme2certifier.service
 ```
 
 12. Start and activate the acme2certifier service
 
 ```bash
-$ sudo systemctl start acme2certifier
-$ sudo systemctl enable acme2certifier
+sudo systemctl start acme2certifier
+sudo systemctl enable acme2certifier
 ```
 
 13. Restart nginx
 
 ```bash
-$ sudo systemctl restart nginx
+sudo systemctl restart nginx
 ```
 
 14. Check access to the directory resource to verify that nginx and uwsgi services are up and running
 
 ```bash
-$ curl http://127.0.0.1/directory
+curl http://127.0.0.1/directory
 {"newAccount": "http://127.0.0.1/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1/acme_srv/key-change", "newNonce": "http://127.0.0.1/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>"}, "newOrder": "http://127.0.0.1/acme_srv/neworders", "revokeCert": "http://127.0.0.1/acme_srv/revokecert"}
 ```
 
diff --git a/docs/install_rpm.md b/docs/install_rpm.md
index 3af460b6..5443d77d 100644
--- a/docs/install_rpm.md
+++ b/docs/install_rpm.md
@@ -1,5 +1,5 @@
 <!-- markdownlint-disable  MD013 MD014 MD029 -->
-<!-- wiki-title RPM installation on Alma Linux 9 -->
+<!-- wiki-title RPM installation on alma Linux 9 -->
 # RPM installation on AlmaLinux/Redhat EL/CentOS Stream 9
 
 1. Download the latest [RPM package](https://github.com/grindsa/acme2certifier/releases).
@@ -7,26 +7,45 @@
 2. Install "Extra Packages for Enterprise Linux (EPEL)"
 
 ```bash
-$ sudo yum install -y epel-release
-$ sudo yum update -y
+sudo yum install -y epel-release
+sudo yum update -y
 ```
 
 3. Install the RPM packages
 
 ```bash
-$ sudo yum -y localinstall /tmp/acme2certifier/acme2certifier-0.23.1-1.0.noarch.rpm
+sudo yum -y localinstall /tmp/acme2certifier/acme2certifier-0.23.1-1.0.noarch.rpm
 ```
 
+In case you install on Redhat 8.x you need to upgrade following packages
+
+- [python3-cryptography](https://cryptography.io/en/latest/) to version 36.0.1 or higher
+- [python3-dns](https://www.dnspython.org/) to version 2.1 or higher.
+- [python3-jwcrypto package](https://jwcrypto.readthedocs.io/en/latest/) to version 0.8 or higher.
+
+Backports of these packages being part of RHEL9 can be found in the [the a2c rpm repository](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8)
+
+- [python3-cryptography-36.0.1-4.el8.x86_64.rpm](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-cryptography-36.0.1-4.el8.x86_64.rpm)
+- [python3-dns-2.1.0-6.el8.noarch.rpm](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-dns-2.1.0-6.el8.noarch.rpm)
+- [python3-jwcrypto-0.8-4.el8.noarch.rpm](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-jwcrypto-0.8-4.el8.noarch.rpm)
+
+Depending on your ca_handler you may need additional modules:
+
+- [python3-impacket-0.11.0-1.el8.noarch.rpm](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-impacket-0.11.0-2grindsa.el8.noarch.rpm) when using [MS wcce handler](https://github.com/grindsa/acme2certifier/blob/master/docs/mswcce.md)
+- [python3-ntlm-auth-1.5.0-2.el8.noarch.rpm](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-ntlm-auth-1.5.0-2.el8.noarch.rpm) when using [MS wse handler](https://github.com/grindsa/acme2certifier/blob/master/docs/mscertsrv.md)
+- [python3-requests_ntlm-1.1.0-14.el8.noarch.rpm](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-requests_ntlm-1.1.0-14.el8.noarch.rpm) when using [MS wse handler](https://github.com/grindsa/acme2certifier/blob/master/docs/mscertsrv.md)
+- [python3-requests-pkcs12-1.16-1.el8.noarch.rpm](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-requests-pkcs12-1.16-1.el8.noarch.rpm) when using [EST](https://github.com/grindsa/acme2certifier/blob/master/docs/est.md) or [EJBCA](https://github.com/grindsa/acme2certifier/blob/master/docs/ejbca.md) handler
+
 4. Copy NGINX configuration file
 
 ```bash
-$ cp /opt/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d
+cp /opt/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d
 ```
 
 5. Copy NGINX ssl configuration file (optional)
 
 ```bash
-$ cp /opt/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.d
+cp /opt/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.d
 ```
 
 5. Create a configuration file `acme_srv.cfg` in `/opt/acme2certifier/acme_srv/` or use the example stored in the examples directory
@@ -35,15 +54,15 @@ $ cp /opt/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.
 8. Enable and start the acme2certifier service
 
 ```bash
-$ systemctl enable acme2certifier.service
-$ systemctl start acme2certifier.service
+sudo systemctl enable acme2certifier.service
+sudo systemctl start acme2certifier.service
 ```
 
 9. Enable and start the nginx service
 
 ```bash
-$ systemctl enable nginx.service
-$ systemctl start nginx.service
+sudo systemctl enable nginx.service
+sudo systemctl start nginx.service
 ```
 
 10. Test the server by accessing the directory resource
diff --git a/docs/mscertsrv.md b/docs/mscertsrv.md
index cfb14315..c5566ca8 100644
--- a/docs/mscertsrv.md
+++ b/docs/mscertsrv.md
@@ -2,11 +2,11 @@
 <!-- wiki-title CA handler for Microsoft Certification Authority Web Enrollment Service -->
 # CA handler for Microsoft Certification Authority Web Enrollment Service
 
-This CA handler uses Microsofts [Certification Authority Web Enrollment service](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v=ws.11)) for certificate enrollment and the python library [magnuswatn](https://github.com/magnuswatn/)/[certsrv](https://github.com/magnuswatn/certsrv) for communication with the enrollment service.
+This CA handler uses Microsofts [Certification Authority Web Enrollment service](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v=ws.11)) for certificate enrollment and modified version of the python library [magnuswatn](https://github.com/magnuswatn/)/[certsrv](https://github.com/magnuswatn/certsrv) for communication with the enrollment service.
 
 When using the handler please be aware of the following limitations:
 
-- Authentication towards Web Enrollment Service is limited to "basic" or "ntlm". There is currently no support for ClientAuth
+- Authentication towards Web Enrollment Service is limited to "basic" "ntlm" or "gssapi" Kkerberos). There is currently no support for ClientAuth
 - Communication is limited to https
 - Revocation operations are not supported
 
@@ -16,6 +16,7 @@ When using the handler please be aware of the following limitations:
 2. You need to have a set of credentials with permissions to access the service and enrollment templates
 3. Authentication method (basic or ntlm) to the service must be configured correctly.
 4. (optional): In case you are installing from RPM and plan to use ntlm as authentication scheme you need two additonal python modules [python3-request-ntlm](https://pypi.org/project/requests_ntlm/) and [python3-ntlm-auth](https://pypi.org/project/ntlm-auth/) which are neither part of Standard nor the EPEL repo. If you have no clue from where to get these packaages feel free to use the ones being part of [the a2c github repository](https://github.com/grindsa/sbom/tree/main/rpm-repo/RPMs)
+5. (optional): In case you are installing from RPM and plan to use gssapi as authentication scheme you need two additonal python modules [python3-request-gssapi](https://pypi.org/project/requests-gssapi/) and [gssapi](https://pypi.org/project/gssapi/). If you have no clue from where to get these packaages feel free to use the ones being part of [the a2c github repository](https://github.com/grindsa/sbom/tree/main/rpm-repo/RPMs)
 
 It is helpful to verify the service access before starting the configuration of acme2certifier
 
@@ -31,6 +32,14 @@ root@rlh:~# curl -I --ntlm --user <user>:<password> -k https://<host>/certsrv/
 root@rlh:~# curl -I --user <user>:<password> -k https://<host>/certsrv/
 ```
 
+- service access by using gssapi authentication
+
+```bash
+root@rlh:~# export KRB5_CONFIG=<path>/krb5.conf
+root@rlh:~# kinit <username>
+root@rlh:~# curl --negotiate -u: <user>:<password> -k https://<host>/certsrv/
+```
+
 Access to the service is possible if you see the status code 200 returned as part of the response
 
 ```bash
@@ -69,6 +78,9 @@ password: <password>
 ca_bundle: <filename>
 auth_method: <basic|ntlm>
 template: <name>
+allowed_domainlist: ["example.com", "*.example2.com"]
+krb5_config: <path_to_individual>/krb5.conf
+eab_profiling: False
 ```
 
 - host - hostname of the system providing the Web enrollment service
@@ -78,5 +90,77 @@ template: <name>
 - password - password
 - password_variable - *optional* - name of the environment variable containing the password used for service access (a configured `password` parameter in acme_srv.cfg takes precedence)
 - ca_bundle - CA certificate bundle in pem format needed to validate the server certificate
-- auth_method - authentication method (either "basic" or "ntlm")
+- auth_method - authentication method (either "basic", "ntlm" or "gssapi")
+- krb5_config - *optional* - path to individual krb5.conf
 - template - certificate template used for enrollment
+- allowed_domainlist - *optional* - list of domain-names allowed for enrollment in json format example: ["bar.local$, bar.foo.local]
+- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False)
+
+## Passing a template from client to server
+
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a template name to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+
+```config
+[Order]
+...
+header_info_list: ["HTTP_USER_AGENT"]
+```
+
+The acme-client can then specify the temmplate name as part of its user-agent string.
+
+Example for acme.sh:
+
+```bash
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent template=foo --debug 3 --output-insecure
+```
+
+Example for lego:
+
+```bash
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent template=foo -d <fqdn> --http run
+```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: <profile_file>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "template": ["WebServerModified", "WebServer"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.local"],
+      "unknown_key": "unknown_value"
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "template": "WebServerModified",
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.local"],
+      "unknown_key": "unknown_value"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
+```
diff --git a/docs/mswcce.md b/docs/mswcce.md
index 42c4df21..5483001d 100644
--- a/docs/mswcce.md
+++ b/docs/mswcce.md
@@ -16,14 +16,42 @@ When using the handler please be aware of the following limitations:
 3. (optional): In case you are installing from RPM or DEB and plan to use kerberos authentication you need an updated [impacket modules of version 0.11 or higher](https://github.com/fortra/impacket) as older versions have issues with the handling of utf8-encoded passwords. If you have no clue from where to get these packaages feel free to use the one being part of [the a2c github repository](https://github.com/grindsa/sbom/tree/main/rpm-repo/RPMs)
 4. You need to have a set of credentials with permissions to access the service and enrollment templates
 
-## Installation
+## Local Installation
 
-- install the [impacket](https://github.com/SecureAuthCorp/impacket) via pip (the module is already part of the docker images)
+- install the [impacket](https://github.com/fortra/impacket) module
+
+*IMPORTANT*:
+
+Some malware scanners like Microsoft Defender classify the impacket module as hacking-tool (see [forta/impacket#1762](https://github.com/fortra/impacket/issues/1762) or [forta/impacket#1271](https://github.com/fortra/impacket/issues/1271#issuecomment-1058729047)). Main reason for the alarms are not the library itself but rather the example script coming along with it.  To avoid hazzle with your CSIRT team I suggest to install a strip-down version of impacket which which do not contain the scripts flagged by the scanners. Packages for [RH8](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-impacket-0.11.0-2grindsa.el8.noarch.rpm) and [RH9](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel9/python3-impacket-0.11.0-2grindsa.el9.noarch.rpm) can be found in my [SBOM repo](https://github.com/grindsa/sbom/tree/main/rpm-repo)
+
+In case you install impacket from pip or form sources I suggest to:
+
+- download the impacket package:
+
+```bash
+pip3 download impacket --no-deps
+```
+
+- unpack the archive
+
+```bash
+ tar xvfz impacket-0.11.0.tar.gz
+```
+
+- delete all files and subdirectories in `examples` sub-directory
+
+```bash
+rm -rf impacket-0.11.0/examples/*
+```
+
+- install the package
 
 ```bash
-root@rlh:~# pip install impacket
+python3 setup.py install
 ```
 
+## Configuration
+
 - modify the server configuration (acme_srv/acme_srv.cfg) and add the following parameters
 
 ```config
@@ -37,7 +65,10 @@ domain_controller: <ip address of domain controller>
 ca_name: <ca name>
 ca_bundle: <filename>
 template: <template name>
+timeout: 5
 use_kerberos: False
+allowed_domainlist: ["example.com", "*.example2.com"]
+eab_profiling: False
 ```
 
 - host - hostname of the system providing the enrollment service
@@ -48,7 +79,80 @@ use_kerberos: False
 - password_variable - *optional* - name of the environment variable containing the password used for service access (a configured `password` parameter in acme_srv.cfg takes precedence)
 - target_domain - *optional* - ads domain name
 - domain_controller - *optional* - IP Address of the domain controller / dns server.
-- ca_name: - certificate authority name
+- dns_server - *optional* - IP Address of dns server.
+- ca_name - certificate authority name
 - ca_bundle - CA certificate chain in pem format delievered along with the client certificate
 - template - certificate template used for enrollment
+- timeout - *optional* - enrollment timeout (default: 5)
 - use_kerberos - use kerboros for authentication; if set to `False` authentication will be done via NTLM. Considering a [Microsoft accouncement from October 2023](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848) the usage of Kerberos should be preferred. Nevertheless, for backwards compatibility reasons the default setting is `False`
+- allowed_domainlist - *optional* - list of domain-names allowed for enrollment in json format example: ["bar.local$, bar.foo.local]
+- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False)
+
+## Passing a template from client to server
+
+The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a template name to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below
+
+```config
+[Order]
+...
+header_info_list: ["HTTP_USER_AGENT"]
+```
+
+The acme-client can then specify the temmplate name as part of its user-agent string.
+
+Example for acme.sh:
+
+```bash
+docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent template=foo --debug 3 --output-insecure
+```
+
+Example for lego:
+
+```bash
+docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "lego@example.com" --user-agent template=foo -d <fqdn> --http run
+```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: <profile_file>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "template": ["WebServerModified", "WebServer"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "unknown_key": "unknown_value"
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "template": "WebServerModified",
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "unknown_key": "unknown_value"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
+```
diff --git a/docs/nclm.md b/docs/nclm.md
index 54dbffe8..bdcc49ed 100644
--- a/docs/nclm.md
+++ b/docs/nclm.md
@@ -4,7 +4,8 @@
 
 ## Pre-requisites
 
-- NCLM 19.0.0 or higher needs to be up and running
+- NCLM 24.2.0 or higher needs to be up and running
+- the external REST-API needs to be enabled
 - username and password to access NCLM via REST-Service
 - is a container created in NCLM which can be used to store the certificates
 
diff --git a/docs/upgrading.md b/docs/upgrading.md
index 7c7a5d6a..7da11da5 100644
--- a/docs/upgrading.md
+++ b/docs/upgrading.md
@@ -22,7 +22,6 @@ root@rlh:~# pip install django-rename-app
  ```cfg
  INSTALLED_APPS = [
      ...
-     'django_rename_app',
      'acme_srv'
      ...
  ]
diff --git a/docs/xca.md b/docs/xca.md
index 9728f6f3..37bb121e 100644
--- a/docs/xca.md
+++ b/docs/xca.md
@@ -41,6 +41,7 @@ template_name: XCA template to be applied to CSRs
 - `passphrase` - *optional* - passphrase to access the database and decrypt the private CA Key
 - `ca_cert_chain_list` - *optional* - List of root and intermediate CA certificates to be added to the bundle return to an ACME-client (the issuing CA cert must not be included)
 - `template_name` - *optional* - name of the XCA template to be applied during certificate issuance
+- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False)
 
 Template support has been introduced starting from v0.13. Support is limited to the below parameters which can be applied during certificate issuance:
 
@@ -56,4 +57,50 @@ Template support has been introduced starting from v0.13. Support is limited to
   - S: StateOrProvinceName
   - C: CountryName
 
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file: <profile_file>
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "template_name": ["template", "acme"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "unknown_key": "unknown_value"
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "template_name": "template",
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
+      "issuing_ca_name": "root-ca",
+      "issuing_ca_key": "root-ca"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
+```
+
 Enjoy enrolling and revoking certificates...
diff --git a/examples/Docker/almalinux-systemd/Dockerfile b/examples/Docker/almalinux-systemd/Dockerfile
index 9cdd452b..d263a374 100644
--- a/examples/Docker/almalinux-systemd/Dockerfile
+++ b/examples/Docker/almalinux-systemd/Dockerfile
@@ -1,15 +1,15 @@
 FROM almalinux:9
 ENV container docker
 
-RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in ; do [ "$i" == systemd-tmpfiles-setup.service ] || rm -f "$i"; done);
+WORKDIR /lib/systemd/system/sysinit.target.wants/
+RUN for i in ; do [ "$i" == systemd-tmpfiles-setup.service ] || rm -f "$i"; done && \
+    rm -rf /lib/systemd/system/multi-user.target.wants/ && \
+    rm -rf /etc/systemd/system/.wants/ && \
+    rm -rf /lib/systemd/system/local-fs.target.wants/ && \
+    rm -f /lib/systemd/system/sockets.target.wants/udev && \
+    rm -f /lib/systemd/system/sockets.target.wants/initctl && \
+    rm -rf /lib/systemd/system/basic.target.wants/ && \
+    rm -f /lib/systemd/system/anaconda.target.wants/*
 
-RUN rm -rf /lib/systemd/system/multi-user.target.wants/ \
-&& rm -rf /etc/systemd/system/.wants/ \
-&& rm -rf /lib/systemd/system/local-fs.target.wants/ \
-&& rm -f /lib/systemd/system/sockets.target.wants/udev \
-&& rm -f /lib/systemd/system/sockets.target.wants/initctl \
-&& rm -rf /lib/systemd/system/basic.target.wants/ \
-&& rm -f /lib/systemd/system/anaconda.target.wants/*
-
-VOLUME [ “/sys/fs/cgroup” ]
+# VOLUME [ “/sys/fs/cgroup” ]
 CMD ["/usr/sbin/init"]
diff --git a/examples/Docker/almalinux-systemd/django_tester.sh b/examples/Docker/almalinux-systemd/django_tester.sh
index 05819539..36e0b3ee 100644
--- a/examples/Docker/almalinux-systemd/django_tester.sh
+++ b/examples/Docker/almalinux-systemd/django_tester.sh
@@ -4,8 +4,16 @@ case "$1" in
 
   "restart")
     echo "update configuration and restart service"
-    yes | cp /tmp/acme2certifier/acme_srv.cfg /opt/acme2certifier/acme_srv
-    yes | cp -R /tmp/acme2certifier/acme_ca/* /opt/acme2certifier/volume/acme_ca/
+    yes | cp /tmp/acme2certifier/volume/acme_srv.cfg /opt/acme2certifier/acme_srv
+    #if [ -d /tmp/acme2certifier/acme_ca ]; then
+    #  yes | cp -R /tmp/acme2certifier/acme_ca/* /opt/acme2certifier/volume/acme_ca/
+    #fi
+    if [ -d /tmp/acme2certifier/volume ]
+      then
+      echo "copying volume"
+      mkdir -p /opt/acme2certifier/volume
+      yes | cp -R /tmp/acme2certifier/volume/* /opt/acme2certifier/volume/
+    fi
     systemctl restart acme2certifier.service
     systemctl restart nginx.service
     ;;
@@ -18,7 +26,7 @@ case "$1" in
 
     yum -y install epel-release
     yum -y localinstall /tmp/acme2certifier/*.rpm
-    yum -y install python3-PyMySQL python3-psycopg2 python3-pyyaml python3-mysqlclient
+    yum -y install python3-PyMySQL python3-sqlparse python3-psycopg2 python3-pyyaml python3-mysqlclient
 
     yes | cp /opt/acme2certifier/examples/db_handler/django_handler.py /opt/acme2certifier/acme_srv/db_handler.py
     yes | cp -R /opt/acme2certifier/examples/django/* /opt/acme2certifier/
@@ -43,6 +51,10 @@ case "$1" in
       yes | cp -R /tmp/acme2certifier/nginx/* /etc/nginx/
     fi
 
+    cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
+    head -n 37 /etc/nginx/nginx.conf.orig > /etc/nginx/nginx.conf
+    echo "}" >> /etc/nginx/nginx.conf
+
     cd /opt/acme2certifier
     python3 manage.py makemigrations
     python3 manage.py migrate
diff --git a/examples/Docker/almalinux-systemd/rpm_tester.sh b/examples/Docker/almalinux-systemd/rpm_tester.sh
index c4ef36f2..6e8b8c62 100644
--- a/examples/Docker/almalinux-systemd/rpm_tester.sh
+++ b/examples/Docker/almalinux-systemd/rpm_tester.sh
@@ -2,6 +2,12 @@
 
 case "$1" in
 
+  "update")
+    echo "update configuration only"
+    # yes | cp /tmp/acme2certifier/acme_srv.cfg /opt/acme2certifier/acme_srv
+    yes | cp -R /tmp/acme2certifier/acme_ca/* /opt/acme2certifier/volume/acme_ca/
+    ;;
+
   "restart")
     echo "update configuration and restart service"
     yes | cp /tmp/acme2certifier/acme_srv.cfg /opt/acme2certifier/acme_srv
@@ -19,6 +25,7 @@ case "$1" in
     yum -y install epel-release
     yum -y localinstall /tmp/acme2certifier/*.rpm
     cp /opt/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d
+    cp /opt/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.d
     mkdir -p /opt/acme2certifier/volume/
 
     yes | cp /tmp/acme2certifier/acme_srv.cfg /opt/acme2certifier/acme_srv
@@ -34,6 +41,10 @@ case "$1" in
       yes | cp -R /tmp/acme2certifier/nginx/* /etc/nginx/
     fi
 
+    cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
+    head -n 37 /etc/nginx/nginx.conf.orig > /etc/nginx/nginx.conf
+    echo "}" >> /etc/nginx/nginx.conf
+
     chown -R nginx.nginx /opt/acme2certifier/volume/
     ls -la /opt/acme2certifier/
     ls -la /opt/acme2certifier/volume
diff --git a/examples/Docker/apache2/django/Dockerfile b/examples/Docker/apache2/django/Dockerfile
index 2df89c5e..4159c0d2 100644
--- a/examples/Docker/apache2/django/Dockerfile
+++ b/examples/Docker/apache2/django/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 LABEL maintainer="grindelsack@gmail.com"
 
 ENV APACHE_RUN_USER www-data
@@ -7,16 +7,20 @@ ENV APACHE_LOG_DIR /var/log/apache2
 
 RUN apt-get update  && \
     DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends -y tzdata && \
-    apt-get install --no-install-recommends -y \
-    python3-pip \
+    DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
     apache2 \
     apache2-data \
-    libapache2-mod-wsgi-py3 \
     curl \
+    krb5-user \
+    libapache2-mod-wsgi-py3 \
+    libgssapi-krb5-2 \
+    libkrb5-3 \
     python3-django \
+    python3-gssapi \
     python3-mysqldb \
-    python3-pymysql \
+    python3-pip \
     python3-psycopg2 \
+    python3-pymysql \
     python3-yaml \
     && rm -rf /var/lib/apt/lists/* &&\
     mkdir -p /var/www/acme2certifier/volume && \
@@ -25,13 +29,24 @@ RUN apt-get update  && \
 COPY ./ /var/www/acme2certifier/
 
 # configure acme2certifier
-RUN pip3 install -r /var/www/acme2certifier/requirements.txt && pip3 install django_rename_app==0.1.3 && \
+RUN pip3 install impacket --break-system-packages && \
+    rm /usr/local/bin/*.py && \
+    rm -rf /usr/local/lib/python3.12/dist-packages/impacket/examples/* && \
+    pip3 install -r /var/www/acme2certifier/requirements.txt --break-system-packages && \
     cp /var/www/acme2certifier/examples/apache2/apache_django.conf /etc/apache2/sites-enabled/acme2certifier.conf && \
     cp -R /var/www/acme2certifier/examples/django/* /var/www/acme2certifier/  && \
     cp /var/www/acme2certifier/examples/db_handler/django_handler.py /var/www/acme2certifier/acme_srv/db_handler.py  && \
-    rm /var/www/acme2certifier/CHANGES.md /var/www/acme2certifier/README.md /var/www/acme2certifier/SECURITY.md /var/www/acme2certifier/setup.py /var/www/acme2certifier/requirements.txt && \
+    rm /var/www/acme2certifier/CHANGES.md && \
+    rm /var/www/acme2certifier/README.md && \
+    rm /var/www/acme2certifier/SECURITY.md && \
+    rm /var/www/acme2certifier/setup.py && \
+    rm /var/www/acme2certifier/requirements.txt && \
     cp /var/www/acme2certifier/examples/Docker/apache2/django/docker-entrypoint.sh /docker-entrypoint.sh && \
-    rm -rf /var/www/acme2certifier/examples/Docker /var/www/acme2certifier/examples/db_handler /var/www/acme2certifier/examples/nginx /var/www/acme2certifier/examples/acme_srv.db.example /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
+    rm -rf /var/www/acme2certifier/examples/Docker && \
+    rm -rf /var/www/acme2certifier/examples/db_handler && \
+    rm -rf /var/www/acme2certifier/examples/nginx && \
+    rm -rf /var/www/acme2certifier/examples/acme_srv.db.example && \
+    rm -rf /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
 	rm /var/www/acme2certifier/acme2certifier/settings.py && \
     chown -R www-data:www-data /var/www/acme2certifier/ && \
     sed -i "s/default = default_sect/\default = default_sect\nlegacy = legacy_sect/g" /etc/ssl/openssl.cnf && \
diff --git a/examples/Docker/apache2/django/docker-entrypoint.sh b/examples/Docker/apache2/django/docker-entrypoint.sh
index 0d5989d3..d3f9fa14 100644
--- a/examples/Docker/apache2/django/docker-entrypoint.sh
+++ b/examples/Docker/apache2/django/docker-entrypoint.sh
@@ -88,20 +88,17 @@ then
     ln -s /var/www/acme2certifier/volume/migrations /var/www/acme2certifier/acme_srv/
 fi
 
-# apply migrations or create a symlink for settings.py
+# create a symlink for settings.py
 if [ ! -L /var/www/acme2certifier/acme2certifier/settings.py ]
 then
     ln -s /var/www/acme2certifier/volume/settings.py /var/www/acme2certifier/acme2certifier/settings.py
 fi
 
-# check if we need to rename the app
-if !( grep "    'acme_srv'" /var/www/acme2certifier/volume/settings.py &> /dev/null)
+# check if we need to remove django_rename app
+if ( grep "    'django_rename_app'," /var/www/acme2certifier/volume/settings.py &> /dev/null)
 then
-    echo "rename django application" >> /proc/1/fd/1
-    sed -i "s/    'acme'/    'django_rename_app',\n    'acme_srv'/g" /var/www/acme2certifier/volume/settings.py
-    rm -rf /var/www/acme2certifier/volume/migrations/*
-    cp  -R /var/www/acme2certifier/examples/django/acme_srv/migrations /var/www/acme2certifier/volume/
-    python3 manage.py rename_app acme acme_srv
+    echo "remove django_rename application" >> /proc/1/fd/1
+    sed -i "/    'django_rename_app',/d" /var/www/acme2certifier/volume/settings.py
 fi
 
 echo "apply migrations"  >> /proc/1/fd/1
diff --git a/examples/Docker/apache2/wsgi/Dockerfile b/examples/Docker/apache2/wsgi/Dockerfile
index 657edce8..fa6eed5e 100644
--- a/examples/Docker/apache2/wsgi/Dockerfile
+++ b/examples/Docker/apache2/wsgi/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 LABEL maintainer="grindelsack@gmail.com"
 
 ENV APACHE_RUN_USER www-data
@@ -7,12 +7,16 @@ ENV APACHE_LOG_DIR /var/log/apache2
 
 RUN apt-get update  && \
     DEBIAN_FRONTEND="noninteractive" apt-get -y install --no-install-recommends tzdata && \
-    apt-get install --no-install-recommends -y \
-    python3-pip \
+    DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
     apache2 \
     apache2-data \
-    libapache2-mod-wsgi-py3 \
     curl \
+    krb5-user \
+    libapache2-mod-wsgi-py3 \
+    libgssapi-krb5-2 \
+    libkrb5-3 \
+    python3-gssapi \
+    python3-pip \
     && rm -rf /var/lib/apt/lists/* &&\
     mkdir -p /var/www/acme2certifier/volume && \
     mkdir -p /var/www/acme2certifier/examples /var/www/acme2certifier/examples/
@@ -20,13 +24,25 @@ RUN apt-get update  && \
 COPY ./ /var/www/acme2certifier/
 
 # configure acme2certifier
-RUN pip3 install -r /var/www/acme2certifier/requirements.txt  && \
+RUN pip3 install impacket --break-system-packages && \
+    rm /usr/local/bin/*.py && \
+    rm -rf /usr/local/lib/python3.12/dist-packages/impacket/examples/* && \
+    pip3 install -r /var/www/acme2certifier/requirements.txt --break-system-packages && \
     cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-enabled/acme2certifier.conf  && \
     cp /var/www/acme2certifier/examples/acme2certifier_wsgi.py /var/www/acme2certifier/acme2certifier_wsgi.py  && \
     cp /var/www/acme2certifier/examples/db_handler/wsgi_handler.py /var/www/acme2certifier/acme_srv/db_handler.py  && \
-    rm /var/www/acme2certifier/CHANGES.md /var/www/acme2certifier/README.md /var/www/acme2certifier/SECURITY.md /var/www/acme2certifier/setup.py /var/www/acme2certifier/requirements.txt && \
+    rm /var/www/acme2certifier/CHANGES.md && \
+    rm /var/www/acme2certifier/README.md && \
+    rm /var/www/acme2certifier/SECURITY.md && \
+    rm /var/www/acme2certifier/setup.py && \
+    rm /var/www/acme2certifier/requirements.txt && \
     cp /var/www/acme2certifier/examples/Docker/apache2/wsgi/docker-entrypoint.sh /docker-entrypoint.sh && \
-    rm -rf /var/www/acme2certifier/examples/Docker /var/www/acme2certifier/examples/django /var/www/acme2certifier/examples/db_handler /var/www/acme2certifier/examples/nginx /var/www/acme2certifier/examples/acme_srv.db.example /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
+    rm -rf /var/www/acme2certifier/examples/Docker && \
+    rm -rf /var/www/acme2certifier/examples/django && \
+    rm -rf /var/www/acme2certifier/examples/db_handler && \
+    rm -rf /var/www/acme2certifier/examples/nginx && \
+    rm -rf /var/www/acme2certifier/examples/acme_srv.db.example && \
+    rm -rf /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
     chown -R www-data:www-data /var/www/acme2certifier/ && \
     sed -i "s/default = default_sect/\default = default_sect\nlegacy = legacy_sect/g" /etc/ssl/openssl.cnf && \
     sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[legacy_sect\]\nactivate = 1/g" /etc/ssl/openssl.cnf && \
diff --git a/examples/Docker/nginx/django/Dockerfile b/examples/Docker/nginx/django/Dockerfile
index 727c0cf0..27f74e58 100644
--- a/examples/Docker/nginx/django/Dockerfile
+++ b/examples/Docker/nginx/django/Dockerfile
@@ -1,19 +1,23 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 LABEL maintainer="grindelsack@gmail.com"
 
 RUN apt-get update  && \
     DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends tzdata && \
-    apt-get install --no-install-recommends -y \
-    python3-pip \
-    nginx \
-    uwsgi \
-    uwsgi-plugin-python3 \
+    DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
     curl \
+    krb5-user \
+    libgssapi-krb5-2 \
+    libkrb5-3 \
+    nginx \
     python3-django \
+    python3-gssapi \
     python3-mysqldb \
-    python3-pymysql \
+    python3-pip \
     python3-psycopg2 \
+    python3-pymysql \
     python3-yaml \
+    uwsgi \
+    uwsgi-plugin-python3 \
     && rm -rf /var/lib/apt/lists/* &&\
     mkdir -p /var/www/acme2certifier/volume && \
     mkdir -p /var/www/acme2certifier/examples /var/www/acme2certifier/examples/ && \
@@ -21,7 +25,11 @@ RUN apt-get update  && \
 
 COPY ./ /var/www/acme2certifier/
 
-RUN pip3 install -r /var/www/acme2certifier/requirements.txt && pip3 install supervisor django_rename_app==0.1.3 && \
+RUN pip3 install impacket --break-system-packages && \
+    rm /usr/local/bin/*.py && \
+    rm -rf /usr/local/lib/python3.12/dist-packages/impacket/examples/* && \
+    pip3 install -r /var/www/acme2certifier/requirements.txt --break-system-packages && \
+    pip3 install supervisor --break-system-packages && \
     cp -R /var/www/acme2certifier/examples/django/* /var/www/acme2certifier/  && \
     cp /var/www/acme2certifier/examples/db_handler/django_handler.py /var/www/acme2certifier/acme_srv/db_handler.py  && \
 	cp /var/www/acme2certifier/examples/nginx/acme2certifier.ini /var/www/acme2certifier && \
@@ -35,8 +43,16 @@ RUN pip3 install -r /var/www/acme2certifier/requirements.txt && pip3 install sup
 	sed -i "s/default = default_sect/\default = default_sect\nlegacy = legacy_sect/g" /etc/ssl/openssl.cnf && \
     sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[legacy_sect\]\nactivate = 1/g" /etc/ssl/openssl.cnf && \
 	rm /etc/nginx/sites-enabled/default && \
-    rm /var/www/acme2certifier/CHANGES.md /var/www/acme2certifier/README.md /var/www/acme2certifier/SECURITY.md /var/www/acme2certifier/setup.py /var/www/acme2certifier/requirements.txt && \
-	rm -rf /var/www/acme2certifier/examples/Docker /var/www/acme2certifier/examples/db_handler /var/www/acme2certifier/examples/apache2 /var/www/acme2certifier/examples/acme_srv.db.example /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
+    rm /var/www/acme2certifier/CHANGES.md && \
+    rm /var/www/acme2certifier/README.md && \
+    rm /var/www/acme2certifier/SECURITY.md && \
+    rm /var/www/acme2certifier/setup.py && \
+    rm /var/www/acme2certifier/requirements.txt && \
+	rm -rf /var/www/acme2certifier/examples/Docker && \
+    rm -rf /var/www/acme2certifier/examples/db_handler && \
+    rm -rf /var/www/acme2certifier/examples/apache2 && \
+    rm -rf /var/www/acme2certifier/examples/acme_srv.db.example && \
+    rm -rf /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
 	rm /var/www/acme2certifier/acme2certifier/settings.py && \
 	chmod a+rx /docker-entrypoint.sh
 
diff --git a/examples/Docker/nginx/django/docker-entrypoint.sh b/examples/Docker/nginx/django/docker-entrypoint.sh
index 55615c07..1b700d5c 100644
--- a/examples/Docker/nginx/django/docker-entrypoint.sh
+++ b/examples/Docker/nginx/django/docker-entrypoint.sh
@@ -89,20 +89,17 @@ then
     ln -s /var/www/acme2certifier/volume/migrations /var/www/acme2certifier/acme_srv/
 fi
 
-# apply migrations or create a symlink for settings.py
+# create a symlink for settings.py
 if [ ! -L /var/www/acme2certifier/acme2certifier/settings.py ]
 then
     ln -s /var/www/acme2certifier/volume/settings.py /var/www/acme2certifier/acme2certifier/settings.py
 fi
 
-# check if we need to rename the app
-if !( grep "    'acme_srv'" /var/www/acme2certifier/volume/settings.py &> /dev/null)
+# check if we need to remove django_rename app
+if ( grep "    'django_rename_app'," /var/www/acme2certifier/volume/settings.py &> /dev/null)
 then
-    echo "rename django application" >> /proc/1/fd/1
-    sed -i "s/    'acme'/    'django_rename_app',\n    'acme_srv'/g" /var/www/acme2certifier/volume/settings.py
-    rm -rf /var/www/acme2certifier/volume/migrations/*
-    cp  -R /var/www/acme2certifier/examples/django/acme_srv/migrations /var/www/acme2certifier/volume/
-    python3 manage.py rename_app acme acme_srv
+    echo "remove django_rename application" >> /proc/1/fd/1
+    sed -i "/    'django_rename_app',/d" /var/www/acme2certifier/volume/settings.py
 fi
 
 echo "apply migrations"  >> /proc/1/fd/1
diff --git a/examples/Docker/nginx/wsgi/Dockerfile b/examples/Docker/nginx/wsgi/Dockerfile
index fb501b6b..052c65ae 100644
--- a/examples/Docker/nginx/wsgi/Dockerfile
+++ b/examples/Docker/nginx/wsgi/Dockerfile
@@ -1,13 +1,17 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 LABEL maintainer="grindelsack@gmail.com"
 RUN apt-get update  && \
     DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends tzdata && \
-    apt-get install --no-install-recommends -y \
-    python3-pip \
+    DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
+    curl \
+    krb5-user \
+    libgssapi-krb5-2 \
+    libkrb5-3 \
     nginx \
+    python3-gssapi \
+    python3-pip \
     uwsgi \
     uwsgi-plugin-python3 \
-    curl \
     && rm -rf /var/lib/apt/lists/* &&\
     mkdir -p /var/www/acme2certifier/volume && \
     mkdir -p /var/www/acme2certifier/examples /var/www/acme2certifier/examples/ && \
@@ -16,7 +20,11 @@ RUN apt-get update  && \
 COPY ./ /var/www/acme2certifier/
 
 # configure acme2certifier
-RUN pip3 install -r /var/www/acme2certifier/requirements.txt && pip3 install supervisor && \
+RUN pip3 install impacket --break-system-packages && \
+    rm /usr/local/bin/*.py && \
+    rm -rf /usr/local/lib/python3.12/dist-packages/impacket/examples/* && \
+    pip3 install -r /var/www/acme2certifier/requirements.txt --break-system-packages && \
+    pip3 install supervisor --break-system-packages && \
     cp /var/www/acme2certifier/examples/acme2certifier_wsgi.py /var/www/acme2certifier/acme2certifier_wsgi.py && \
     cp /var/www/acme2certifier/examples/db_handler/wsgi_handler.py /var/www/acme2certifier/acme_srv/db_handler.py && \
 	cp /var/www/acme2certifier/examples/nginx/acme2certifier.ini /var/www/acme2certifier && \
@@ -30,8 +38,17 @@ RUN pip3 install -r /var/www/acme2certifier/requirements.txt && pip3 install sup
 	sed -i "s/default = default_sect/\default = default_sect\nlegacy = legacy_sect/g" /etc/ssl/openssl.cnf && \
     sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[legacy_sect\]\nactivate = 1/g" /etc/ssl/openssl.cnf && \
 	rm /etc/nginx/sites-enabled/default && \
-    rm /var/www/acme2certifier/CHANGES.md /var/www/acme2certifier/README.md /var/www/acme2certifier/SECURITY.md /var/www/acme2certifier/setup.py /var/www/acme2certifier/requirements.txt && \
-	rm -rf /var/www/acme2certifier/examples/Docker /var/www/acme2certifier/examples/django /var/www/acme2certifier/examples/db_handler /var/www/acme2certifier/examples/apache2 /var/www/acme2certifier/examples/acme_srv.db.example /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
+    rm /var/www/acme2certifier/CHANGES.md && \
+    rm /var/www/acme2certifier/README.md && \
+    rm /var/www/acme2certifier/SECURITY.md && \
+    rm /var/www/acme2certifier/setup.py && \
+    rm /var/www/acme2certifier/requirements.txt && \
+	rm -rf /var/www/acme2certifier/examples/Docker && \
+    rm -rf /var/www/acme2certifier/examples/django && \
+    rm -rf /var/www/acme2certifier/examples/db_handler && \
+    rm -rf /var/www/acme2certifier/examples/apache2 && \
+    rm -rf /var/www/acme2certifier/examples/acme_srv.db.example && \
+    rm -rf /var/www/acme2certifier/examples/acme2certifier_wsgi.py  && \
 	chmod a+rx /docker-entrypoint.sh
 
 WORKDIR /var/www/acme2certifier
diff --git a/examples/Docker/soap-srv/Dockerfile b/examples/Docker/soap-srv/Dockerfile
index 604d7d63..0b4dce1e 100644
--- a/examples/Docker/soap-srv/Dockerfile
+++ b/examples/Docker/soap-srv/Dockerfile
@@ -1,15 +1,25 @@
 FROM ubuntu:22.04
 LABEL maintainer="grindelsack@gmail.com"
 
-RUN DEBIAN_FRONTEND="noninteractive" apt-get update  && apt-get -y install --no-install-recommends tzdata  && apt-get install -y --no-install-recommends python3-pip curl && rm -rf /var/lib/apt/lists/*
+RUN apt-get update  && \
+    DEBIAN_FRONTEND="noninteractive" apt-get -y install --no-install-recommends tzdata && \
+    DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
+    apache2 \
+    apache2-data \
+    curl \
+    krb5-user \
+    libapache2-mod-wsgi-py3 \
+    libgssapi-krb5-2 \
+    libkrb5-3 \
+    python3-gssapi \
+    python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
 
 # install python requirements
 COPY requirements.txt /tmp/requirements.txt
-RUN pip3 install -r /tmp/requirements.txt
-
-
-# create folders for acme2certifier
-RUN mkdir -p /usr/local/soap-srv/acme_srv && \
+RUN pip3 install -r /tmp/requirements.txt &&\
+    mkdir -p /usr/local/soap-srv/acme_srv && \
 	mkdir -p /usr/local/soap-srv/examples/ca_handler
 
 COPY examples/soap/mock_soap_srv.py /usr/local/soap-srv/
diff --git a/examples/Docker/ubuntu-systemd/deb_tester.sh b/examples/Docker/ubuntu-systemd/deb_tester.sh
new file mode 100644
index 00000000..21494910
--- /dev/null
+++ b/examples/Docker/ubuntu-systemd/deb_tester.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+echo $1
+echo $2
+
+case "$1" in
+
+  "restart")
+    echo "update configuration and restart service"
+    yes | cp /tmp/acme2certifier/acme_srv.cfg /opt/acme2certifier/acme_srv
+    yes | cp -R /tmp/acme2certifier/acme_ca/* /opt/acme2certifier/volume/acme_ca/
+    systemctl restart acme2certifier.service
+    systemctl restart nginx.service
+    ;;
+
+  *)
+    echo "install missing packages"
+    apt-get update
+    apt-get -y upgrade
+    if [ "$2" = "apache2" ]; then
+      apt-get install -y apache2  apache2-data  libapache2-mod-wsgi-py3 rsyslog
+    elif [ "$2" = "nginx" ]; then
+      apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 rsyslog
+    fi
+
+    systemctl enable rsyslog
+    systemctl start syslog
+
+    echo "install a2c"
+    apt-get install -y /tmp/acme2certifier/acme2certifier*.deb
+
+    if [ "$2" = "apache2" ]; then
+      echo "configure apache"
+      cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf
+      cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf
+      a2enmod ssl
+      a2ensite acme2certifier
+      a2ensite acme2certifier_ssl
+      rm /etc/apache2/sites-enabled/000-default.conf
+    elif [ "$2" = "nginx" ]; then
+      echo "configure nginx"
+      cp /var/www/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
+      cp /var/www/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/sites-available/acme_srv_ssl.conf
+      rm /etc/nginx/sites-enabled/default
+      ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
+      ln -s /etc/nginx/sites-available/acme_srv_ssl.conf /etc/nginx/sites-enabled/acme_srv_ssl.conf
+      cp /var/www/acme2certifier/examples/nginx/acme2certifier.ini /var/www/acme2certifier
+      cp /var/www/acme2certifier/examples/nginx/acme2certifier.service /etc/systemd/system/acme2certifier.service
+      systemctl start acme2certifier
+      systemctl enable acme2certifier
+    fi
+
+    echo "copy data"
+    mkdir -p /var/www/acme2certifier/volume/
+    cp -R /tmp/acme2certifier/volume/* /var/www/acme2certifier/volume/
+
+    if [ -f /var/www/acme2certifier/acme_srv/acme_srv.cfg ]; then
+      rm /var/www/acme2certifier/acme_srv/acme_srv.cfg
+    fi
+    ln -s /var/www/acme2certifier/volume/acme_srv.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg
+
+    echo "change owner and start service"
+    chown -R www-data.www-data /var/www/acme2certifier/
+    systemctl start "$2"
+    ;;
+esac
diff --git a/examples/Docker/ubuntu-systemd/django_tester.sh b/examples/Docker/ubuntu-systemd/django_tester.sh
new file mode 100644
index 00000000..2800dfb7
--- /dev/null
+++ b/examples/Docker/ubuntu-systemd/django_tester.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+echo $1
+echo $2
+
+case "$1" in
+
+  "restart")
+    echo "update configuration and restart service"
+    yes | cp /tmp/acme2certifier/acme_srv.cfg /opt/acme2certifier/acme_srv
+    yes | cp -R /tmp/acme2certifier/acme_ca/* /opt/acme2certifier/volume/acme_ca/
+    systemctl restart acme2certifier.service
+    systemctl restart nginx.service
+    ;;
+
+  *)
+    echo "install missing packages"
+    apt-get update
+    apt-get -y upgrade
+    if [ "$2" = "apache2" ]; then
+      apt-get install -y apache2  apache2-data  libapache2-mod-wsgi-py3 rsyslog
+    elif [ "$2" = "nginx" ]; then
+      apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 rsyslog
+    fi
+
+    systemctl enable rsyslog
+    systemctl start syslog
+
+    echo "install a2c"
+    apt-get install -y /tmp/acme2certifier/acme2certifier*.deb
+
+    if [ "$2" = "apache2" ]; then
+      echo "configure apache"
+      cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf
+      cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf
+      a2enmod ssl
+      a2ensite acme2certifier
+      a2ensite acme2certifier_ssl
+      rm /etc/apache2/sites-enabled/000-default.conf
+    elif [ "$2" = "nginx" ]; then
+      echo "configure nginx"
+      cp /var/www/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
+      cp /var/www/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/sites-available/acme_srv_ssl.conf
+      rm /etc/nginx/sites-enabled/default
+      ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
+      ln -s /etc/nginx/sites-available/acme_srv_ssl.conf /etc/nginx/sites-enabled/acme_srv_ssl.conf
+      cp /var/www/acme2certifier/examples/nginx/acme2certifier.ini /var/www/acme2certifier
+      cp /var/www/acme2certifier/examples/nginx/acme2certifier.service /etc/systemd/system/acme2certifier.service
+      systemctl start acme2certifier
+      systemctl enable acme2certifier
+    fi
+
+    echo "configure django"
+    cp -R /var/www/acme2certifier/examples/django/* /var/www/acme2certifier/
+    cp -r /var/www/acme2certifier/examples/db_handler/django_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
+
+    echo "copy data"
+    mkdir -p /var/www/acme2certifier/volume/
+    cp -R /tmp/acme2certifier/volume/* /var/www/acme2certifier/volume/
+
+    if [ -f /var/www/acme2certifier/acme_srv/acme_srv.cfg ]; then
+      rm /var/www/acme2certifier/acme_srv/acme_srv.cfg
+    fi
+    ln -s /var/www/acme2certifier/volume/acme_srv.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg
+
+    if [ -f /var/www/acme2certifier/acme2certifier/settings.py ]; then
+      rm /var/www/acme2certifier/acme2certifier/settings.py
+    fi
+    ln -s /var/www/acme2certifier/volume/acme2certifier/settings.py /var/www/acme2certifier/acme2certifier/settings.py
+
+    echo "appply migrations"
+    cd /var/www/acme2certifier
+    python3 tools/django_update.py
+
+    echo "change owner and start service"
+    chown -R www-data.www-data /var/www/acme2certifier/volume
+    chown -R www-data.www-data /var/www/acme2certifier/
+
+    systemctl start "$2"
+    ;;
+esac
diff --git a/examples/acme2certifier_wsgi.py b/examples/acme2certifier_wsgi.py
index ee0aacf6..4d354f7f 100644
--- a/examples/acme2certifier_wsgi.py
+++ b/examples/acme2certifier_wsgi.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
-# pylint: disable=E0401, R1705, C0209
+# pylint: disable=E0401, R1705
 """ wsgi based acme server """
 from __future__ import print_function
 import re
@@ -48,7 +48,7 @@
 
 def err_wrong_request_mothod(start_response):
     """ this is the error response for a wrong reqest method """
-    start_response('405 {0}'.format(HTTP_CODE_DIC[405]), [('Content-Type', CONTENT_TYPE_JSON)])
+    start_response(f'405 {HTTP_CODE_DIC[405]}', [('Content-Type', CONTENT_TYPE_JSON)])
 
 
 def handle_exception(exc_type, exc_value, exc_traceback):
@@ -114,7 +114,7 @@ def acct(environ, start_response):
 
         # create header
         headers = create_header(response_dic)
-        start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+        start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
         return [json.dumps(response_dic['data']).encode('utf-8')]
 
 
@@ -124,9 +124,9 @@ def acmechallenge_serve(environ, start_response):
         key_authorization = acmechallenge.lookup(environ['PATH_INFO'])
         if not key_authorization:
             key_authorization = 'NOT FOUND'
-            start_response('404 {0}'.format(HTTP_CODE_DIC[404]), [('Content-Type', 'text/html')])
+            start_response(f'404 {HTTP_CODE_DIC[404]}', [('Content-Type', 'text/html')])
         else:
-            start_response('200 {0}'.format(HTTP_CODE_DIC[200]), [('Content-Type', 'text/html')])
+            start_response(f'200 {HTTP_CODE_DIC[200]}', [('Content-Type', 'text/html')])
         # logging
         logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], {})
         return [key_authorization.encode('utf-8')]
@@ -148,7 +148,7 @@ def authz(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -168,7 +168,7 @@ def newaccount(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -197,7 +197,7 @@ def cert(environ, start_response):
             response_dic = certificate.new_post(request_body)
             # create header
             headers = create_header(response_dic, False)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -209,7 +209,7 @@ def cert(environ, start_response):
             # create header
             headers = create_header(response_dic)
             # create the response
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -231,7 +231,7 @@ def chall(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -244,7 +244,7 @@ def chall(environ, start_response):
             # generate header
             headers = [('Content-Type', CONTENT_TYPE_JSON)]
             # create the response
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -260,7 +260,7 @@ def newnonce(environ, start_response):
     """ generate a new nonce """
     if environ['REQUEST_METHOD'] in ['HEAD', 'GET']:
         nonce = Nonce(DEBUG, LOGGER)
-        headers = [('Content-Type', 'text/plain'), ('Replay-Nonce', '{0}'.format(nonce.generate_and_add()))]
+        headers = [('Content-Type', 'text/plain'), ('Replay-Nonce', f'{nonce.generate_and_add()}')]
         status = '200 OK' if environ['REQUEST_METHOD'] == 'HEAD' else '204 No content'
         start_response(status, headers)
         return []
@@ -278,7 +278,7 @@ def neworders(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -298,7 +298,7 @@ def order(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -317,7 +317,7 @@ def renewalinfo(environ, start_response):
             response_dic = renewalinfo_.update(request_body)
             # create header
             headers = create_header(response_dic, False)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -329,7 +329,7 @@ def renewalinfo(environ, start_response):
             # create header
             headers = create_header(response_dic)
             # create the response
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -354,7 +354,7 @@ def revokecert(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -376,7 +376,7 @@ def trigger(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], response_dic)
@@ -399,7 +399,7 @@ def housekeeping(environ, start_response):
 
             # create header
             headers = create_header(response_dic)
-            start_response('{0} {1}'.format(response_dic['code'], HTTP_CODE_DIC[response_dic['code']]), headers)
+            start_response(f'{response_dic["code"]} {HTTP_CODE_DIC[response_dic["code"]]}', headers)
 
             # logging
             logger_info(LOGGER, environ['REMOTE_ADDR'], environ['PATH_INFO'], '****')
diff --git a/examples/ca_handler/asa_ca_handler.py b/examples/ca_handler/asa_ca_handler.py
new file mode 100644
index 00000000..7ae812e8
--- /dev/null
+++ b/examples/ca_handler/asa_ca_handler.py
@@ -0,0 +1,467 @@
+# -*- coding: utf-8 -*-
+""" Insta Active Security API  handler"""
+from __future__ import print_function
+from typing import Tuple, Dict
+import os
+import requests
+from requests.auth import HTTPBasicAuth
+# pylint: disable=e0401
+from acme_srv.helper import load_config, encode_url, csr_pubkey_get, csr_cn_get, csr_san_get, uts_now, uts_to_date_utc, b64_decode, cert_der2pem, convert_byte_to_string, cert_ski_get, csr_san_byte_get, header_info_field_validate, header_info_lookup, config_eab_profile_load, config_headerinfo_load, eab_profile_header_info_check
+
+
+class CAhandler(object):
+    """ EST CA  handler """
+
+    def __init__(self, _debug: bool = None, logger: object = None):
+        self.logger = logger
+        self.api_host = None
+        self.api_user = None
+        self.api_password = None
+        self.api_key = None
+        self.ca_bundle = None
+        self.proxy = None
+        self.request_timeout = 10
+        self.ca_name = None
+        self.auth = None
+        self.profile_name = None
+        self.cert_validity_days = 30
+        self.header_info_field = False
+        self.eab_handler = None
+        self.eab_profiling = False
+
+    def __enter__(self):
+        """ Makes CAhandler a Context Manager """
+        if not self.api_host:
+            self._config_load()
+        return self
+
+    def __exit__(self, *args):
+        """ cose the connection at the end of the context """
+
+    def _api_get(self, url: str) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_get()')
+        headers = {'x-api-key': self.api_key}
+
+        try:
+            api_response = requests.get(url=url, headers=headers, auth=self.auth, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout)
+            code = api_response.status_code
+            try:
+                content = api_response.json()
+            except Exception as err_:
+                self.logger.error('CAhandler._api_get() returned error during json parsing: %s', err_)
+                content = str(err_)
+        except Exception as err_:
+            self.logger.error('CAhandler._api_get() returned error: %s', err_)
+            code = 500
+            content = str(err_)
+
+        return code, content
+
+    def _api_post(self, url: str, data: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_post()')
+        headers = {'x-api-key': self.api_key}
+
+        try:
+            api_response = requests.post(url=url, headers=headers, json=data, auth=self.auth, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout)
+            code = api_response.status_code
+            if api_response.text:
+                try:
+                    content = api_response.json()
+                except Exception as err_:
+                    self.logger.error('CAhandler._api_post() returned error during json parsing: %s', err_)
+                    content = str(err_)
+            else:
+                content = None
+        except Exception as err_:
+            self.logger.error('CAhandler._api_post() returned error: %s', err_)
+            code = 500
+            content = str(err_)
+
+        return code, content
+
+    def _auth_set(self):
+        """ set basic authentication header """
+        self.logger.debug('CAhandler._auth_set()')
+        if self.api_user and self.api_password:
+            self.auth = HTTPBasicAuth(self.api_user, self.api_password)
+        else:
+            self.logger.error('CAhandler._auth_set(): auth information incomplete. Either "api_user" or "api_password" parameter is missing in config file')
+        self.logger.debug('CAhandler._auth_set() ended')
+
+    def _config_host_load(self, config_dic: Dict[str, str]):
+        """ load hostname """
+        self.logger.debug('_config_host_load()')
+
+        api_host_variable = config_dic.get('api_host_variable')
+        if api_host_variable:
+            self.api_host = os.environ.get(api_host_variable)
+            if not self.api_host:
+                self.logger.error(f'CAhandler._config_host_load() could not load host_variable: {api_host_variable}')
+
+        api_host = config_dic.get('api_host')
+        if api_host:
+            if self.api_host:
+                self.logger.info('CAhandler._config_host_load() overwrite api_host')
+            self.api_host = api_host
+
+        self.logger.debug('_config_host_load() ended')
+
+    def _certificates_list(self) -> Dict[str, str]:
+        """ list profiles """
+        self.logger.debug('CAhandler._certificates_list()')
+
+        url = f'{self.api_host}/list_certificates?issuerName={encode_url(self.logger, self.ca_name)}'
+        _code, api_response = self._api_get(url)
+
+        self.logger.debug('CAhandler._certificates_list() ended')
+        return api_response
+
+    def _config_key_load(self, config_dic: Dict[str, str]):
+        """ load keyname """
+        self.logger.debug('_config_key_load()')
+
+        api_key_variable = config_dic.get('api_key_variable')
+        if api_key_variable:
+            self.api_key = os.environ.get(api_key_variable)
+            if not self.api_key:
+                self.logger.error(f'CAhandler._config_key_load() could not load key_variable: {api_key_variable}')
+
+        api_key = config_dic.get('api_key')
+        if api_key:
+            if self.api_key:
+                self.logger.info('CAhandler._config_key_load() overwrite api_key')
+            self.api_key = api_key
+
+        self.logger.debug('_config_key_load() ended')
+
+    def _config_password_load(self, config_dic: Dict[str, str]):
+        """ load passwordname """
+        self.logger.debug('_config_password_load()')
+
+        api_password_variable = config_dic.get('api_password_variable')
+        if api_password_variable:
+            self.api_password = os.environ.get(api_password_variable)
+            if not self.api_password:
+                self.logger.error(f'CAhandler._config_password_load() could not load password_variable: {api_password_variable}')
+
+        api_password = config_dic.get('api_password')
+        if api_password:
+            if self.api_password:
+                self.logger.info('CAhandler._config_password_load() overwrite api_password')
+            self.api_password = api_password
+
+        self.logger.debug('_config_password_load() ended')
+
+    def _config_user_load(self, config_dic: Dict[str, str]):
+        """ load username """
+        self.logger.debug('_config_user_load()')
+
+        api_user_variable = config_dic.get('api_user_variable')
+        if api_user_variable:
+            self.api_user = os.environ.get(api_user_variable)
+            if not self.api_user:
+                self.logger.error(f'CAhandler._config_user_load() could not load user_variable: {api_user_variable}')
+
+        api_user = config_dic.get('api_user')
+        if api_user:
+            if self.api_user:
+                self.logger.info('CAhandler._config_user_load() overwrite api_user')
+            self.api_user = api_user
+
+        self.logger.debug('_config_user_load() ended')
+
+    def _config_load(self):
+        """" load config from file """
+        self.logger.debug('CAhandler._config_load()')
+
+        config_dic = load_config(self.logger, 'CAhandler')
+
+        if 'CAhandler' in config_dic:
+            self._config_host_load(config_dic['CAhandler'])
+            self._config_user_load(config_dic['CAhandler'])
+            self._config_password_load(config_dic['CAhandler'])
+            self._config_key_load(config_dic['CAhandler'])
+            self.ca_name = config_dic['CAhandler'].get('ca_name')
+            self.profile_name = config_dic['CAhandler'].get('profile_name')
+
+            if 'ca_bundle' in config_dic['CAhandler'] and config_dic['CAhandler']['ca_bundle'] == 'False':
+                self.ca_bundle = False
+            else:
+                self.ca_bundle = config_dic['CAhandler'].get('ca_bundle')
+
+            try:
+                self.request_timeout = int(config_dic['CAhandler'].get('request_timeout', 10))
+            except Exception:
+                self.logger.error('CAhandler._config_load(): request_timeout not an integer')
+
+            try:
+                self.cert_validity_days = int(config_dic['CAhandler'].get('cert_validity_days', 30))
+            except Exception:
+                self.logger.error('CAhandler._config_load(): cert_validity_days not an integer')
+
+        for ele in ['api_host', 'api_user', 'api_password', 'api_key', 'ca_name', 'profile_name']:
+            if not getattr(self, ele):
+                self.logger.error('CAhandler._config_load(): %s not set', ele)
+
+        self._auth_set()
+
+        # load profiling
+        self.eab_profiling, self.eab_handler = config_eab_profile_load(self.logger, config_dic)
+        # load header info
+        self.header_info_field = config_headerinfo_load(self.logger, config_dic)
+
+        self.logger.debug('CAhandler._config_load() ended')
+
+    def _csr_cn_get(self, csr: str) -> str:
+        """ get CN from csr """
+        self.logger.debug('CAhandler._csr_cn_get()')
+
+        cn = csr_cn_get(self.logger, csr)
+
+        if not cn:
+            self.logger.info('CAhandler._csr_cn_get(): CN not found in CSR')
+            san_list = csr_san_get(self.logger, csr)
+            if san_list:
+                (_type, san_value) = san_list[0].split(':')
+                cn = san_value
+                self.logger.info('CAhandler._csr_cn_get(): CN not found in CSR. Using first SAN entry as CN: %s', san_value)
+            else:
+                self.logger.error('CAhandler._csr_cn_get(): CN not found in CSR. No SAN entries found')
+
+        self.logger.debug('CAhandler._csr_cn_get() ended with: %s', cn)
+        return cn
+
+    def _issuer_verify(self) -> str:
+        """ verify issuer """
+        self.logger.debug('CAhandler._issuer_verify()')
+
+        api_response = self._issuers_list()
+
+        if 'issuers' in api_response:
+            if self.ca_name in api_response['issuers']:
+                error = None
+            else:
+                error = f'CA {self.ca_name} not found'
+                self.logger.error('CAhandler.enroll(): CA %s not found', self.ca_name)
+        else:
+            error = 'Malformed response'
+            self.logger.error('CAhandler.enroll(): "Malformed response. "issuers" key not found')
+
+        self.logger.debug('CAhandler._issuer_verify() ended with: %s', error)
+        return error
+
+    def _issuers_list(self) -> Dict[str, str]:
+        """ list issuers """
+        self.logger.debug('CAhandler._list_issuers()')
+
+        url = f'{self.api_host}/list_issuers'
+        _code, api_response = self._api_get(url)
+
+        self.logger.debug('CAhandler._list_issuers() ended')
+        return api_response
+
+    def _profiles_list(self) -> Dict[str, str]:
+        """ list profiles """
+        self.logger.debug('CAhandler._profiles_list()')
+
+        url = f'{self.api_host}/list_profiles?issuerName={encode_url(self.logger, self.ca_name)}'
+        _code, api_response = self._api_get(url)
+
+        self.logger.debug('CAhandler._profiles_list() ended')
+        return api_response
+
+    def _profile_verify(self) -> str:
+        """ verify profile """
+        self.logger.debug('CAhandler._profile_verify(%s)', self.profile_name)
+        api_response = self._profiles_list()
+
+        if 'profiles' in api_response:
+            if self.profile_name in api_response['profiles']:
+                error = None
+            else:
+                error = f'Profile {self.profile_name} not found'
+                self.logger.error('CAhandler.enroll(): Profile %s not found', self.profile_name)
+        else:
+            error = 'Malformed response'
+            self.logger.error('CAhandler.enroll(): "Malformed response. "profiles" key not found')
+
+        self.logger.debug('CAhandler._profile_verify() ended with: %s', error)
+        return error
+
+    def _validity_dates_get(self) -> Tuple[str, str]:
+        """ calculate validity dates """
+        self.logger.debug('CAhandler._validity_dates_get()')
+
+        uts_now_ = uts_now()
+        validfrom = uts_to_date_utc(uts_now_, tformat='%Y-%m-%dT%H:%M:%S')
+        validto = uts_to_date_utc(uts_now_ + (self.cert_validity_days * 24 * 60 * 60), tformat='%Y-%m-%dT%H:%M:%S')
+
+        self.logger.debug('CAhandler._validity_dates_get() ended')
+        return validfrom, validto
+
+    def _pem_cert_chain_generate(self, certs_list: list) -> str:
+        """ generate PEM certificate chain """
+        self.logger.debug('CAhandler._pem_cert_chain_generate()')
+
+        pem_chain = ''
+        for cert in certs_list:
+            pem_chain += convert_byte_to_string(cert_der2pem(b64_decode(self.logger, cert)))
+
+        self.logger.debug('CAhandler._pem_cert_chain_generate() ended')
+        return pem_chain
+
+    def _issuer_chain_get(self) -> str:
+        """ get issuer chain """
+        self.logger.debug('CAhandler._issuer_chain_get()')
+
+        url = f'{self.api_host}/get_issuer_chain?issuerName={encode_url(self.logger, self.ca_name)}'
+        _code, api_response = self._api_get(url)
+        if 'certs' in api_response:
+            pem_chain = self._pem_cert_chain_generate(api_response['certs'])
+        else:
+            self.logger.error('CAhandler._issuer_chain_get(): "certs" key not found')
+            pem_chain = None
+
+        self.logger.debug('CAhandler._issuer_chain_get() ended')
+        return pem_chain
+
+    def _cert_get(self, data_dic: Dict[str, str]) -> str:
+        """ get certificate """
+        self.logger.debug('CAhandler._cert_get()')
+
+        url = f'{self.api_host}/issue_certificate'
+        code, api_response = self._api_post(url, data_dic)
+
+        if code == 200 and api_response:
+            cert = api_response
+        else:
+            self.logger.error('CAhandler._cert_get(): enrollment failed: %s/%s', code, api_response)
+            cert = None
+
+        self.logger.debug('CAhandler._cert_get() ended')
+        return cert
+
+    def _cert_status_get(self, certificate: str) -> str:
+        """ get certificate status """
+        self.logger.debug('CAhandler._cert_status_get()')
+
+        data_dic = {'certificateFile': certificate}
+        url = f'{self.api_host}/verify_certificate?issuerName={encode_url(self.logger, self.ca_name)}'
+        code, api_response = self._api_post(url, data_dic)
+        api_response['code'] = code
+
+        return api_response
+
+    def _enrollment_dic_create(self, csr: str) -> Dict[str, str]:
+        """ create enrollment dic """
+        self.logger.debug('CAhandler._enrollment_dic_create()')
+
+        # get public key from csr
+        csr_pubkey = csr_pubkey_get(self.logger, csr, encoding='base64der')
+        if csr_pubkey:
+            # get CN from csr
+            csr_cn = self._csr_cn_get(csr)
+
+            # calculate validiaty dates
+            validfrom, validto = self._validity_dates_get()
+
+            # prepare payload for api call
+            data_dic = {'publicKey': csr_pubkey, 'profileName': self.profile_name, 'issuerName': self.ca_name, 'cn': csr_cn, 'notBefore': validfrom, 'notAfter': validto}
+
+            # get SANs from csr as base64 encoded byte sequence
+            # sans_base64 = csr_san_byte_get(self.logger, csr)
+            # if sans_base64:
+            #    data_dic['extensions'] = [{'oid': '2.5.29.17', 'value': sans_base64}]  # 'Zm9vLmJhci5sb2NhbA=='
+
+        else:
+            self.logger.error('CAhandler._enrollment_dic_create(): public key not found')
+            data_dic = None
+
+        return data_dic
+
+    def enroll(self, csr: str) -> Tuple[str, str, str, str]:
+        """ enroll certificate  """
+        self.logger.debug('CAhandler.enroll()')
+
+        cert_bundle = None
+        error = None
+        cert_raw = None
+        poll_indentifier = None
+
+        # check for eab profiling and header_info
+        error = eab_profile_header_info_check(self.logger, self, csr, 'profile_name')
+
+        if not error:
+            # verify issuer
+            error = self._issuer_verify()
+
+        if not error:
+            # verify profile
+            error = self._profile_verify()
+            if not error:
+
+                # get issuer chain
+                issuer_chain = self._issuer_chain_get()
+
+                data_dic = self._enrollment_dic_create(csr)
+                if data_dic:
+                    cert_raw = self._cert_get(data_dic)
+
+                if cert_raw:
+                    cert = convert_byte_to_string(cert_der2pem(b64_decode(self.logger, cert_raw)))
+                    cert_bundle = cert + issuer_chain
+                else:
+                    error = 'Enrollment failed'
+
+        self.logger.debug('Certificate.enroll() ended with: %s', error)
+        return (error, cert_bundle, cert_raw, poll_indentifier)
+
+    def poll(self, _cert_name: str, poll_identifier: str, _csr: str) -> Tuple[str, str, str, str, bool]:
+        """ poll status of pending CSR and download certificates """
+        self.logger.debug('CAhandler.poll()')
+
+        error = 'Method not implemented.'
+        cert_bundle = None
+        cert_raw = None
+        rejected = False
+
+        self.logger.debug('CAhandler.poll() ended')
+        return (error, cert_bundle, cert_raw, poll_identifier, rejected)
+
+    def revoke(self, cert: str, _rev_reason: str = 'unspecified', _rev_date: str = uts_to_date_utc(uts_now())) -> Tuple[int, str, str]:
+        """ revoke certificate """
+        self.logger.debug('CAhandler.revoke()')
+
+        code = None
+        message = None
+        detail = None
+
+        cert_ski = cert_ski_get(self.logger, cert)    # get subjectKeyIdentifier from certificate
+
+        url = f'{self.api_host}/revoke_certificate?issuerName={encode_url(self.logger, self.ca_name)}&certificateId={cert_ski}'
+        data_dic = {}
+        code, content_dic = self._api_post(url, data_dic)
+        if content_dic:
+            message = 'urn:ietf:params:acme:error:serverInternal'
+            if 'Message' in content_dic:
+                detail = content_dic.get('Message')
+            elif 'message' in content_dic:
+                detail = content_dic.get('message')
+            else:
+                detail = 'Unknown error'
+
+        self.logger.debug('Certificate.revoke() ended')
+        return (code, message, detail)
+
+    def trigger(self, _payload: str) -> Tuple[str, str, str]:
+        """ process trigger message and return certificate """
+        self.logger.debug('CAhandler.trigger()')
+
+        error = 'Method not implemented.'
+        cert_bundle = None
+        cert_raw = None
+
+        self.logger.debug('CAhandler.trigger() ended with error: %s', error)
+        return (error, cert_bundle, cert_raw)
diff --git a/examples/ca_handler/certifier_ca_handler.py b/examples/ca_handler/certifier_ca_handler.py
index fd776a5b..8c31050f 100644
--- a/examples/ca_handler/certifier_ca_handler.py
+++ b/examples/ca_handler/certifier_ca_handler.py
@@ -9,8 +9,8 @@
 from typing import List, Tuple, Dict
 import requests
 from requests.auth import HTTPBasicAuth
-# pylint: disable=C0209, E0401
-from acme_srv.helper import load_config, cert_serial_get, uts_now, uts_to_date_utc, b64_decode, b64_encode, cert_pem2der, parse_url, proxy_check, error_dic_get, header_info_get
+# pylint: disable=e0401
+from acme_srv.helper import load_config, cert_serial_get, uts_now, uts_to_date_utc, b64_decode, b64_encode, cert_pem2der, parse_url, proxy_check, error_dic_get, config_eab_profile_load, config_headerinfo_load, eab_profile_header_info_check
 
 
 class CAhandler(object):
@@ -30,6 +30,8 @@ def __init__(self, debug: bool = False, logger: object = None):
         self.profile_id = None
         self.proxy = None
         self.header_info_field = False
+        self.eab_handler = None
+        self.eab_profiling = False
 
     def __enter__(self):
         """ Makes ACMEHandler a Context Manager """
@@ -85,34 +87,34 @@ def _api_post(self, url: str, data: Dict[str, str]) -> Dict[str, str]:
         try:
             api_response = requests.post(url=url, json=data, auth=self.auth, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
         except Exception as err_:
-            self.logger.error('CAhandler._api_post() returned error: {0}'.format(err_))
+            self.logger.error('CAhandler._api_post() returned error: %s', err_)
             api_response = str(err_)
 
         return api_response
 
     def _ca_get(self, filter_key: str = None, filter_value: str = None) -> Dict[str, str]:
         """ get list of CAs"""
-        self.logger.debug('_ca_get({0}:{1})'.format(filter_key, filter_value))
+        self.logger.debug('_ca_get(%s:%s)', filter_key, filter_value)
         params = {}
 
         if filter_key:
-            params['q'] = '{0}:{1}'.format(filter_key, filter_value)
+            params['q'] = f'{filter_key}:{filter_value}'
 
         if self.api_host:
             try:
                 api_response = requests.get(self.api_host + '/v1/cas', auth=self.auth, params=params, proxies=self.proxy, verify=self.ca_bundle, timeout=self.request_timeout).json()
             except Exception as err_:
-                self.logger.error('CAhandler._ca_get() returned error: {0}'.format(str(err_)))
+                self.logger.error('CAhandler._ca_get() returned error: %s', str(err_))
                 api_response = {'status': 500, 'message': str(err_), 'statusMessage': 'Internal Server Error'}
         else:
             self.logger.error('CAhandler._ca_get(): api_host is misisng in configuration')
             api_response = {}
-        self.logger.debug('CAhandler._ca_get() ended with: {0}'.format(api_response))
+        self.logger.debug('CAhandler._ca_get() ended with: %s', api_response)
         return api_response
 
     def _ca_get_properties(self, filter_key: str, filter_value: str) -> Dict[str, str]:
         """ get properties for a single CAs"""
-        self.logger.debug('_ca_get_properties({0}:{1})'.format(filter_key, filter_value))
+        self.logger.debug('_ca_get_properties(%s:%s)', filter_key, filter_value)
         ca_list = self._ca_get(filter_key, filter_value)
         ca_dic = {}
         if 'status' in ca_list and 'message' in ca_list:
@@ -125,19 +127,15 @@ def _ca_get_properties(self, filter_key: str, filter_value: str) -> Dict[str, st
                     break
         if not ca_dic:
             ca_dic = {'status': 404, 'message': 'CA not found', 'statusMessage': 'Not Found'}
-        self.logger.debug('CAhandler._ca_get_properties() ended with: {0}'.format(ca_dic))
+        self.logger.debug('CAhandler._ca_get_properties() ended with: %s', ca_dic)
         return ca_dic
 
     def _cert_get(self, csr: str) -> Dict[str, str]:
         """ get certificate from CA """
-        self.logger.debug('CAhandler._cert_get({0})'.format(csr))
+        self.logger.debug('CAhandler._cert_get(%s)', csr)
         ca_dic = self._ca_get_properties('name', self.ca_name)
         cert_dic = {}
 
-        if self.header_info_field:
-            # parse profileid from http_header
-            self.profile_id = self._profile_id_get(csr=csr)
-
         if 'href' in ca_dic:
             data = {'ca': ca_dic['href'], 'pkcs10': csr}
 
@@ -150,18 +148,18 @@ def _cert_get(self, csr: str) -> Dict[str, str]:
         if not cert_dic:
             cert_dic = ca_dic
 
-        self.logger.debug('CAhandler._cert_get() ended with: {0}'.format(cert_dic))
+        self.logger.debug('CAhandler._cert_get() ended with: %s', cert_dic)
         return cert_dic
 
     def _cert_get_properties(self, serial: str, ca_link: str) -> Dict[str, str]:
         """ get properties for a single cert """
-        self.logger.debug('_cert_get_properties({0}: {1})'.format(serial, ca_link))
+        self.logger.debug('_cert_get_properties(%s:%s)', serial, ca_link)
 
-        params = {'q': 'issuer-id:{0},serial-number:{1}'.format(ca_link, serial)}
+        params = {'q': f'issuer-id:{ca_link},serial-number:{serial}'}
         try:
             api_response = requests.get(self.api_host + '/v1/certificates', auth=self.auth, params=params, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
         except Exception as err_:
-            self.logger.error('CAhandler._cert_get_properties() returned error: {0}'.format(str(err_)))
+            self.logger.error('CAhandler._cert_get_properties() returned error: %s', str(err_))
             api_response = {'status': 500, 'message': str(err_), 'statusMessage': 'Internal Server Error'}
         self.logger.debug('CAhandler._cert_get_properties() ended')
         return api_response
@@ -213,7 +211,7 @@ def _config_user_load(self, config_dic: Dict[str, str]):
                 try:
                     self.api_user = os.environ[config_dic['CAhandler']['api_user_variable']]
                 except Exception as err:
-                    self.logger.error('CAhandler._config_load() could not load user_variable:{0}'.format(err))
+                    self.logger.error('CAhandler._config_load() could not load user_variable:%s', err)
             if 'api_user' in config_dic['CAhandler']:
                 if self.api_user:
                     self.logger.info('CAhandler._config_load() overwrite api_user')
@@ -232,7 +230,7 @@ def _config_password_load(self, config_dic: Dict[str, str]):
                 try:
                     self.api_password = os.environ[config_dic['CAhandler']['api_password_variable']]
                 except Exception as err:
-                    self.logger.error('CAhandler._config_load() could not load passphrase_variable:{0}'.format(err))
+                    self.logger.error('CAhandler._config_load() could not load passphrase_variable:%s', err)
             if 'api_password' in config_dic['CAhandler']:
                 if self.api_password:
                     self.logger.info('CAhandler._config_load() overwrite api_password_variable')
@@ -285,22 +283,10 @@ def _config_proxy_load(self, config_dic: Dict[str, str]):
                     proxy_server = proxy_check(self.logger, fqdn, proxy_list)
                     self.proxy = {'http': proxy_server, 'https': proxy_server}
             except Exception as err_:
-                self.logger.warning('Challenge._config_load() proxy_server_list failed with error: {0}'.format(err_))
+                self.logger.warning('Challenge._config_load() proxy_server_list failed with error: %s', err_)
 
         self.logger.debug('_config_proxy_load() ended')
 
-    def _config_headerinfo_get(self, config_dic: Dict[str, str]):
-        """ load parameters """
-        self.logger.debug('_config_header_info()')
-
-        if 'Order' in config_dic and 'header_info_list' in config_dic['Order'] and config_dic['Order']['header_info_list']:
-            try:
-                self.header_info_field = json.loads(config_dic['Order']['header_info_list'])[0]
-            except Exception as err_:
-                self.logger.warning('Order._config_orderconfig_load() header_info_list failed with error: {0}'.format(err_))
-
-        self.logger.debug('_config_header_info() ended')
-
     def _config_load(self):
         """" load config from file """
         # pylint: disable=R0912, R0915
@@ -318,12 +304,13 @@ def _config_load(self):
             self._config_password_load(config_dic)
             # load parameters from config
             self._config_parameter_load(config_dic)
-            # load headerinfo
-            self._config_headerinfo_get(config_dic)
+            # load profiling
+            self.eab_profiling, self.eab_handler = config_eab_profile_load(self.logger, config_dic)
+            # load header info
+            self.header_info_field = config_headerinfo_load(self.logger, config_dic)
 
         # load proxy configuration
         self._config_proxy_load(config_dic)
-
         self.logger.debug('CAhandler._config_load() ended')
 
     def _poll_cert_get(self, request_dic: Dict[str, str], poll_identifier: str, error: str) -> Tuple[str, str, str, str, bool]:
@@ -362,7 +349,7 @@ def _poll_cert_get(self, request_dic: Dict[str, str], poll_identifier: str, erro
 
     def _loop_poll(self, request_url: str) -> Tuple[str, str, str, str]:
         """ poll request """
-        self.logger.debug('CAhandler._loop_poll({0})'.format(request_url))
+        self.logger.debug('CAhandler._loop_poll(%s)', request_url)
 
         error = None
         cert_bundle = None
@@ -387,16 +374,16 @@ def _loop_poll(self, request_url: str) -> Tuple[str, str, str, str]:
             self.logger.error('CAhandler._loop_poll(): no request url specified')
             poll_identifier = request_url
 
-        self.logger.debug('CAhandler._loop_poll() ended with error: {0}'.format(error))
+        self.logger.debug('CAhandler._loop_poll() ended with error: %s', error)
         return (error, cert_bundle, cert_raw, poll_identifier)
 
     def _pem_list_cert_get(self, cert_dic: Dict[str, str]) -> Dict[str, str]:
         self.logger.debug('CAhandler._pem_list_cert_get()')
         if 'issuer' in cert_dic:
-            self.logger.debug('issuer found: {0}'.format(cert_dic['issuer']))
+            self.logger.debug('issuer found: %s', cert_dic['issuer'])
             ca_cert_dic = requests.get(cert_dic['issuer'], auth=self.auth, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
         else:
-            self.logger.debug('issuer found: {0}'.format(cert_dic['issuerCa']))
+            self.logger.debug('issuer found: %s', cert_dic['issuerCa'])
             ca_cert_dic = requests.get(cert_dic['issuerCa'], auth=self.auth, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
 
         cert_dic = {}
@@ -440,37 +427,16 @@ def _pem_cert_chain_generate(self, cert_dic: str) -> str:
         if pem_list:
             pem_file = ''
             for cert in pem_list:
-                pem_file = '{0}-----BEGIN CERTIFICATE-----\n{1}\n-----END CERTIFICATE-----\n'.format(pem_file, textwrap.fill(cert, 64))
+                pem_file = f'{pem_file}-----BEGIN CERTIFICATE-----\n{textwrap.fill(cert, 64)}\n-----END CERTIFICATE-----\n'
         else:
             pem_file = None
 
         self.logger.debug('CAhandler._pem_cert_chain_generate() ended')
         return pem_file
 
-    def _profile_id_get(self, csr: str) -> str:
-        """ get profile id from csr """
-        self.logger.debug('CAhandler._profile_id_get({0})'.format(csr))
-        profile_id = None
-
-        # parse profileid from http_header
-        header_info = header_info_get(self.logger, csr=csr)
-        if header_info:
-            try:
-                header_info_dic = json.loads(header_info[-1]['header_info'])
-                if self.header_info_field in header_info_dic:
-                    for ele in header_info_dic[self.header_info_field].split(' '):
-                        if 'profileid' in ele.lower():
-                            profile_id = ele.split('=')[1]
-                            break
-            except Exception as err:
-                self.logger.error('CAhandler._profile_id_get() could not parse profile_id: {0}'.format(err))
-
-        self.logger.debug('CAhandler._profile_id_get() ended with: {0}'.format(profile_id))
-        return profile_id
-
     def _request_poll(self, request_url: str) -> Tuple[str, str, str, str, bool]:
         """ poll request """
-        self.logger.debug('CAhandler._request_poll({0})'.format(request_url))
+        self.logger.debug('CAhandler._request_poll(%s)', request_url)
 
         error = None
         cert_bundle = None
@@ -481,7 +447,7 @@ def _request_poll(self, request_url: str) -> Tuple[str, str, str, str, bool]:
         try:
             request_dic = requests.get(request_url, auth=self.auth, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
         except Exception as err:
-            self.logger.error('CAhandler._request.poll() returned: {0}'.format(err))
+            self.logger.error('CAhandler._request.poll() returned: %s', err)
             request_dic = {}
 
         # check response
@@ -492,11 +458,11 @@ def _request_poll(self, request_url: str) -> Tuple[str, str, str, str, bool]:
                 error = 'Request rejected by operator'
                 rejected = True
             else:
-                error = 'Unknown request status: {0}'.format(request_dic['status'])
+                error = f'Unknown request status: {request_dic["status"]}'
         else:
             error = '"status" field not found in response.'
 
-        self.logger.debug('CAhandler._request_poll() ended with error: {0}'.format(error))
+        self.logger.debug('CAhandler._request_poll() ended with error: %s', error)
         return (error, cert_bundle, cert_raw, poll_identifier, rejected)
 
     def _trigger_bundle_build(self, cert_raw: str, ca_dic: Dict[str, str]) -> Tuple[str, str]:
@@ -518,18 +484,24 @@ def _trigger_bundle_build(self, cert_raw: str, ca_dic: Dict[str, str]) -> Tuple[
         else:
             error = 'serial number lookup via rest failed'
 
-        self.logger.debug('CAhandler._trigger_bundle_build() ended with:  {0}'.format(error))
+        self.logger.debug('CAhandler._trigger_bundle_build() ended with:  %s', error)
         return (error, cert_bundle)
 
     def enroll(self, csr: str) -> Tuple[str, str, str, str]:
         """ enroll certificate """
         self.logger.debug('Certificate.enroll()')
         cert_bundle = None
-        error = None
         cert_raw = None
         poll_identifier = None
 
-        cert_dic = self._cert_get(csr)
+        # check for eab profiling and header_info
+        error = eab_profile_header_info_check(self.logger, self, csr, 'profile_id')
+
+        # enrollment starts here
+        if not error:
+            cert_dic = self._cert_get(csr)
+        else:
+            cert_dic = None
 
         if cert_dic:
             if 'status' in cert_dic:
@@ -537,7 +509,7 @@ def enroll(self, csr: str) -> Tuple[str, str, str, str]:
                 if 'message' in cert_dic:
                     error = cert_dic['message']
                 else:
-                    error = 'unknown errror'
+                    error = 'unknown error'
             elif 'certificateBase64' in cert_dic:
                 # this is a valid cert generate the bundle
                 cert_bundle = self._pem_cert_chain_generate(cert_dic)
@@ -548,7 +520,9 @@ def enroll(self, csr: str) -> Tuple[str, str, str, str]:
             else:
                 error = 'no certificate information found'
         else:
-            error = 'internal error'
+            if not error:
+                error = 'internal error'
+
         self.logger.debug('Certificate.enroll() ended')
         return (error, cert_bundle, cert_raw, poll_identifier)
 
@@ -564,13 +538,13 @@ def poll(self, cert_name: str, poll_identifier: str, _csr: str) -> Tuple[str, st
         if poll_identifier:
             (error, cert_bundle, cert_raw, poll_identifier, rejected) = self._request_poll(poll_identifier)
         else:
-            self.logger.debug('skipping cert: {0} as there is no poll_identifier'.format(cert_name))
+            self.logger.debug('skipping cert: %s as there is no poll_identifier', cert_name)
 
         return (error, cert_bundle, cert_raw, poll_identifier, rejected)
 
     def revoke(self, cert: str, rev_reason: str = 'unspecified', rev_date: str = uts_to_date_utc(uts_now())) -> Tuple[int, str, str]:
         """ revoke certificate """
-        self.logger.debug('CAhandler.revoke({0}: {1})'.format(rev_reason, rev_date))
+        self.logger.debug('CAhandler.revoke(%s: %s)', rev_reason, rev_date)
 
         # get error message
         err_dic = error_dic_get(self.logger)
@@ -620,5 +594,5 @@ def trigger(self, payload: str) -> Tuple[str, str, str]:
         else:
             error = 'No payload given'
 
-        self.logger.debug('CAhandler.trigger() ended with error: {0}'.format(error))
+        self.logger.debug('CAhandler.trigger() ended with error: %s', error)
         return (error, cert_bundle, cert_raw)
diff --git a/examples/ca_handler/digicert_ca_handler.py b/examples/ca_handler/digicert_ca_handler.py
new file mode 100644
index 00000000..35070a71
--- /dev/null
+++ b/examples/ca_handler/digicert_ca_handler.py
@@ -0,0 +1,316 @@
+# -*- coding: utf-8 -*-
+""" CA handler using Digicert CertCentralAPI"""
+from __future__ import print_function
+from typing import Tuple, Dict
+import json
+import requests
+# pylint: disable=e0401
+from acme_srv.helper import load_config, cert_pem2der, b64_encode, allowed_domainlist_check, eab_profile_header_info_check, uts_now, uts_to_date_utc, cert_serial_get, config_eab_profile_load, config_headerinfo_load, request_operation, csr_cn_lookup
+
+
+CONTENT_TYPE = 'application/json'
+
+
+class CAhandler(object):
+    """ Digicert CertCentralAP handler """
+
+    def __init__(self, _debug: bool = None, logger: object = None):
+        self.logger = logger
+        self.api_url = 'https://www.digicert.com/services/v2/'
+        self.api_key = None
+        self.cert_type = 'ssl_basic'
+        self.signature_hash = 'sha256'
+        self.order_validity = 1
+        self.proxy = None
+        self.request_timeout = 10
+        self.organization_id = None
+        self.organization_name = None
+        self.allowed_domainlist = []
+        self.header_info_field = False
+        self.eab_handler = None
+        self.eab_profiling = False
+
+    def __enter__(self):
+        """ Makes CAhandler a Context Manager """
+        if not self.api_key:
+            self._config_load()
+        return self
+
+    def __exit__(self, *args):
+        """ cose the connection at the end of the context """
+
+    def _allowed_domainlist_check(self, csr: str) -> str:
+        """ check allowed domainlist """
+        self.logger.debug('CAhandler._allowed_domainlist_check()')
+
+        error = None
+        # check CN and SAN against black/whitlist
+        if self.allowed_domainlist:
+            # check sans / cn against list of allowed comains from config
+            result = allowed_domainlist_check(self.logger, csr, self.allowed_domainlist)
+            if not result:
+                error = 'Either CN or SANs are not allowed by configuration'
+
+        self.logger.debug('CAhandler._allowed_domainlist_check() ended with %s', error)
+        return error
+
+    def _api_get(self, url: str) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_get()')
+        headers = {
+            'X-DC-DEVKEY': self.api_key,
+            'Content-Type': CONTENT_TYPE
+        }
+        code, content = request_operation(self.logger, method='get', url=url, headers=headers, proxy=self.proxy, timeout=self.request_timeout, payload=None)
+
+        self.logger.debug('CAhandler._api_get() ended with code: %s', code)
+        return code, content
+
+    def _api_post(self, url: str, data: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_post()')
+        headers = {
+            'X-DC-DEVKEY': self.api_key,
+            'Content-Type': CONTENT_TYPE
+        }
+        code, content = request_operation(self.logger, method='post', url=url, headers=headers, proxy=self.proxy, timeout=self.request_timeout, payload=data)
+
+        self.logger.debug('CAhandler._api_post() ended with code: %s', code)
+        return code, content
+
+    def _api_put(self, url: str, data: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_put()')
+        headers = {
+            'X-DC-DEVKEY': self.api_key,
+            'Content-Type': CONTENT_TYPE
+        }
+        code, content = request_operation(self.logger, method='put', url=url, headers=headers, proxy=self.proxy, timeout=self.request_timeout, payload=data)
+
+        self.logger.debug('CAhandler._api_put() ended with code: %s', code)
+        return code, content
+
+    def _config_check(self) -> str:
+        """ check config """
+        self.logger.debug('CAhandler._config_check()')
+
+        error = None
+        for ele in ['api_url', 'api_key', 'organization_name']:
+            if not getattr(self, ele):
+                error = f'{ele} parameter in missing in config file'
+                self.logger.error('CAhandler._config_check() ended with error: %s', error)
+                break
+
+        self.logger.debug('CAhandler._config_check() ended with: %s', error)
+        return error
+
+    def _config_load(self):
+        """" load config from file """
+        self.logger.debug('CAhandler._config_load()')
+
+        config_dic = load_config(self.logger, 'CAhandler')
+        if 'CAhandler' in config_dic:
+            cfg_dic = dict(config_dic['CAhandler'])
+            self.api_url = cfg_dic.get('api_url', 'https://www.digicert.com/services/v2/')
+            self.api_key = cfg_dic.get('api_key', None)
+            self.cert_type = cfg_dic.get('cert_type', 'ssl_basic')
+            self.signature_hash = cfg_dic.get('signature_hash', 'sha256')
+            self.order_validity = cfg_dic.get('order_validity', 1)
+            self.request_timeout = cfg_dic.get('request_timeout', 10)
+            self.organization_id = cfg_dic.get('organization_id', None)
+            self.organization_name = cfg_dic.get('organization_name', None)
+
+            if 'allowed_domainlist' in config_dic['CAhandler']:
+                try:
+                    self.allowed_domainlist = json.loads(config_dic['CAhandler']['allowed_domainlist'])
+                except Exception as err:
+                    self.logger.error('CAhandler._config_load(): failed to parse allowed_domainlist: %s', err)
+                    self.allowed_domainlist = 'failed to parse'
+
+        # load profiling
+        self.eab_profiling, self.eab_handler = config_eab_profile_load(self.logger, config_dic)
+        # load header info
+        self.header_info_field = config_headerinfo_load(self.logger, config_dic)
+
+        self.logger.debug('CAhandler._config_load() ended')
+
+    def _order_send(self, csr: str, csr_cn) -> Tuple[str, str]:
+        """ place certificate order """
+        self.logger.debug('CAhandler._order_send()')
+        order_url = f'{self.api_url}order/certificate/{self.cert_type}'
+
+        if not csr.endswith('='):
+            # padding if needed
+            csr = csr + '=' * (-len(csr) % 4)
+
+        if (not self.organization_id or self.eab_profiling) and self.organization_name and self.api_key:
+            self.organization_id = self._organiation_id_get()
+
+        if self.organization_id:
+            data_dic = {
+                'certificate': {
+                    'common_name': csr_cn,
+                    'csr': csr,
+                    'signature_hash': self.signature_hash,
+                    'server_platform': {
+                        'id': 34
+                    }
+                },
+                'organization': {
+                    'id': self.organization_id,
+                },
+                'order_validity': {
+                    'years': self.order_validity
+                }
+            }
+            # enroll certificate
+            code, content = self._api_post(order_url, data_dic)
+        else:
+            self.logger.error('CAhandler._order_send() failed: configuration incomplete: organisation_id is missing')
+            code = 500
+            content = 'organisation_id is missing'
+
+        self.logger.debug('CAhandler._order_send() ended with code: %s', code)
+        return code, content
+
+    def _order_response_parse(self, content: Dict[str, str]) -> Tuple[str, str, str]:
+        """ parse order response """
+        self.logger.debug('CAhandler._order_response_parse()')
+
+        cert_bundle = None
+        cert_raw = None
+        poll_identifier = None
+
+        if content and 'certificate_chain' in content:
+            cert_bundle = ''
+            for cert in content['certificate_chain']:
+                if 'pem' in cert:
+                    cert_bundle += cert['pem'] + '\n'
+                else:
+                    self.logger.error('CAhandler._order_response_parse() failed: no pem in certificate_chain')
+            cert_raw = b64_encode(self.logger, cert_pem2der(content['certificate_chain'][0]['pem']))
+            if 'id' in content:
+                poll_identifier = content['id']
+            else:
+                self.logger.error('CAhandler._order_response_parse() polling_identifier generation failed: no id in response')
+        else:
+            self.logger.error('CAhandler._order_response_parse() failed: no certificate_chain in response')
+
+        self.logger.debug('CAhandler._order_response_parse() ended')
+        return cert_bundle, cert_raw, poll_identifier
+
+    def _organiation_id_get(self):
+        """ get organization ID """
+        self.logger.debug('CAhandler._organiation_id_get()')
+
+        org_url = f'{self.api_url}organization'
+        code, content = self._api_get(org_url)
+
+        organization_id = None
+        if code in (200, 201):
+            for org in content['organizations']:
+                if org['name'] == self.organization_name:
+                    self.logger.debug('CAhandler._organiation_id_get() found organization ID: %s', org['id'])
+                    organization_id = org['id']
+                    break
+
+        if not organization_id:
+            self.logger.error('CAhandler._organiation_id_get() failed')
+
+        self.logger.debug('CAhandler._organiation_id_get() ended with: %s', organization_id)
+        return organization_id
+
+    def _csr_check(self, csr: str) -> str:
+        """ check csr """
+        self.logger.debug('CAhandler._csr_check()')
+
+        # check for allowed domainlist
+        error = self._allowed_domainlist_check(csr)
+
+        # check for eab profiling and header_info
+        if not error:
+            error = eab_profile_header_info_check(self.logger, self, csr, 'cert_type')
+
+        self.logger.debug('CAhandler._csr_check() ended with: %s', error)
+        return error
+
+    def enroll(self, csr: str) -> Tuple[str, str, str, str]:
+        """ enroll certificate  """
+        self.logger.debug('CAhandler.enroll()')
+
+        cert_bundle = None
+        error = None
+        cert_raw = None
+        poll_indentifier = None
+
+        # check configuration
+        error = self._config_check()
+
+        if not error:
+            # check csr and profiling
+            error = self._csr_check(csr)
+
+            if not error:
+                csr_cn = csr_cn_lookup(self.logger, csr)
+                code, content = self._order_send(csr, csr_cn)
+
+                if code in (200, 201):
+                    # successful
+                    cert_bundle, cert_raw, poll_indentifier = self._order_response_parse(content)
+                else:
+                    if 'errors' in content:
+                        error = f"Error during order creation: {code} - {content['errors']}"
+                    else:
+                        error = f'Error during order creation: {code} - {content}'
+
+        self.logger.debug('Certificate.enroll() ended')
+        return (error, cert_bundle, cert_raw, poll_indentifier)
+
+    def poll(self, _cert_name: str, poll_identifier: str, _csr: str) -> Tuple[str, str, str, str, bool]:
+        """ poll status of pending CSR and download certificates """
+        self.logger.debug('CAhandler.poll()')
+
+        error = 'Method not implemented.'
+        cert_bundle = None
+        cert_raw = None
+        rejected = False
+
+        self.logger.debug('CAhandler.poll() ended')
+        return (error, cert_bundle, cert_raw, poll_identifier, rejected)
+
+    def revoke(self, certificate_raw: str, _rev_reason: str = 'unspecified', _rev_date: str = uts_to_date_utc(uts_now())) -> Tuple[int, str, str]:
+        """ revoke certificate """
+        self.logger.debug('CAhandler.revoke()')
+
+        code = None
+        message = None
+        detail = None
+
+        cert_serial = cert_serial_get(self.logger, certificate_raw, hexformat=True)
+
+        if cert_serial:
+            revocation_url = f'{self.api_url}certificate/{cert_serial}/revoke'
+            data_dic = {
+                'skip_approval': True
+            }
+            code, detail = self._api_put(revocation_url, data_dic)
+            if code == 204:
+                # rewrite reponse code to not confuse with success
+                code = 200
+        else:
+            code = 500
+            detail = 'Failed to parse certificate serial'
+
+        self.logger.debug('Certificate.revoke() ended')
+        return (code, message, detail)
+
+    def trigger(self, _payload: str) -> Tuple[str, str, str]:
+        """ process trigger message and return certificate """
+        self.logger.debug('CAhandler.trigger()')
+
+        error = 'Method not implemented.'
+        cert_bundle = None
+        cert_raw = None
+
+        self.logger.debug('CAhandler.trigger() ended with error: %s', error)
+        return (error, cert_bundle, cert_raw)
diff --git a/examples/ca_handler/entrust_ca_handler.py b/examples/ca_handler/entrust_ca_handler.py
new file mode 100644
index 00000000..df5ab70d
--- /dev/null
+++ b/examples/ca_handler/entrust_ca_handler.py
@@ -0,0 +1,557 @@
+# -*- coding: utf-8 -*-
+""" CA handler using Entrust ECS Enterprise"""
+from __future__ import print_function
+from typing import Tuple, Dict, List
+import datetime
+import os
+import json
+import requests
+from requests_pkcs12 import Pkcs12Adapter
+# pylint: disable=e0401
+from acme_srv.helper import load_config, cert_pem2der, b64_encode, allowed_domainlist_check, eab_profile_header_info_check, uts_now, uts_to_date_utc, cert_serial_get, config_eab_profile_load, config_headerinfo_load, header_info_get, b64_url_recode, request_operation, csr_cn_lookup
+
+
+CONTENT_TYPE = 'application/json'
+
+
+# hardcoded Entrust Root Certification Authority - G2
+ENTRUST_ROOT_CA = '''-----BEGIN CERTIFICATE-----
+MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
+VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
+cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
+IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
+dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
+NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
+dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
+dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
+aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
+RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
+cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
+wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
+U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
+jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
+BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
+jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
+Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
+1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
+nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
+VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
+-----END CERTIFICATE-----
+'''
+
+
+class CAhandler(object):
+    """ Digicert CertCentralAP handler """
+
+    def __init__(self, _debug: bool = None, logger: object = None):
+        self.logger = logger
+        self.api_url = 'https://api.entrust.net/enterprise/v2'
+        self.client_cert = None
+        self.cert_passphrase = None
+        self.username = None
+        self.password = None
+        self.organization_name = None
+        self.certtype = 'STANDARD_SSL'
+        self.cert_validity_days = 365
+        self.entrust_root_cert = ENTRUST_ROOT_CA
+        self.proxy = None
+        self.session = None
+        self.request_timeout = 10
+
+        self.allowed_domainlist = []
+        self.header_info_field = False
+        self.eab_handler = None
+        self.eab_profiling = False
+
+    def __enter__(self):
+        """ Makes CAhandler a Context Manager """
+        if not self.session:
+            self._config_load()
+        return self
+
+    def __exit__(self, *args):
+        """ cose the connection at the end of the context """
+
+    def _allowed_domainlist_check(self, csr: str) -> str:
+        """ check allowed domainlist """
+        self.logger.debug('CAhandler._allowed_domainlist_check()')
+
+        error = None
+        # check CN and SAN against black/whitlist
+        if self.allowed_domainlist:
+            # check sans / cn against list of allowed comains from config
+            result = allowed_domainlist_check(self.logger, csr, self.allowed_domainlist)
+            if not result:
+                error = 'Either CN or SANs are not allowed by configuration'
+
+        self.logger.debug('CAhandler._allowed_domainlist_check() ended with %s', error)
+        return error
+
+    def _api_get(self, url: str) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_get()')
+        headers = {
+            'Content-Type': CONTENT_TYPE
+        }
+
+        code, content = request_operation(self.logger, session=self.session, method='get', url=url, headers=headers, proxy=self.proxy, timeout=self.request_timeout, payload=None)
+        self.logger.debug('CAhandler._api_get() ended with code: %s', code)
+        return code, content
+
+    def _api_post(self, url: str, data: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_post()')
+        headers = {
+            'Content-Type': CONTENT_TYPE
+        }
+        code, content = request_operation(self.logger, session=self.session, method='post', url=url, headers=headers, proxy=self.proxy, timeout=self.request_timeout, payload=data)
+        self.logger.debug('CAhandler._api_post() ended with code: %s', code)
+        return code, content
+
+    def _api_put(self, url: str, data: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
+        """ post data to API """
+        self.logger.debug('CAhandler._api_put()')
+        headers = {
+            'Content-Type': CONTENT_TYPE
+        }
+        code, content = request_operation(self.logger, session=self.session, method='put', url=url, headers=headers, proxy=self.proxy, timeout=self.request_timeout, payload=data)
+
+        self.logger.debug('CAhandler._api_put() ended with code: %s', code)
+        return code, content
+
+    def _certificates_get_from_serial(self, cert_serial: str) -> List[str]:
+        """ get certificates """
+        self.logger.debug('CAhandler._certificates_get_from_serial()')
+
+        # for some reason entrust custs leading zeros from serial number
+        if cert_serial.startswith('0'):
+            self.logger.info('CAhandler._certificates_get_from_serial() remove leading zeros from serial number')
+            cert_serial = cert_serial.lstrip('0')
+
+        code, content = self._api_get(self.api_url + f'/certificates?serialNumber={cert_serial}')
+
+        if code == 200 and 'certificates' in content:
+            cert_list = content['certificates']
+        else:
+            self.logger.error('CAhandler._certificates_get_from_serial() for %s failed with code: %s', cert_serial, code)
+            cert_list = []
+
+        self.logger.debug('CAhandler._certificates_get_from_serial() ended with code: %s and %s certificate', code, len(cert_list))
+        return cert_list
+
+    def _config_load(self):
+        """" load config from file """
+        self.logger.debug('CAhandler._config_load()')
+
+        config_dic = load_config(self.logger, 'CAhandler')
+        if 'CAhandler' in config_dic:
+            cfg_dic = dict(config_dic['CAhandler'])
+            self.api_url = cfg_dic.get('api_url', 'https://api.entrust.net/enterprise/v2')
+            try:
+                self.request_timeout = int(cfg_dic.get('request_timeout', 10))
+            except Exception as err:
+                self.logger.error('CAhandler._config_load(): failed to parse request_timeout %s', err)
+            try:
+                self.cert_validity_days = int(cfg_dic.get('cert_validity_days', 365))
+            except Exception as err:
+                self.logger.error('CAhandler._config_load(): failed to parse cert_validity_days %s', err)
+
+            self.username = cfg_dic.get('username', None)
+            self.password = cfg_dic.get('password', None)
+            self.organization_name = cfg_dic.get('organization_name', None)
+            self.certtype = cfg_dic.get('certtype', 'STANDARD_SSL')
+            self._config_session_load(config_dic)
+
+            if 'allowed_domainlist' in config_dic['CAhandler']:
+                try:
+                    self.allowed_domainlist = json.loads(config_dic['CAhandler']['allowed_domainlist'])
+                except Exception as err:
+                    self.logger.error('CAhandler._config_load(): failed to parse allowed_domainlist: %s', err)
+                    self.allowed_domainlist = 'failed to parse'
+            # load root CA
+            self._config_root_load(config_dic)
+
+        # load profiling
+        self.eab_profiling, self.eab_handler = config_eab_profile_load(self.logger, config_dic)
+        # load header info
+        self.header_info_field = config_headerinfo_load(self.logger, config_dic)
+
+        self.logger.debug('CAhandler._config_load() ended')
+
+    def _config_passphrase_load(self, config_dic: Dict[str, str]):
+        """ load passphrase """
+        self.logger.debug('CAhandler._config_passphrase_load()')
+        if 'cert_passphrase_variable' in config_dic['CAhandler'] or 'cert_passphrase' in config_dic['CAhandler']:
+            if 'cert_passphrase_variable' in config_dic['CAhandler']:
+                self.logger.debug('CAhandler._config_passphrase_load(): load passphrase from environment variable')
+                try:
+                    self.cert_passphrase = os.environ[config_dic['CAhandler']['cert_passphrase_variable']]
+                except Exception as err:
+                    self.logger.error('CAhandler._config_passphrase_load() could not load cert_passphrase_variable:%s', err)
+
+            if 'cert_passphrase' in config_dic['CAhandler']:
+                self.logger.debug('CAhandler._config_passphrase_load(): load passphrase from config file')
+                if self.cert_passphrase:
+                    self.logger.info('CAhandler._config_load() overwrite cert_passphrase')
+                self.cert_passphrase = config_dic['CAhandler']['cert_passphrase']
+        self.logger.debug('CAhandler._config_passphrase_load() ended')
+
+    def _config_root_load(self, config_dic: Dict[str, str]):
+        """ load root CA """
+        self.logger.debug('CAhandler._config_root_load()')
+        if 'entrust_root_cert' in config_dic['CAhandler']:
+            if os.path.isfile(config_dic['CAhandler']['entrust_root_cert']):
+                self.logger.debug('CAhandler._config_root_load(): load root CA from config file')
+                with open(config_dic['CAhandler']['entrust_root_cert'], 'r', encoding='utf8') as ca_file:
+                    self.entrust_root_cert = ca_file.read()
+            else:
+                self.logger.error('CAhandler._config_root_load(): root CA file configured but not not found. Using default one.')
+
+        self.logger.debug('CAhandler._config_root_load() ended')
+
+    def _config_session_load(self, config_dic: Dict[str, str]):
+        """ load session """
+        self.logger.debug('CAhandler._config_session_load()')
+
+        with requests.Session() as self.session:
+            # client auth via pem files
+            if 'client_cert' in config_dic['CAhandler'] and 'client_key' in config_dic['CAhandler']:
+                self.logger.debug('CAhandler._config_session_load() cert and key in pem format')
+                self.session.cert = (config_dic['CAhandler']['client_cert'], config_dic['CAhandler']['client_key'])
+
+            else:
+                self._config_passphrase_load(config_dic)
+                if 'client_cert' in config_dic['CAhandler'] and self.cert_passphrase:
+                    self.logger.debug('CAhandler._config_session_load() cert and passphrase')
+                    self.session.mount(self.api_url, Pkcs12Adapter(pkcs12_filename=config_dic['CAhandler']['client_cert'], pkcs12_password=self.cert_passphrase))
+                else:
+                    self.logger.warning('CAhandler._config_load() configuration might be incomplete: "client_cert. "client_key" or "client_passphrase[_variable] parameter is missing in config file')
+            self.session.auth = (self.username, self.password)
+
+        self.logger.debug('CAhandler._config_session_load() ended')
+
+    def _org_domain_cfg_check(self) -> str:
+        """ check organizations """
+        self.logger.debug('CAhandler._organizations_check()')
+
+        error = None
+        org_dic = self._organizations_get()
+        if self.organization_name not in org_dic:
+            error = f'Organization {self.organization_name} not found in Entrust API'
+            self.logger.error('CAhandler._organizations_check() ended with error: %s', error)
+        else:
+            domain_list = self._domains_get(org_dic[self.organization_name])
+            if not self.allowed_domainlist:
+                self.logger.info('CAhandler._organizations_check(): allowed_domainlist is empty, using domains from Entrust API')
+                self.allowed_domainlist = domain_list
+
+        self.logger.debug('CAhandler._organizations_check() ended with %s', error)
+        return error
+
+    def _organizations_get(self) -> Dict[str, str]:
+        """ get organizations """
+        self.logger.debug('CAhandler._organizations_get()')
+
+        code, content = self._api_get(self.api_url + '/organizations')
+        org_dic = {}
+        if code == 200 and 'organizations' in content:
+            self.logger.debug('CAhandler._organizations_get() ended with code: 200')
+            for org in content['organizations']:
+                if 'verificationStatus' in org and org['verificationStatus'] == 'APPROVED':
+                    if 'name' in org and 'clientId' in org:
+                        org_dic[org['name']] = org['clientId']
+        else:
+            self.logger.error('CAhandler._organizations_get(): malformed response')
+
+        self.logger.debug('CAhandler._organizations_get() ended with code: %s', code)
+        return org_dic
+
+    def _domains_get(self, org_id: str) -> List[str]:
+        """ get domains """
+        self.logger.debug('CAhandler._domains_get()')
+
+        code, content = self._api_get(self.api_url + f'/clients/{org_id}/domains')
+
+        api_domain_list = []
+        if code == 200 and 'domains' in content:
+            self.logger.debug('CAhandler._domains_get() ended with code: 200')
+
+            for domain in content['domains']:
+                if 'verificationStatus' in domain and domain['verificationStatus'] == 'APPROVED':
+                    if 'domainName' in domain:
+                        api_domain_list.append(domain['domainName'])
+        else:
+            self.logger.error('CAhandler._domains_get(): malformed response')
+
+        self.logger.debug('CAhandler._domains_get() ended with code: %s', code)
+        return api_domain_list
+
+    def credential_check(self):
+        """ test connection to Entrust api """
+        self.logger.debug('CAhandler.credential_check()')
+
+        error = None
+        code, content = self._api_get(self.api_url + '/application/version')
+        if code != 200:
+            error = f'Connection to Entrust API failed: {content}'
+
+        self.logger.debug('CAhandler.credential_check() ended with code: %s', code)
+        return error
+
+    def _config_check(self) -> str:
+        """ check config """
+        self.logger.debug('CAhandler._config_check()')
+
+        error = None
+        for ele in ['api_url', 'username', 'password', 'organization_name']:
+            if not getattr(self, ele):
+                error = f'{ele} parameter in missing in config file'
+                self.logger.error('CAhandler._config_check() ended with error: %s', error)
+                break
+
+        self.logger.debug('CAhandler._config_check() ended with: %s', error)
+        return error
+
+    def _enroll_check(self, csr: str) -> str:
+        """ check csr """
+        self.logger.debug('CAhandler._enroll_check()')
+
+        # check for eab profiling and header_info
+        error = eab_profile_header_info_check(self.logger, self, csr, 'cert_type')
+
+        if not error:
+            error = self._config_check()
+
+        if not error:
+            error = self.credential_check()
+
+        if not error:
+            error = self._org_domain_cfg_check()
+
+        if not error:
+            # check for allowed domainlist
+            error = self._allowed_domainlist_check(csr)
+
+        self.logger.debug('CAhandler._enroll_check() ended with %s', error)
+        return error
+
+    def _trackingid_get(self, cert_raw: str) -> int:
+        """ get tracking id """
+        self.logger.debug('CAhandler._trackingid_get()')
+
+        tracking_id = None
+        # we misuse header_info_get() to get the tracking id from database
+        cert_recode = b64_url_recode(self.logger, cert_raw)
+        pid_list = header_info_get(self.logger, csr=cert_recode, vlist=['poll_identifier'], field_name='cert_raw')
+
+        for ele in pid_list:
+            if 'poll_identifier' in ele:
+                tracking_id = ele['poll_identifier']
+                break
+
+        if not tracking_id:
+            # lookup through Entrust API
+            self.logger.info('CAhandler._trackingid_get(): tracking_id not found in database. Lookup trough Entrust API')
+            cert_serial = cert_serial_get(self.logger, cert_raw, hexformat=True)
+            certificate_list = self._certificates_get_from_serial(cert_serial)
+            for ele in certificate_list:
+                if 'trackingId' in ele:
+                    tracking_id = ele['trackingId']
+                    break
+
+        self.logger.debug('CAhandler._trackingid_get() ended with %s', tracking_id)
+        return tracking_id
+
+    def _response_parse(self, content: Dict[str, str]) -> Tuple[str, str]:
+        """ parse response """
+        self.logger.debug('CAhandler._response_parse()')
+
+        cert_bundle = None
+        cert_raw = None
+        poll_indentifier = None
+
+        if 'trackingId' in content:
+            poll_indentifier = content['trackingId']
+        if 'endEntityCert' in content and 'chainCerts' in content:
+            cert_raw = b64_encode(self.logger, cert_pem2der(content['endEntityCert']))
+            for cnt, ca_cert in enumerate(content['chainCerts']):
+                if cnt == 0:
+                    cert_bundle = ca_cert + '\n'
+                else:
+                    cert_bundle += ca_cert + '\n'
+
+            # add Entrust Root CA
+            if cert_bundle:
+                cert_bundle += self.entrust_root_cert + '\n'
+            else:
+                cert_bundle = self.entrust_root_cert + '\n'
+        self.logger.debug('CAhandler._response_parse() ended')
+        return cert_bundle, cert_raw, poll_indentifier
+
+    def _enroll(self, csr: str) -> Tuple[str, str]:
+        """ enroll certificate """
+        self.logger.debug('CAhandler._enroll()')
+
+        error = None
+        cert_raw = None
+        cert_bundle = None
+        poll_indentifier = None
+
+        # get CN and SANs
+        cn = csr_cn_lookup(self.logger, csr)
+
+        # calculate cert expiry date
+        certexpirydate = datetime.datetime.now() + datetime.timedelta(days=self.cert_validity_days)
+
+        data_dic = {
+            'csr': csr,
+            'signingAlg': 'SHA-2',
+            'eku': "SERVER_AND_CLIENT_AUTH",
+            'cn': cn,
+            'org': self.organization_name,
+            'endUserKeyStorageAgreement': True,
+            'certType': self.certtype,
+            "certExpiryDate": certexpirydate.strftime('%Y-%m-%d')
+        }
+
+        code, content = self._api_post(self.api_url + '/certificates', data_dic)
+
+        if code == 201:
+            cert_bundle, cert_raw, poll_indentifier = self._response_parse(content)
+        else:
+            if 'errors' in content:
+                error = f"Error during order creation: {code} - {content['errors']}"
+            else:
+                error = f'Error during order creation: {code} - {content}'
+            self.logger.error('CAhandler._enroll() failed with error: %s', error)
+
+        self.logger.debug('CAhandler._enroll() ended with code: %s', code)
+        return error, cert_bundle, cert_raw, poll_indentifier
+
+    def revoke_by_trackingid(self, tracking_id: int, _rev_reason: str = 'unspecified') -> Tuple[int, str]:
+        """ revoke certificate """
+        self.logger.debug('CAhandler.revoke_by_trackingid()')
+        code, content = self._api_post(self.api_url + f'/certificates/{tracking_id}/revocations', {'crlReason': _rev_reason, 'revocationComment': 'revoked by acme2certifier'})
+        self.logger.debug('CAhandler.revoke_by_trackingid() ended with code: %s', code)
+        return code, content
+
+    def _total_get(self, content: str) -> int:
+        """ get total number of certificates """
+        self.logger.debug('CAhandler._total_get()')
+        total = 1
+
+        if isinstance(content, dict) and 'summary' in content and 'total' in content['summary']:
+            self.logger.debug('CAhandler.certificates_get() total number of certificates: %s', content['summary']['total'])
+            total = content['summary']['total']   # get total number of certificates
+        else:
+            self.logger.error('CAhandler.certificates_get() failed did not get any total value: %s', content)
+            raise StopIteration('Certificates lookup failed: did not get any total value')
+
+        self.logger.debug('CAhandler._total_get() ended with %s', total)
+        return total
+
+    def certificates_get(self, limit=200) -> List[str]:
+        """ get certificates """
+        self.logger.debug('CAhandler.certificates_get()')
+
+        # set initial values
+        offset = 0
+        cert_list = []
+        prev_data = []
+        total = 1
+        while len(cert_list) < total:
+            self.logger.info('fetching certs offset: %s, limit: %s, total: %s, buffered: %s', offset, limit, total, len(cert_list))
+            code, content = self._api_get(self.api_url + f'/certificates?limit={limit}&offset={offset}')
+            if code == 200:
+                if offset == 0:
+                    # updte totals or throw error
+                    total = self._total_get(content)
+
+                # extend certificate list or throw error
+                if 'certificates' in content:
+                    # cover cases where we wont get new data as we have to avoid loops
+                    if prev_data != content['certificates']:
+                        cert_list.extend(content['certificates'])
+                        prev_data = content['certificates']
+                        offset = offset + limit
+                    else:
+                        self.logger.error('CAhandler.certificates_get() failed to get new data')
+                        break
+            else:
+                self.logger.error('CAhandler.certificates_get() failed with code: %s', code)
+                break
+
+        self.logger.debug('CAhandler.certificates_get() ended with code: %s and %s certificate', code, len(cert_list))
+        return cert_list
+
+    def enroll(self, csr: str) -> Tuple[str, str, str, str]:
+        """ enroll certificate  """
+        self.logger.debug('CAhandler.enroll()')
+
+        cert_bundle = None
+        error = None
+        cert_raw = None
+        poll_indentifier = None
+
+        error = self._enroll_check(csr)
+
+        if not error:
+            error, cert_bundle, cert_raw, poll_indentifier = self._enroll(csr)
+
+        self.logger.debug('Certificate.enroll() ended')
+        return error, cert_bundle, cert_raw, poll_indentifier
+
+    def poll(self, _cert_name: str, poll_identifier: str, _csr: str) -> Tuple[str, str, str, str, bool]:
+        """ poll status of pending CSR and download certificates """
+        self.logger.debug('CAhandler.poll()')
+
+        error = 'Method not implemented.'
+        cert_bundle = None
+        cert_raw = None
+        rejected = False
+
+        self.logger.debug('CAhandler.poll() ended')
+        return (error, cert_bundle, cert_raw, poll_identifier, rejected)
+
+    def revoke(self, certificate_raw: str, _rev_reason: str = 'unspecified', _rev_date: str = uts_to_date_utc(uts_now())) -> Tuple[int, str, str]:
+        """ revoke certificate """
+        self.logger.debug('CAhandler.revoke()')
+
+        code = None
+        message = None
+        detail = None
+
+        # get tracking id as input for revocation call
+        tracking_id = self._trackingid_get(certificate_raw)
+
+        if tracking_id:
+            code, content = self.revoke_by_trackingid(tracking_id, _rev_reason)
+            if code == 200:
+                message = 'Certificate revoked'
+            else:
+                code = 500
+                message = 'urn:ietf:params:acme:error:serverInternal'
+                detail = content
+        else:
+            code = 500
+            message = 'urn:ietf:params:acme:error:serverInternal'
+            detail = 'Failed to get tracking id'
+
+        self.logger.debug('CAhandler.poll() ended')
+
+        self.logger.debug('Certificate.revoke() ended')
+        return (code, message, detail)
+
+    def trigger(self, _payload: str) -> Tuple[str, str, str]:
+        """ process trigger message and return certificate """
+        self.logger.debug('CAhandler.trigger()')
+
+        error = 'Method not implemented.'
+        cert_bundle = None
+        cert_raw = None
+
+        self.logger.debug('CAhandler.trigger() ended with error: %s', error)
+        return (error, cert_bundle, cert_raw)
diff --git a/examples/ca_handler/nclm_ca_handler.py b/examples/ca_handler/nclm_ca_handler.py
index fc2de2e9..29b46216 100644
--- a/examples/ca_handler/nclm_ca_handler.py
+++ b/examples/ca_handler/nclm_ca_handler.py
@@ -6,8 +6,8 @@
 import json
 from typing import List, Tuple, Dict
 import requests
-# pylint: disable=C0209, E0401, R0913
-from acme_srv.helper import load_config, build_pem_file, csr_cn_get, b64_encode, b64_url_recode, convert_string_to_byte, csr_san_get, cert_serial_get, date_to_uts_utc, uts_now, parse_url, proxy_check, error_dic_get
+# pylint: disable=e0401, r0913
+from acme_srv.helper import load_config, build_pem_file, b64_encode, b64_url_recode, convert_string_to_byte, cert_serial_get, uts_now, parse_url, proxy_check, error_dic_get, uts_to_date_utc, header_info_get, eab_profile_header_info_check, config_eab_profile_load, config_headerinfo_load
 
 
 class CAhandler(object):
@@ -16,18 +16,21 @@ class CAhandler(object):
     def __init__(self, _debug=None, logger=None):
         self.logger = logger
         self.api_host = None
+        self.nclm_version = None
+        self.api_version = '/v2'
         self.ca_bundle = True
         self.credential_dic = {'api_user': None, 'api_password': None}
-        self.tsg_info_dic = {'name': None, 'id': None}
-        self.endpoint_dic = {'tsg': '/targetsystemgroups/'}
+        self.container_info_dic = {'name': None, 'id': None}
         self.template_info_dic = {'name': None, 'id': None}
-        self.request_delta_treshold = 300
         self.headers = None
         self.ca_name = None
         self.error = None
         self.wait_interval = 5
         self.proxy = None
         self.request_timeout = 20
+        self.header_info_field = False
+        self.eab_handler = None
+        self.eab_profiling = False
 
     def __enter__(self):
         """ Makes CAhandler a Context Manager """
@@ -36,8 +39,8 @@ def __enter__(self):
             self._config_check()
         if not self.headers and not self.error:
             self._login()
-        if not self.tsg_info_dic['id'] and not self.error:
-            self._tsg_id_lookup()
+        if not self.container_info_dic['id'] and not self.error:
+            self._container_id_lookup()
         return self
 
     def __exit__(self, *args):
@@ -47,52 +50,34 @@ def _api_post(self, url: str, data: Dict[str, str]) -> Dict[str, str]:
         """  generic wrapper for an API post call """
         self.logger.debug('CAhandler._api_post()')
         try:
-            api_response = requests.post(url=url, json=data, headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
+            response = requests.post(url=url, json=data, headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout)
+            try:
+                api_response = response.json()
+            except Exception:
+                api_response = {'status': response.status_code}
         except Exception as err_:
-            self.logger.error('CAhandler._api_post() returned error: {0}'.format(err_))
+            self.logger.error('CAhandler._api_post() returned error: %s', err_)
             api_response = str(err_)
 
-        self.logger.debug('CAhandler._api_post() ended with: {0}'.format(api_response))
+        self.logger.debug('CAhandler._api_post() ended with: %s', api_response)
         return api_response
 
-    def _ca_id_lookup(self) -> int:
-        """ lookup CA ID based on CA_name """
-        self.logger.debug('CAhandler._ca_id_lookup()')
-        # query CAs
-        ca_list = requests.get(self.api_host + '/ca?freeText=' + str(self.ca_name), headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-        ca_id = None
-        if 'CAs' in ca_list:
-            for ca_cert in ca_list['CAs']:
-                # compare name or description field against config value
-                if ('name' in ca_cert and ca_cert['name'] == self.ca_name) or ('desc' in ca_cert and ca_cert['desc'] == self.ca_name):
-                    if 'id' in ca_cert:
-                        ca_id = ca_cert['id']
-        else:
-            # log error
-            self.logger.error('ca_id.lookup() no CAs found in response ...')
-
-        if not ca_id:
-            # log error
-            self.logger.error('_ca_id_lookup(): no ca id found for {0}'.format(self.ca_name))
-        self.logger.debug('CAhandler._ca_id_lookup() ended with: {0}'.format(ca_id))
-        return ca_id
-
     def _ca_id_get(self, ca_list: Dict[str, str]) -> int:
         """ get ca_id """
         self.logger.debug('CAhandler._ca_id_get()')
         ca_id = None
-        if 'ca' in ca_list and 'items' in ca_list['ca']:
-            for ca_ in ca_list['ca']['items']:
+        if 'items' in ca_list:
+            for ca_ in ca_list['items']:
                 # compare name or description field against config value
-                if ('displayName' in ca_ and ca_['displayName'] == self.ca_name):
+                if ('name' in ca_ and ca_['name'] == self.ca_name):
                     # pylint: disable=R1723
-                    if 'policyLinkId' in ca_:
-                        ca_id = ca_['policyLinkId']
+                    if 'id' in ca_:
+                        ca_id = ca_['id']
                         break
                     else:
                         self.logger.error('ca_id.lookup() policyLinkId field is missing  ...')
 
-        self.logger.debug('CAhandler._ca_id_get() with {0}'.format(ca_id))
+        self.logger.debug('CAhandler._ca_id_get() with %s', ca_id)
         return ca_id
 
     def _ca_policylink_id_lookup(self) -> int:
@@ -100,48 +85,89 @@ def _ca_policylink_id_lookup(self) -> int:
         self.logger.debug('CAhandler._ca_policylink_id_lookup()')
 
         # query CAs
-        ca_list = requests.get(self.api_host + '/policy/ca?entityRef=CONTAINER&entityId={0}&allowedOnly=true&withTemplateById=0&enrollWithImportedCSR=true&csrHasPrivateKey=false&csrTemplateVersion=0'.format(self.tsg_info_dic['id']), headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-        ca_id = None
-        if 'ca' in ca_list:
+        ca_list = requests.get(f'{self.api_host}{self.api_version}/containers/{self.container_info_dic["id"]}/issuers', headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
+        if 'items' in ca_list:
             ca_id = self._ca_id_get(ca_list)
         else:
             # log error
+            ca_id = None
             self.logger.error('ca_id.lookup() no CAs found in response ...')
 
         if not ca_id:
             # log error
-            self.logger.error('CAhandler_ca_policylink_id_lookup(): no policylink id found for {0}'.format(self.ca_name))
-        self.logger.debug('CAhandler._ca_policylink_id_lookup() ended with: {0}'.format(ca_id))
+            self.logger.error('CAhandler_ca_policylink_id_lookup(): no policylink id found for %s', self.ca_name)
+        self.logger.debug('CAhandler._ca_policylink_id_lookup() ended with: %s', ca_id)
         return ca_id
 
-    def _cert_bundle_get(self, cert_dic: Dict[str, str], count: int, cert_id: int, cert_raw: str, cert_bundle: str, issuer_loop: bool, error: str) -> Tuple[str, str, str, bool, int]:
-        """ get ca bundle """
-        self.logger.debug('CAhandler._cert_bundle_get()')
-        if count == 1:
-            if 'der' in cert_dic['certificate']:
-                cert_raw = cert_dic['certificate']['der']
-            else:
-                error = 'no der certificate returned for id {0}'.format(cert_id)
-                self.logger.error('CAhandler._cert_bundle_build(): no der certificate returned for id: {0}'.format(cert_id))
+    def _cert_enroll(self, csr: str, policylink_id: int) -> Tuple[str, str, str]:
+        """ enroll operation """
+        self.logger.debug('CAhandler._cert_enroll()')
 
-        if 'pem' in cert_dic['certificate']:
-            cert_bundle = '{0}{1}'.format(cert_bundle, cert_dic['certificate']['pem'])
+        error = None
+        cert_bundle = None
+        cert_raw = None
+        cert_id = None
+
+        # post csr
+        job_id = self._csr_post(csr, policylink_id)
+
+        if job_id:
+            cert_id = self._cert_id_get(job_id)
+            if cert_id:
+                (error, cert_bundle, cert_raw) = self._cert_bundle_build(cert_id)
+            else:
+                self.logger.error('CAhandler.eroll(): certifcate_id lookup failed for job: %s', job_id)
+                error = 'Certifcate_id lookup failed'
         else:
-            error = 'no pem certificate returned for id {0}'.format(cert_id)
-            self.logger.error('CAhandler._cert_bundle_build(): no pem certificate returned for id: {0}'.format(cert_id))
+            self.logger.error('CAhandler.eroll(): job_id lookup failed for job')
+            error = 'job_id lookup failed'
 
-        if 'issuerInfo' in cert_dic['certificate']:
-            if 'id' in cert_dic['certificate']['issuerInfo'] and cert_dic['certificate']['issuerInfo']['id'] != cert_id:
-                self.logger.debug('CAhandler._cert_bundle_build() fetch certificate for certid: {0}'.format(cert_dic['certificate']['issuerInfo']['id']))
-                cert_id = cert_dic['certificate']['issuerInfo']['id']
+        self.logger.debug('CAhandler._cert_enroll() ended with error: %s', error)
+        return (error, cert_bundle, cert_raw, cert_id)
+
+    def _csr_post(self, csr: str, policylink_id: int) -> Dict[str, str]:
+        """ post csr """
+        self.logger.debug('CAhandler._csr_post()')
+
+        job_id = None
+        # build_pem_file
+        csr = build_pem_file(self.logger, None, csr, 64, True)
+        csr = b64_encode(self.logger, convert_string_to_byte(csr))
+        data_dic = {'allowDuplicateCn': True, 'request': {'pkcs10': csr}}
+
+        # add template if correctly configured
+        if 'id' in self.template_info_dic and self.template_info_dic['id']:
+            data_dic['template'] = {'id': self.template_info_dic['id']}
+
+        response = self._api_post(f"{self.api_host}{self.api_version}/containers/{self.container_info_dic['id']}/issuers/{policylink_id}/csr", data_dic)
+
+        if 'id' in response:
+            job_id = response['id']
+
+        self.logger.debug('CAhandler._csr_post() ended with: %s', job_id)
+        return job_id
+
+    def _issuer_certid_get(self, cert_dic: Tuple[str, str]) -> Tuple[str, bool]:
+        """ get cert id of issuer """
+        self.logger.debug('CAhandler._issuer_certid_get()')
+
+        cert_id = None
+        issuer_loop = False
+
+        if isinstance(cert_dic, dict) and 'urls' in cert_dic and 'issuer' in cert_dic['urls']:
+            self.logger.debug('CAhandler._cert_bundle_build() fetch issuer : %s', cert_dic['urls']['issuer'])
+            cert_dic = requests.get(self.api_host + cert_dic['urls']['issuer'], headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
+            if 'urls' in cert_dic and 'certificate' in cert_dic['urls']:
+                cert_id = cert_dic['urls']['certificate'].replace('/v2/certificates/', '')
+                self.logger.debug('CAhandler._cert_bundle_build() fetch certificate for issuer-certid: %s', cert_id)
                 issuer_loop = True
 
-        self.logger.debug('CAhandler._cert_bundle_get() ended with: {0}'.format(cert_id))
-        return (error, cert_raw, cert_bundle, issuer_loop, cert_id)
+        self.logger.debug('CAhandler._issuer_certid_get() ended with: %s', cert_id)
+        return (cert_id, issuer_loop)
 
     def _cert_bundle_build(self, cert_id: int) -> Tuple[str, str, str]:
         """ download cert and create bundle """
-        self.logger.debug('CAhandler._cert_bundle_build({0})'.format(cert_id))
+        self.logger.debug('CAhandler._cert_bundle_build(%s)', cert_id)
         cert_bundle = ''
         error = None
         cert_raw = None
@@ -152,14 +178,17 @@ def _cert_bundle_build(self, cert_id: int) -> Tuple[str, str, str]:
             # set issuer loop to False to avoid ending in an endless loop
             issuer_loop = False
             count += 1
-            self.logger.debug('CAhandler._cert_bundle_build() fetch certificate for certid: {0}'.format(cert_id))
+            self.logger.debug('CAhandler._cert_bundle_build() fetch certificate for certid: %s', cert_id)
 
-            cert_dic = requests.get(self.api_host + '/certificates/' + str(cert_id), headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-            if 'certificate' in cert_dic:
-                (error, cert_raw, cert_bundle, issuer_loop, cert_id) = self._cert_bundle_get(cert_dic, count, cert_id, cert_raw, cert_bundle, issuer_loop, error)
-            else:
-                self.logger.error('CAhandler._cert_bundle_build(): invalid reponse returned for id: {0}'.format(cert_id))
-                error = 'invalid reponse returned for id: {0}'.format(cert_id)
+            cert_dic = requests.get(f'{self.api_host}{self.api_version}/certificates/{cert_id}', headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
+            if 'der' in cert_dic:
+                if count == 1:
+                    # get cert_raw
+                    cert_raw = cert_dic['der']
+
+                # build_pem_file
+                cert_bundle = build_pem_file(self.logger, existing=cert_bundle, certificate=cert_dic['der'], wrap=True, csr=False)
+                cert_id, issuer_loop = self._issuer_certid_get(cert_dic)
 
         # we need this for backwards compability
         if cert_bundle == '':
@@ -168,79 +197,68 @@ def _cert_bundle_build(self, cert_id: int) -> Tuple[str, str, str]:
         self.logger.debug('CAhandler._cert_bundle_build() ended')
         return (error, cert_bundle, cert_raw)
 
-    def _cert_list_fetch(self, url: str) -> List[str]:
-        """ fetch certificate list and consider pagination """
-        self.logger.debug('CAhandler._cert_list_fetch({0})'.format(url))
-
-        cert_list = []
-        while url:
-            try:
-                _tmp_cert_list = requests.get(url, headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-            except Exception as err_:
-                self.logger.error('CAhandler._cert_list_fetch() returned error: {0}'.format(str(err_)))
-                _tmp_cert_list = []
+    def _cert_id_get(self, job_id: int) -> int:
+        """ lookup get cert_id from enrollment job """
+        self.logger.debug('CAhandler._cert_id_get(%s)', job_id)
 
-            if 'certificates' in _tmp_cert_list:
-                cert_list.extend(_tmp_cert_list['certificates'])
-                if 'next' in _tmp_cert_list and _tmp_cert_list['next']:
-                    url = self.api_host + _tmp_cert_list['next']
-                else:
-                    url = None
-            else:
-                url = None
+        cert_id = None
+        # check job status
+        cnt = 0
+        while cnt < 10:
+            response = requests.get(f"{self.api_host}{self.api_version}/jobs/{job_id}", headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
+            if 'status' in response and response['status'] == 'done':
+                if 'entities' in response and len(response['entities']) > 0:
+                    if 'ref' in response['entities'][0] and response['entities'][0]['ref'].lower() == 'certificate':
+                        cert_id = response['entities'][0]['url'].replace('/v2/certificates/', '')
+                break
+            time.sleep(self.wait_interval)
 
-        self.logger.debug('CAhandler._cert_list_fetch() ended with {0} entries'.format(len(cert_list)))
-        return cert_list
+        self.logger.debug('CAhandler._cert_id_get() ended with: %s', cert_id)
+        return cert_id
 
-    def _cert_list_lookup(self, csr_cn: str) -> Dict[str, str]:
+    def _certid_get_from_serial(self, cert_raw: str) -> List[str]:
         """ get certificates """
-        self.logger.debug('CAhandler._cert_list_lookup({0})'.format(csr_cn))
+        self.logger.debug('CAhandler._certid_get_from_serial()')
 
+        cert_serial = cert_serial_get(self.logger, cert_raw, hexformat=True)
+
+        # search for certificate
         try:
-            if csr_cn:
-                url = self.api_host + '/certificates?freeText==' + str(csr_cn) + '&stateCurrent=false&stateHistory=false&stateWaiting=false&stateManual=false&stateUnattached=false&expiresAfter=%22%22&expiresBefore=%22%22&sortAttribute=createdAt&sortOrder=desc&containerId=' + str(self.tsg_info_dic['id'])
-            else:
-                url = self.api_host + '/certificates?stateCurrent=false&stateHistory=false&stateWaiting=false&stateManual=false&stateUnattached=false&expiresAfter=%22%22&expiresBefore=%22%22&sortAttribute=createdAt&sortOrder=desc&containerId=' + str(self.tsg_info_dic['id'])
-            cert_list = self._cert_list_fetch(url)
+            cert_list = requests.get(f"{self.api_host}{self.api_version}/certificates?freeText=={cert_serial}&containerId={self.container_info_dic['id']}", headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
         except Exception as err_:
-            self.logger.error('CAhandler._cert_id_lookup() returned error: {0}'.format(str(err_)))
+            self.logger.error('CAhandler._certid_get_from_serial(): request get aborted with err: %s', err_)
             cert_list = []
 
-        self.logger.debug('CAhandler._cert_list_lookup() ended')
-        return cert_list
-
-    def _cert_id_get(self, cert_list: Dict[str, str], san_list: List[str]) -> int:
-        """ lookup certificate id from certificate_list """
-        self.logger.debug('CAhandler._cert_id_get()')
-        cert_id = None
-        for cert in sorted(cert_list, key=lambda i: i['certificateId'], reverse=True):
-            # lets compare the SAN (this is more reliable than comparing the CN (certbot does not set a CN
-            if san_list and 'subjectAltName' in cert:
-                result = self._san_compare(san_list, cert['subjectAltName'])
-                if result and 'certificateId' in cert:
-                    cert_id = cert['certificateId']
-                    break
+        if cert_list and 'items' in cert_list and len(cert_list['items']) > 0 and 'id' in cert_list['items'][0]:
+            cert_id = cert_list['items'][0]['id']
+        else:
+            cert_id = None
+            self.logger.error('CAhandler._certid_get_from_serial(): no certificate found for serial: %s', cert_serial)
 
-        self.logger.debug('CAhandler._cert_id_get() ended')
+        self.logger.debug('CAhandler._certid_get_from_serial() ended with code: %s', cert_id)
         return cert_id
 
-    def _cert_id_lookup(self, csr_cn: str, san_list: List[str] = None) -> int:
-        """ lookup cert id based on CN """
-        self.logger.debug('CAhandler._cert_id_lookup({0}:{1})'.format(csr_cn, san_list))
-
-        # get certificate list having the csr cn
-        cert_list = self._cert_list_lookup(csr_cn)
+    def _cert_id_lookup(self, cert_raw: str) -> int:
+        """ get tracking id """
+        self.logger.debug('CAhandler._cert_id_lookup()')
 
         cert_id = None
-        if cert_list:
-            try:
-                cert_id = self._cert_id_get(cert_list, san_list)
-            except Exception as err_:
-                self.logger.error('_cert_id_lookup(): response incomplete: {0}'.format(err_))
-        else:
-            self.logger.error('_cert_id_lookup(): no certificates found for {0}'.format(csr_cn))
 
-        self.logger.debug('CAhandler._cert_id_lookup() ended with: {0}'.format(cert_id))
+        # we misuse header_info_get() to get the tracking id from database
+        cert_recode = b64_url_recode(self.logger, cert_raw)
+        pid_list = header_info_get(self.logger, csr=cert_recode, vlist=['poll_identifier'], field_name='cert_raw')
+
+        for ele in pid_list:
+            if 'poll_identifier' in ele:
+                cert_id = ele['poll_identifier']
+                break
+
+        if not cert_id:
+            # lookup through NCLM API
+            self.logger.info('CAhandler._cert_id_lookup(): cert_id not found in database. Lookup trough NCLM API')
+            cert_id = self._certid_get_from_serial(cert_raw)
+
+        self.logger.debug('CAhandler._cert_id_lookup() ended with %s', cert_id)
         return cert_id
 
     def _config_api_access_check(self):
@@ -268,7 +286,7 @@ def _config_names_check(self):
         self.logger.debug('CAhandler._config_names_check()')
 
         if not self.error:
-            if not bool('name' in self.tsg_info_dic and bool(self.tsg_info_dic['name'])):
+            if not bool('name' in self.container_info_dic and bool(self.container_info_dic['name'])):
                 self.logger.error('"tsg_name" to be set in config file')
                 self.error = 'tsg_name to be set in config file'
 
@@ -298,7 +316,7 @@ def _config_api_user_load(self, config_dic: Dict[str, str]):
             try:
                 self.credential_dic['api_user'] = os.environ[config_dic['CAhandler']['api_user_variable']]
             except Exception as err:
-                self.logger.error('CAhandler._config_load() could not load user_variable:{0}'.format(err))
+                self.logger.error('CAhandler._config_load() could not load user_variable:%s', err)
         if 'api_user' in config_dic['CAhandler']:
             if self.credential_dic['api_user']:
                 self.logger.info('CAhandler._config_load() overwrite api_user')
@@ -314,7 +332,7 @@ def _config_api_password_load(self, config_dic: Dict[str, str]):
             try:
                 self.credential_dic['api_password'] = os.environ[config_dic['CAhandler']['api_password_variable']]
             except Exception as err:
-                self.logger.error('CAhandler._config_load() could not load password_variable:{0}'.format(err))
+                self.logger.error('CAhandler._config_load() could not load password_variable:%s', err)
         if 'api_password' in config_dic['CAhandler']:
             if self.credential_dic['api_password']:
                 self.logger.info('CAhandler._config_load() overwrite api_password')
@@ -333,7 +351,10 @@ def _config_names_load(self, config_dic: Dict[str, str]):
             self.ca_name = config_dic['CAhandler']['ca_name']
 
         if 'tsg_name' in config_dic['CAhandler']:
-            self.tsg_info_dic['name'] = config_dic['CAhandler']['tsg_name']
+            self.container_info_dic['name'] = config_dic['CAhandler']['tsg_name']
+
+        if 'container_name' in config_dic['CAhandler']:
+            self.container_info_dic['name'] = config_dic['CAhandler']['container_name']
 
         if 'template_name' in config_dic['CAhandler']:
             self.template_info_dic['name'] = config_dic['CAhandler']['template_name']
@@ -353,7 +374,7 @@ def _config_proxy_load(self, config_dic: Dict[str, str]):
                     proxy_server = proxy_check(self.logger, fqdn, proxy_list)
                     self.proxy = {'http': proxy_server, 'https': proxy_server}
             except Exception as err_:
-                self.logger.warning('Challenge._config_load() proxy_server_list failed with error: {0}'.format(err_))
+                self.logger.warning('Challenge._config_load() proxy_server_list failed with error: %s', err_)
 
         self.logger.debug('CAhandler._config_proxy_load() ended')
 
@@ -361,12 +382,6 @@ def _config_timer_load(self, config_dic: Dict[str, str]):
         """ load timer """
         self.logger.debug('CAhandler._config_proxy_load()')
 
-        if 'request_delta_treshold' in config_dic['CAhandler']:
-            try:
-                self.request_delta_treshold = int(config_dic['CAhandler']['request_delta_treshold'])
-            except Exception:
-                self.logger.error('CAhandler._config_load() could not load request_delta_treshold:{0}'.format(config_dic['CAhandler']['request_delta_treshold']))
-
         # check if we get a ca bundle for verification
         if 'ca_bundle' in config_dic['CAhandler']:
             try:
@@ -395,263 +410,154 @@ def _config_load(self):
             self._config_timer_load(config_dic)
 
         self._config_proxy_load(config_dic)
+        # load profiling
+        self.eab_profiling, self.eab_handler = config_eab_profile_load(self.logger, config_dic)
+        # load header info
+        self.header_info_field = config_headerinfo_load(self.logger, config_dic)
 
         self.logger.debug('CAhandler._config_load() ended')
 
-    def _lastrequests_get(self) -> Dict[str, str]:
-        """ last requests get """
-        self.logger.debug('CAhandler._lastrequests_get()')
-
-        req_all = []
-        # special certbot scenario (no CN in CSR). No better idea how to handle this, take first request
+    def _container_id_lookup(self):
+        """ get target system id based on name """
+        self.logger.debug('CAhandler._container_id_lookup() for tsg: %s', self.container_info_dic['name'])
         try:
-            result = requests.get(self.api_host + '/requests', headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-            if 'requests' in result:
-                req_all = result['requests']
-            else:
-                self.logger.error('_lastrequests_get(): response incomplete:')
+            tsg_list = requests.get(self.api_host + '/containers?freeText=' + str(self.container_info_dic['name']) + '&offset=0&limit=50&fetchPath=true', headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
         except Exception as err_:
-            self.logger.error('CAhandler._lastrequests_get() returned error: {0}'.format(str(err_)))
-
-        self.logger.debug('CAhandler._lastrequests_get() endet with {0}'.format(len(req_all)))
-        return req_all
-
-    def _reqcn_lookup(self, req: Dict[str, str]) -> str:
-        self.logger.debug('CAhandler._reqcn_lookup()')
-
-        req_cn = None
-        if 'subjectName' in req:
-            # split the subject and filter CN
-            subject_list = req['subjectName'].split(',')
-            for field in subject_list:
-                field = field.strip()
-                if field.startswith('CN='):
-                    req_cn = field.lower().replace('cn=', '')
-                    break
-
-        self.logger.debug('CAhandler._reqcn_lookup() ended with: {0}'.format(req_cn))
-        return req_cn
-
-    def _reqid_from_last_requests(self, last_request_list: Dict[str, str], csr: str) -> int:
-        """ get reqid """
-        self.logger.debug('CAhandler._reqid_from_last_requests()')
-
-        req_id = None
-        for _req in sorted(last_request_list, key=lambda i: i['requestId'], reverse=True):
-            if 'pkcs10' in _req and _req['pkcs10'] == csr:
-                req_id = _req['requestId']
-                break
-
-        self.logger.debug('CAhandler._reqid_from_last_requests() ended with: {0}'.format(req_id))
-        return req_id
-
-    def _reqid_lookup(self, csr: str, csr_cn: str, uts_n: int, unused_request_list: Dict[str, str], last_request_list: Dict[str, str]) -> int:
-        """ lookup request """
-        self.logger.debug('CAhandler._reqid_lookup()')
-
-        req_id = None
-
-        # check every CSR
-        for req in sorted(unused_request_list, key=lambda i: i['requestID'], reverse=True):
-            req_cn = None
-            # check the import date and consider only csr which are less then 5min old
-            csr_uts = date_to_uts_utc(req['addedAt'][:25], '%Y-%m-%dT%H:%M:%S.%f')
-            if uts_n - csr_uts < self.request_delta_treshold:
-
-                # get common name from requst
-                req_cn = self._reqcn_lookup(req)
+            self.logger.error('CAhandler._container_id_lookup() returned error: %s', err_)
+            tsg_list = []
 
-                if csr_cn:
-                    if req_cn == csr_cn.lower() and 'requestID' in req:
-                        req_id = req['requestID']
+        if 'items' in tsg_list:
+            for tsg in tsg_list['items']:
+                if 'name' in tsg and 'id' in tsg:
+                    if self.container_info_dic['name'] == tsg['name']:
+                        self.container_info_dic['id'] = tsg['id']
                         break
                 else:
-                    req_id = self._reqid_from_last_requests(last_request_list, csr)
-
-        self.logger.debug('CAhandler._reqid_lookup() ended with: {0}'.format(req_id))
-        return req_id
-
-    def _csr_id_lookup(self, csr_cn: str, _csr_san_list: Dict[str, str], csr: str = None) -> int:
-        """ lookup CSR based on CN """
-        self.logger.debug('CAhandler._csr_id_lookup()')
-
-        # uts
-        uts_n = uts_now()
-
-        # get unused requests from NCLM
-        unused_request_list = self._unusedrequests_get()
-
-        # get last 50 requests
-        if not csr_cn:
-            last_request_list = self._lastrequests_get()
+                    self.logger.error('CAhandler._container_id_lookup() incomplete response: %s', tsg)
         else:
-            last_request_list = []
-
-        try:
-            req_id = self._reqid_lookup(csr, csr_cn, uts_n, unused_request_list, last_request_list)
-        except Exception as err_:
-            self.logger.error('_csr_id_lookup(): response incomplete: {0}'.format(err_))
-            req_id = None
-
-        self.logger.debug('CAhandler._csr_id_lookup() ended with: {0}'.format(req_id))
-        return req_id
+            self.logger.error('CAhandler._container_id_lookup() no target-system-groups found for filter: %s.', self.container_info_dic['name'])
+        self.logger.debug('CAhandler._container_id_lookup() ended with: %s', str(self.container_info_dic['id']))
 
     def _login(self):
         """ _login into NCLM API """
         self.logger.debug('CAhandler._login()')
         # check first if API is reachable
-        api_response = requests.get(self.api_host, proxies=self.proxy, timeout=self.request_timeout)
-        self.logger.debug('api response code:{0}'.format(api_response.status_code))
+        api_response = requests.get(self.api_host + '/v1', proxies=self.proxy, timeout=self.request_timeout)
+        self.logger.debug('api response code:%s', api_response.status_code)
+
         if api_response.ok:
             # all fine try to login
-            self.logger.debug('log in to {0} as user "{1}"'.format(self.api_host, self.credential_dic['api_user']))
+            if 'versionNumber' in api_response.json():
+                self.nclm_version = api_response.json()['versionNumber']
+                self.logger.debug('NCLM version: %s', self.nclm_version)
+
+            self.logger.debug('log in to %s as user "%s"', self.api_host, self.credential_dic['api_user'])
             data = {'username': self.credential_dic['api_user'], 'password': self.credential_dic['api_password']}
-            api_response = requests.post(url=self.api_host + '/token?grant_type=client_credentials', json=data, proxies=self.proxy, timeout=self.request_timeout)
+            api_response = requests.post(url=self.api_host + self.api_version + '/token?grant_type=client_credentials', json=data, proxies=self.proxy, timeout=self.request_timeout)
+
             if api_response.ok:
                 json_dic = api_response.json()
                 if 'access_token' in json_dic:
-                    self.headers = {"Authorization": "Bearer {0}".format(json_dic['access_token'])}
+                    self.headers = {"Authorization": f"Bearer {json_dic['access_token']}"}
                     _username = json_dic.get('username', None)
                     _realms = json_dic.get('realms', None)
-                    self.logger.debug('login response:\n user: {0}\n token: {1}\n realms: {2}\n'.format(_username, json_dic['access_token'], _realms))
+                    self.logger.debug('login response:\n user: %s\n token: %s\n realms: %s\n', _username, json_dic['access_token'], _realms)
                 else:
-                    self.logger.error('CAhandler._login(): No token returned. Aborting...')
+                    self.logger.error('CAhandler._login(): No token returned. Aborting.')
             else:
-                self.logger.error('CAhandler._login() error during post: {0}'.format(api_response.status_code))
+                self.logger.error('CAhandler._login() error during post: %s', api_response.status_code)
         else:
             # If response code is not ok (200), print the resulting http error code with description
-            self.logger.error('CAhandler._login() error during get: {0}'.format(api_response.status_code))
+            self.logger.error('CAhandler._login() error during get: %s', api_response.status_code)
 
-    def _request_import(self, csr: str) -> Dict[str, str]:
-        """ import certificate request to NCLM """
-        self.logger.debug('CAhandler._request_import()')
-        data_dic = {'pkcs10': csr}
-        try:
-            result = self._api_post(self.api_host + self.endpoint_dic['tsg'] + str(self.tsg_info_dic['id']) + '/importrequest', data_dic)
-        except Exception as err_:
-            self.logger.error('CAhandler._request_import() returned error: {0}'.format(str(err_)))
-            result = None
-        return result
+    def _revocation_status_poll(self, job_id: int, err_dic: Dict[str, str]) -> Tuple[int, str, str]:
+        """ poll status of revocation job """
+        self.logger.debug('CAhandler._revocation_status_poll()')
 
-    def _unusedrequests_get(self) -> Dict[str, str]:
-        """ get unused requests """
-        self.logger.debug('CAhandler.requests_get()')
-        try:
-            result = requests.get(self.api_host + self.endpoint_dic['tsg'] + str(self.tsg_info_dic['id']) + '/unusedrequests', headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-        except Exception as err_:
-            self.logger.error('CAhandler._unusedrequests_get() returned error: {0}'.format(str(err_)))
-            result = None
-        return result
-
-    def _san_compare(self, csr_san: str, cert_san: str) -> bool:
-        """ compare sans from csr with san in cert """
-        self.logger.debug('CAhandler._san_compare({0}, {1})'.format(csr_san, cert_san))
-        # convert csr_sans to lower case
-        csr_san_lower = []
-        for ele in csr_san:
-            for san in ele.split(','):
-                csr_san_lower.append(san.strip().lower())
-
-        # build cert_san list in the same format as csr_san
-        cert_san_lower = []
-        for stype in cert_san:
-            for san in cert_san[stype]:
-                cert_san_lower.append('{0}:{1}'.format(stype.lower(), san.lower()))
-
-        result = False
-
-        # compare lists
-        if sorted(csr_san_lower) == sorted(cert_san_lower):
-            result = True
-
-        self.logger.debug('CAhandler._san_compare() ended with: {0}'.format(result))
-        return result
-
-    def _template_list_get(self) -> Dict[str, str]:
+        cnt = 0
+        while cnt < 10:
+            response = requests.get(f"{self.api_host}{self.api_version}/jobs/{job_id}", headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
+            if 'status' in response and response['status'] in ['done', 'failed']:
+                if response['status'] == 'done':
+                    code = 200
+                    message = None
+                    detail = None
+                elif response['status'] == 'failed':
+                    code = 500
+                    message = err_dic['serverinternal']
+                    detail = 'Revocation operation failed: error from API'
+                break
+            time.sleep(self.wait_interval)
+            cnt += 1
+
+        if cnt == 10:
+            code = 500
+            message = err_dic['serverinternal']
+            detail = 'Revocation operation failed: Timeout'
+
+        self.logger.debug('CAhandler._revocation_status_poll() ended with: %s', code)
+        return (code, message, detail)
+
+    def _template_list_get(self, ca_id: int) -> Dict[str, str]:
         """ get list of templates """
-        self.logger.debug('CAhandler._template_id_lookup({0})'.format(self.tsg_info_dic['id']))
+        self.logger.debug('CAhandler._template_list_get(%s)', ca_id)
         try:
-            template_list = requests.get(self.api_host + '/policy/ca/7/templates?entityRef=CONTAINER&entityId=' + str(self.tsg_info_dic['id']) + '&allowedOnly=true&enroll=true', headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
+            template_list = requests.get(f"{self.api_host}{self.api_version}/containers/{self.container_info_dic['id']}/issuers/{ca_id}/templates", headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
         except Exception as err_:
-            self.logger.error('CAhandler._template_id_lookup() returned error: {0}'.format(err_))
+            self.logger.error('CAhandler._template_list_get() returned error: %s', err_)
             template_list = []
 
+        if 'items' in template_list:
+            tmpl_cnt = len(template_list['items'])
+        else:
+            tmpl_cnt = 0
+
+        self.logger.debug('CAhandler._template_list_get() ended with: %s templates', tmpl_cnt)
         return template_list
 
     def _templates_enumerate(self, template_list: Dict[str, str]):
         """ get template id based on name """
-        self.logger.debug('CAhandler._template_id_lookup() for template: {0}'.format(self.template_info_dic['name']))
+        self.logger.debug('CAhandler._templates_enumerate() for template: %s', self.template_info_dic['name'])
 
-        for template in template_list['template']['items']:
-            if 'allowed' in template and template['allowed'] and 'linkType' in template and template['linkType'].lower() == 'template':
-                if 'displayName' in template and template['displayName'] == self.template_info_dic['name']:
-                    if 'policyLinkId' in template:
-                        self.template_info_dic['id'] = template['policyLinkId']
-                        break
+        for template in template_list['items']:
+            if 'name' in template and template['name'] == self.template_info_dic['name']:
+                if 'id' in template:
+                    self.template_info_dic['id'] = template['id']
+                    break
 
-    def _template_id_lookup(self):
+    def _template_id_lookup(self, ca_id: int):
         """ get template id based on name """
-        self.logger.debug('CAhandler._template_id_lookup() for template: {0}'.format(self.template_info_dic['name']))
+        self.logger.debug('CAhandler._template_id_lookup() for template: %s', self.template_info_dic['name'])
 
         # get list of templates
-        template_list = self._template_list_get()
+        template_list = self._template_list_get(ca_id)
 
         # enumerate templates to get template-id
-        if 'template' in template_list and 'items' in template_list['template']:
+        if 'items' in template_list:
             self._templates_enumerate(template_list)
         else:
-            self.logger.error('CAhandler._template_id_lookup() no templates found for filter: {0}...'.format(self.template_info_dic['name']))
+            self.logger.error('CAhandler._template_id_lookup() no templates found for filter: %s.', self.template_info_dic['name'])
 
-        self.logger.debug('CAhandler._template_id_lookup() ended with: {0}'.format(str(self.template_info_dic['id'])))
+        self.logger.debug('CAhandler._template_id_lookup() ended with: %s', str(self.template_info_dic['id']))
 
-    def _tsg_id_lookup(self):
-        """ get target system id based on name """
-        self.logger.debug('CAhandler._tsg_id_lookup() for tsg: {0}'.format(self.tsg_info_dic['name']))
-        try:
-            tsg_list = requests.get(self.api_host + '/targetsystemgroups?freeText=' + str(self.tsg_info_dic['name']) + '&offset=0&limit=50&fetchPath=true', headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-        except Exception as err_:
-            self.logger.error('CAhandler._tsg_id_lookup() returned error: {0}'.format(err_))
-            tsg_list = []
-        if 'targetSystemGroups' in tsg_list:
-            for tsg in tsg_list['targetSystemGroups']:
-                if 'name' in tsg and 'id' in tsg:
-                    if self.tsg_info_dic['name'] == tsg['name']:
-                        self.tsg_info_dic['id'] = tsg['id']
-                        break
-                else:
-                    self.logger.error('CAhandler._tsg_id_lookup() incomplete response: {0}'.format(tsg))
-        else:
-            self.logger.error('CAhandler._tsg_id_lookup() no target-system-groups found for filter: {0}...'.format(self.tsg_info_dic['name']))
-        self.logger.debug('CAhandler._tsg_id_lookup() ended with: {0}'.format(str(self.tsg_info_dic['id'])))
-
-    def _cert_enroll(self, csr: str, csr_cn: str, csr_san_list: List[str], policylink_id: int) -> Tuple[str, str, str]:
-        """ enroll operation """
-        self.logger.debug('CAhandler._cert_enroll()')
+    def _enroll(self, csr: str, ca_id: int) -> Tuple[str, str, str, str]:
+        """ enroll certificate from NCLM """
+        self.logger.debug('CAhandler._enroll()')
 
         error = None
         cert_bundle = None
         cert_raw = None
+        cert_id = None
 
-        # build_pem_file
-        csr = build_pem_file(self.logger, None, csr, 64, True)
-        csr = b64_encode(self.logger, convert_string_to_byte(csr))
-        data_dic = {'allowDuplicateCn': True, 'request': {'pkcs10': csr}, 'ca': {'selectedId': policylink_id}}
-
-        # add template if correctly configured
-        if 'id' in self.template_info_dic and self.template_info_dic['id']:
-            data_dic['template'] = {'selectedId': self.template_info_dic['id']}
-
-        self._api_post(self.api_host + self.endpoint_dic['tsg'] + str(self.tsg_info_dic['id']) + '/enroll', data_dic)
-        # wait for certificate enrollment to get finished
-        time.sleep(self.wait_interval)
-        cert_id = self._cert_id_lookup(csr_cn, csr_san_list)
-        if cert_id:
-            (error, cert_bundle, cert_raw) = self._cert_bundle_build(cert_id)
+        if ca_id and self.container_info_dic['id']:
+            # enroll operation
+            (error, cert_bundle, cert_raw, cert_id) = self._cert_enroll(csr, ca_id)
         else:
-            error = 'certifcate id lookup failed for:  {0}, {1}'.format(csr_cn, csr_san_list)
-            self.logger.error('CAhandler.eroll(): certifcate id lookup failed for:  {0}, {1}'.format(csr_cn, csr_san_list))
+            error = f'Enrollment aborted. ca: {ca_id}, tsg_id: {self.container_info_dic["id"]}'
+            self.logger.error('CAhandler.eroll(): Enrollment aborted. ca_id: %s, container: %s', ca_id, self.container_info_dic['id'])
 
-        return (error, cert_bundle, cert_raw)
+        self.logger.debug('CAhandler._enroll() ended with: %s', error)
+        return (error, cert_bundle, cert_raw, cert_id)
 
     def enroll(self, csr: str) -> Tuple[str, str, str, str]:
         """ enroll certificate from NCLM """
@@ -660,35 +566,34 @@ def enroll(self, csr: str) -> Tuple[str, str, str, str]:
         cert_bundle = None
         error = None
         cert_raw = None
+        cert_id = None
 
         # recode csr
         csr = b64_url_recode(self.logger, csr)
 
         if not self.error:
-            if self.tsg_info_dic['id']:
+            if self.container_info_dic['id']:
 
                 # templating
-                policylink_id = self._ca_policylink_id_lookup()
-                if policylink_id and self.template_info_dic['name'] and not self.template_info_dic['id']:
-                    self._template_id_lookup()
+                ca_id = self._ca_policylink_id_lookup()
 
-                # get common name of CSR
-                csr_cn = csr_cn_get(self.logger, csr)
-                csr_san_list = csr_san_get(self.logger, csr)
+                if ca_id and self.template_info_dic['name'] and not self.template_info_dic['id']:
+                    self._template_id_lookup(ca_id)
 
-                if policylink_id and self.tsg_info_dic['id']:
-                    # enroll operation
-                    (error, cert_bundle, cert_raw) = self._cert_enroll(csr, csr_cn, csr_san_list, policylink_id)
+                # check for eab profiling and header_info
+                error = eab_profile_header_info_check(self.logger, self, csr, 'profile_id')
+                if not error:
+                    (error, cert_bundle, cert_raw, cert_id) = self._enroll(csr, ca_id)
                 else:
-                    error = 'enrollment aborted. policylink_id: {0}, tsg_id: {1}'.format(policylink_id, self.tsg_info_dic['id'])
-                    self.logger.error('CAhandler.eroll(): enrollment aborted. policylink_id: {0}, tsg_id: {1}'.format(policylink_id, self.tsg_info_dic['id']))
+                    self.logger.error('CAhandler.eroll(): EAB profile lookup failed with error: %s', error)
             else:
-                error = 'CAhandler.eroll(): ID lookup for targetSystemGroup "{0}" failed.'.format(self.tsg_info_dic['name'])
+                error = f'CAhandler.eroll(): ID lookup for container"{self.container_info_dic["name"]}" failed.'
         else:
+            error = self.error
             self.logger.error(self.error)
 
         self.logger.debug('CAhandler.enroll() ended')
-        return (error, cert_bundle, cert_raw, None)
+        return (error, cert_bundle, cert_raw, cert_id)
 
     def poll(self, _cert_name: str, poll_identifier: str, _csr: str) -> Tuple[str, str, str, str, bool]:
         """ poll status of pending CSR and download certificates """
@@ -702,43 +607,32 @@ def poll(self, _cert_name: str, poll_identifier: str, _csr: str) -> Tuple[str, s
         self.logger.debug('CAhandler.poll() ended')
         return (error, cert_bundle, cert_raw, poll_identifier, rejected)
 
-    def revoke(self, cert: str, rev_reason: str, rev_date: str) -> Tuple[int, str, str]:
+    def revoke(self, cert: str, rev_reason: str = 'unspecified', rev_date: str = uts_to_date_utc(uts_now())) -> Tuple[int, str, str]:
         """ revoke certificate """
         self.logger.debug('CAhandler.revoke()')
-        # get serial from pem file and convert to formated hex
-        serial = '0{:x}'.format(cert_serial_get(self.logger, cert))
-        hex_serial = ':'.join(serial[i:i + 2] for i in range(0, len(serial), 2))
-
-        # search for certificate
-        try:
-            cert_list = requests.get(self.api_host + '/certificates?freeText==' + str(hex_serial) + '&stateCurrent=false&stateHistory=false&stateWaiting=false&stateManual=false&stateUnattached=false&expiresAfter=%22%22&expiresBefore=%22%22&sortAttribute=createdAt&sortOrder=desc&containerId=' + str(self.tsg_info_dic['id']), headers=self.headers, verify=self.ca_bundle, proxies=self.proxy, timeout=self.request_timeout).json()
-        except Exception as err_:
-            self.logger.error('CAhandler.revoke(): request get aborted with err: {0}'.format(err_))
-            cert_list = []
 
         err_dic = error_dic_get(self.logger)
-        if 'certificates' in cert_list:
-            try:
-                cert_id = cert_list['certificates'][0]['certificateId']
-                data_dic = {'reason': rev_reason, 'time': rev_date}
-                try:
-                    detail = self._api_post(self.api_host + '/certificates/' + str(cert_id) + '/revocationrequest', data_dic)
-                    code = 200
-                    message = None
-                except Exception as err:
-                    self.logger.error('CAhandler.revoke(): _api_post got aborted with err: {0}'.format(err))
-                    code = 500
-                    message = err_dic['serverinternal']
-                    detail = 'Revocation operation failed'
-            except Exception:
-                code = 404
-                message = err_dic['serverinternal']
-                detail = 'CertificateID could not be found'
-        else:
-            code = 404
-            message = err_dic['serverinternal']
-            detail = 'Cert could not be found'
 
+        code = 500
+        message = err_dic['serverinternal']
+        detail = 'Revocation operation failed'
+
+        # get tracking id as input for revocation call
+        cert_id = self._cert_id_lookup(cert)
+
+        if cert_id:
+            data_dic = {'reason': rev_reason, 'time': rev_date}
+            response = self._api_post(f"{self.api_host}{self.api_version}/certificates/{cert_id}/revoke", data_dic)
+            if 'urls' in response and 'job' in response['urls']:
+                job_id = response['urls']['job'].replace('/v2/jobs/', '')
+            else:
+                job_id = None
+                self.logger.error('CAhandler.revoke(): job_id lookup failed for certificate: %s', cert_id)
+
+        if job_id:
+            (code, message, detail) = self._revocation_status_poll(job_id, err_dic)
+
+        self.logger.debug('CAhandler.revoke() ended with: %s', code)
         return (code, message, detail)
 
     def trigger(self, _payload: str) -> Tuple[str, str, str]:
@@ -749,5 +643,5 @@ def trigger(self, _payload: str) -> Tuple[str, str, str]:
         cert_bundle = None
         cert_raw = None
 
-        self.logger.debug('CAhandler.trigger() ended with error: {0}'.format(error))
+        self.logger.debug('CAhandler.trigger() ended with error: %s', error)
         return (error, cert_bundle, cert_raw)
diff --git a/examples/ca_handler/skeleton_ca_handler.py b/examples/ca_handler/skeleton_ca_handler.py
index f0ab6e1a..b6ad48e6 100644
--- a/examples/ca_handler/skeleton_ca_handler.py
+++ b/examples/ca_handler/skeleton_ca_handler.py
@@ -2,7 +2,7 @@
 """ skeleton for customized CA handler """
 from __future__ import print_function
 from typing import Tuple
-# pylint: disable=C0209, E0401
+# pylint: disable=e0401
 from acme_srv.helper import load_config, header_info_get
 
 
@@ -34,7 +34,7 @@ def _config_load(self):
 
     def _stub_func(self, parameter: str):
         """" load config from file """
-        self.logger.debug('CAhandler._stub_func({0})'.format(parameter))
+        self.logger.debug('CAhandler._stub_func(%s)', parameter)
 
         self.logger.debug('CAhandler._stub_func() ended')
 
@@ -90,5 +90,5 @@ def trigger(self, payload: str) -> Tuple[str, str, str]:
         cert_raw = None
         self._stub_func(payload)
 
-        self.logger.debug('CAhandler.trigger() ended with error: {0}'.format(error))
+        self.logger.debug('CAhandler.trigger() ended with error: %s', error)
         return (error, cert_bundle, cert_raw)
diff --git a/examples/db_handler/django_handler.py b/examples/db_handler/django_handler.py
index d2ba7ff8..95dd41b2 100644
--- a/examples/db_handler/django_handler.py
+++ b/examples/db_handler/django_handler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 """ django handler for acme2certifier """
-# pylint: disable=c0209, c0413, c0415, c0401, e0401, e1123, r0904, w0611
+# pylint: disable=c0413, c0415, c0401, e0401, e1123, r0904, w0611
 from __future__ import print_function
 import os
 import sys
@@ -16,14 +16,16 @@ def initialize():  # nopep8
     import django
     # pylint: disable=E1101
     django.setup()
+    return django.VERSION[0]
 
 
-initialize()
+DJANGO_VERSION = initialize()
 from django.conf import settings  # nopep8
 from django.db import transaction  # nopep8
 from django.db.models import QuerySet  # nopep8
 from acme_srv.models import Account, Authorization, Cahandler, Certificate, Challenge, Cliaccount, Housekeeping, Nonce, Order, Status  # nopep8
-import acme_srv.monkey_patches  # nopep8 lgtm [py/unused-import]
+if DJANGO_VERSION < 4:
+    import acme_srv.monkey_patches  # nopep8 lgtm [py/unused-import]
 
 
 class DBstore(object):
@@ -33,39 +35,39 @@ def __init__(self, _debug: bool = False, logger: object = None):
         """ init """
         self.logger = logger
 
-    def _account_getinstance(self, aname: str) -> QuerySet[Account]:
+    def _account_getinstance(self, aname: str) -> QuerySet:
         """ get account instance """
-        self.logger.debug('DBStore._account_getinstance({0})'.format(aname))
+        self.logger.debug('DBStore._account_getinstance(%s)', aname)
         return Account.objects.get(name=aname)
 
-    def _authorization_getinstance(self, name: str) -> QuerySet[Authorization]:
+    def _authorization_getinstance(self, name: str) -> QuerySet:
         """ get authorization instance """
-        self.logger.debug('DBStore._authorization_getinstance({0})'.format(name))
+        self.logger.debug('DBStore._authorization_getinstance(%s)', name)
         return Authorization.objects.get(name=name)
 
     def _modify_key(self, mkey: str, operant: str) -> str:
         """ quick hack """
-        self.logger.debug('DBStore._modify_key({0}/{1})'.format(mkey, operant))
+        self.logger.debug('DBStore._modify_key(%s/%s)', mkey, operant)
 
         if operant == '<=':
-            mkey = '{0}__lte'.format(mkey)
+            mkey = f'{mkey}__lte'
 
-        self.logger.debug('DBStore._modify_key() ended with: {0}'.format(mkey))
+        self.logger.debug('DBStore._modify_key() ended with: %s', mkey)
         return mkey
 
-    def _order_getinstance(self, value: str = id, mkey: id = 'id') -> QuerySet[Order]:
+    def _order_getinstance(self, value: str = id, mkey: id = 'id') -> QuerySet:
         """ get order instance """
-        self.logger.debug('DBStore._order_getinstance({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore._order_getinstance(%s:%s)', mkey, value)
         return Order.objects.get(**{mkey: value})
 
-    def _status_getinstance(self, value: str, mkey: str = 'id') -> QuerySet[Status]:
+    def _status_getinstance(self, value: str, mkey: str = 'id') -> QuerySet:
         """ get account instance """
-        self.logger.debug('DBStore._status_getinstance({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore._status_getinstance(%s:%s)', mkey, value)
         return Status.objects.get(**{mkey: value})
 
     def account_add(self, data_dic: Dict[str, str]) -> Tuple[str, bool]:
         """ add account in database """
-        self.logger.debug('DBStore.account_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.account_add(%s)', data_dic)
         account_list = self.account_lookup('jwk', data_dic['jwk'])
         if account_list:
             created = False
@@ -78,9 +80,9 @@ def account_add(self, data_dic: Dict[str, str]) -> Tuple[str, bool]:
 
     def account_lookup(self, mkey: str, value: str) -> Dict[str, str]:
         """ search account for a given id """
-        self.logger.debug('DBStore.account_lookup({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.account_lookup(%s:%s)', mkey, value)
         account_dict = Account.objects.filter(**{mkey: value}).values('id', 'jwk', 'name', 'contact', 'alg', 'created_at')[:1]
-        if account_dict:
+        if account_dict.exists():
             result = account_dict[0]
         else:
             result = None
@@ -88,19 +90,19 @@ def account_lookup(self, mkey: str, value: str) -> Dict[str, str]:
 
     def account_delete(self, aname):
         """ add account in database """
-        self.logger.debug('DBStore.account_delete({0})'.format(aname))
+        self.logger.debug('DBStore.account_delete(%s)', aname)
         result = Account.objects.filter(name=aname).delete()
         return result
 
     def account_update(self, data_dic: Dict[str, str]) -> int:
         """ update existing account """
-        self.logger.debug('DBStore.account_update({0})'.format(data_dic))
+        self.logger.debug('DBStore.account_update(%s)', data_dic)
         obj, _created = Account.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
         obj.save()
-        self.logger.debug('acct_id({0})'.format(obj.id))
+        self.logger.debug('acct_id(%s)', obj.id)
         return obj.id
 
-    def accountlist_get(self) -> Tuple[List[str], QuerySet[Account]]:
+    def accountlist_get(self) -> Tuple[List[str], QuerySet]:
         """ accountlist_get """
         self.logger.debug('DBStore.accountlist_get()')
         vlist = [
@@ -116,7 +118,7 @@ def accountlist_get(self) -> Tuple[List[str], QuerySet[Account]]:
 
     def authorization_add(self, data_dic: Dict[str, str]) -> int:
         """ add authorization to database """
-        self.logger.debug('DBStore.authorization_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.authorization_add(%s)', data_dic)
 
         # get some instance for DB insert
         if 'order' in data_dic:
@@ -127,18 +129,18 @@ def authorization_add(self, data_dic: Dict[str, str]) -> int:
         # add authorization
         obj, _created = Authorization.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
         obj.save()
-        self.logger.debug('auth_id({0})'.format(obj.id))
+        self.logger.debug('auth_id(%s)', obj.id)
         return obj.id
 
-    def authorization_lookup(self, mkey: str, value: str, vlist: List[str] = ('type', 'value')) -> QuerySet[Authorization]:
+    def authorization_lookup(self, mkey: str, value: str, vlist: List[str] = ('type', 'value')) -> QuerySet:
         """ search account for a given id """
-        self.logger.debug('authorization_lookup({0}:{1}:{2})'.format(mkey, value, vlist))
+        self.logger.debug('authorization_lookup(%s:%s:%s)', mkey, value, vlist)
         authz_list = Authorization.objects.filter(**{mkey: value}).values(*vlist)[::1]
         return authz_list
 
-    def authorizations_expired_search(self, mkey: str, value: str, vlist: List[str] = ('id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'acccount__contact'), operant: str = 'LIKE') -> QuerySet[Authorization]:
+    def authorizations_expired_search(self, mkey: str, value: str, vlist: List[str] = ('id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'acccount__contact'), operant: str = 'LIKE') -> QuerySet:
         """ search order table for a certain key/value pair """
-        self.logger.debug('DBStore.authorizations_invalid_search(column:{0}, pattern:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.authorizations_invalid_search(column:%s, pattern:%s)', mkey, value)
 
         mkey = self._modify_key(mkey, operant)
 
@@ -147,12 +149,12 @@ def authorizations_expired_search(self, mkey: str, value: str, vlist: List[str]
 
     def authorization_update(self, data_dic: Dict[str, str]) -> int:
         """ update existing authorization """
-        self.logger.debug('DBStore.authorization_update({0})'.format(data_dic))
+        self.logger.debug('DBStore.authorization_update(%s)', data_dic)
         # get some instance for DB insert
         if 'status' in data_dic:
             data_dic['status'] = self._status_getinstance(data_dic['status'], 'name')
 
-        if settings.DATABASES['default']['ENGINE'] == 'django.db.backends.sqlite3':
+        if DJANGO_VERSION < 4 and settings.DATABASES['default']['ENGINE'] == 'django.db.backends.sqlite3':
             self.logger.debug('DBStore.authorization_update(): patching transaction to transform all atomic blocks into immediate transactions')
             with transaction.atomic(immediate=True):
                 # update authorization
@@ -163,12 +165,12 @@ def authorization_update(self, data_dic: Dict[str, str]) -> int:
             obj, _created = Authorization.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
             obj.save()
 
-        self.logger.debug('auth_id({0})'.format(obj.id))
+        self.logger.debug('auth_id(%s)', obj.id)
         return obj.id
 
     def cahandler_add(self, data_dic: Dict[str, str]) -> Tuple[str, bool]:
         """ add cahandler to database """
-        self.logger.debug('DBStore.cahandler_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.cahandler_add(%s)', data_dic)
         cahandler_list = self.cahandler_lookup('name', data_dic['name'])
         if cahandler_list:
             created = False
@@ -181,9 +183,9 @@ def cahandler_add(self, data_dic: Dict[str, str]) -> Tuple[str, bool]:
 
     def cahandler_lookup(self, mkey: str, value: str) -> Dict[str, str]:
         """ search cahandler for a given id """
-        self.logger.debug('DBStore.cahandler_lookup({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.cahandler_lookup(%s:%s)', mkey, value)
         cahandler_dict = Cahandler.objects.filter(**{mkey: value}).values('name', 'value1', 'value2', 'created_at')[:1]
-        if cahandler_dict:
+        if cahandler_dict.exists():
             result = cahandler_dict[0]
         else:
             result = None
@@ -191,7 +193,7 @@ def cahandler_lookup(self, mkey: str, value: str) -> Dict[str, str]:
 
     def challenge_add(self, value: str, mtype: str, data_dic: Dict[str, str]) -> int:
         """ add challenge to database """
-        self.logger.debug('DBStore.challenge_add({0}:{1})'.format(value, mtype))
+        self.logger.debug('DBStore.challenge_add(%s:%s)', value, mtype)
 
         # get order instance for DB insert
         data_dic['authorization'] = self._authorization_getinstance(data_dic['authorization'])
@@ -199,7 +201,7 @@ def challenge_add(self, value: str, mtype: str, data_dic: Dict[str, str]) -> int
         # replace orderstatus with an instance
         data_dic['status'] = self._status_getinstance(data_dic['status'])
 
-        if settings.DATABASES['default']['ENGINE'] == 'django.db.backends.sqlite3':
+        if DJANGO_VERSION < 4 and settings.DATABASES['default']['ENGINE'] == 'django.db.backends.sqlite3':
             self.logger.debug('DBStore.challenge_add(): patching transaction to transform all atomic blocks into immediate transactions')
             with transaction.atomic(immediate=True):
                 obj, _created = Challenge.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
@@ -208,8 +210,8 @@ def challenge_add(self, value: str, mtype: str, data_dic: Dict[str, str]) -> int
             obj, _created = Challenge.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
             obj.save()
 
-        self.logger.debug('cid({0})'.format(obj.id))
-        self.logger.debug('DBStore.challenge_add({0}:{1}:{2})'.format(value, mtype, obj.id))
+        self.logger.debug('cid(%s)', obj.id)
+        self.logger.debug('DBStore.challenge_add(%s:%s:%s)', value, mtype, obj.id)
         return obj.id
 
     def certificate_add(self, data_dic: Dict[str, str]) -> int:
@@ -222,12 +224,12 @@ def certificate_add(self, data_dic: Dict[str, str]) -> int:
         # add certificate/CSR
         obj, _created = Certificate.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
         obj.save()
-        self.logger.debug('DBStore.certificate_add() ended with :{0}'.format(obj.id))
+        self.logger.debug('DBStore.certificate_add() ended with :%s', obj.id)
         return obj.id
 
     def certificate_account_check(self, account_name: str, certificate: str) -> str:
         """ check issuer against certificate """
-        self.logger.debug('DBStore.certificate_account_check({0})'.format(account_name))
+        self.logger.debug('DBStore.certificate_account_check(%s)', account_name)
 
         result = None
         certificate_list = self.certificate_lookup('cert_raw', certificate, ['name', 'order__name', 'order__account__name'])
@@ -241,15 +243,15 @@ def certificate_account_check(self, account_name: str, certificate: str) -> str:
                 # no account name given (message signed with domain key
                 result = certificate_list['order']
 
-        self.logger.debug('DBStore.certificate_account_check() ended with: {0}'.format(result))
+        self.logger.debug('DBStore.certificate_account_check() ended with: %s', result)
         return result
 
-    def certificate_delete(self, mkey: str, value: str) -> QuerySet[Certificate]:
+    def certificate_delete(self, mkey: str, value: str) -> QuerySet:
         """ delete certificate from table """
-        self.logger.debug('DBStore.certificate_delete({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.certificate_delete(%s:%s)', mkey, value)
         Certificate.objects.filter(**{mkey: value}).delete()
 
-    def certificatelist_get(self) -> Tuple[List[str], List[QuerySet[Certificate]]]:
+    def certificatelist_get(self) -> Tuple[List[str], List[QuerySet]]:
         """ certificatelist_get """
         self.logger.debug('DBStore.certificatelist_get()')
         vlist = [
@@ -261,7 +263,7 @@ def certificatelist_get(self) -> Tuple[List[str], List[QuerySet[Certificate]]]:
 
     def certificate_lookup(self, mkey: str, value: str, vlist: List[str] = ('name', 'csr', 'cert', 'order__name')) -> Dict[str, str]:
         """ search certificate based on "something" """
-        self.logger.debug('DBStore.certificate_lookup({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.certificate_lookup(%s:%s)', mkey, value)
         certificate_list = Certificate.objects.filter(**{mkey: value}).values(*vlist)[:1]
         if certificate_list:
             result = certificate_list[0]
@@ -270,18 +272,18 @@ def certificate_lookup(self, mkey: str, value: str, vlist: List[str] = ('name',
                 del result['order__name']
         else:
             result = None
-        self.logger.debug('DBStore.certificate_lookup() ended with: {0}'.format(result))
+        self.logger.debug('DBStore.certificate_lookup() ended with: %s', result)
         return result
 
-    def certificates_search(self, mkey: str, value: str, vlist: List[str] = ('name', 'csr', 'cert', 'order__name'), operator=None) -> QuerySet[Certificate]:
+    def certificates_search(self, mkey: str, value: str, vlist: List[str] = ('name', 'csr', 'cert', 'order__name'), operant=None) -> QuerySet:
         """ search certificate based on "something" """
-        self.logger.debug('DBStore.certificates_search({0}:{1})'.format(mkey, value))
-        mkey = self._modify_key(mkey, operator)
+        self.logger.debug('DBStore.certificates_search(%s:%s)', mkey, value)
+        mkey = self._modify_key(mkey, operant)
         return Certificate.objects.filter(**{mkey: value}).values(*vlist)
 
     def challenge_lookup(self, mkey: str, value: str, vlist: List[str] = ('type', 'token', 'status__name')) -> Dict[str, str]:
         """ search account for a given id """
-        self.logger.debug('DBStore.challenge_lookup({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.challenge_lookup(%s:%s)', mkey, value)
         challenge_list = Challenge.objects.filter(**{mkey: value}).values(*vlist)[:1]
         if challenge_list:
             result = challenge_list[0]
@@ -295,14 +297,14 @@ def challenge_lookup(self, mkey: str, value: str, vlist: List[str] = ('type', 't
             result = None
         return result
 
-    def challenges_search(self, mkey: str, value: str, vlist: List[str] = ('name', 'type', 'cert', 'status__name', 'token')) -> QuerySet[Challenge]:
+    def challenges_search(self, mkey: str, value: str, vlist: List[str] = ('name', 'type', 'cert', 'status__name', 'token')) -> QuerySet:
         """ search challenges based on "something" """
-        self.logger.debug('DBStore.challenges_search({0}:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.challenges_search(%s:%s)', mkey, value)
         return Challenge.objects.filter(**{mkey: value}).values(*vlist)
 
     def challenge_update(self, data_dic: Dict[str, str]):
         """ update challenge """
-        self.logger.debug('challenge_update({0})'.format(data_dic))
+        self.logger.debug('challenge_update(%s)', data_dic)
         # replace orderstatus with an instance
         if 'status' in data_dic:
             data_dic['status'] = self._status_getinstance(data_dic['status'], 'name')
@@ -311,23 +313,23 @@ def challenge_update(self, data_dic: Dict[str, str]):
 
     def cli_jwk_load(self, aname: str) -> Dict[str, str]:
         """ looad account informatino and build jwk key dictionary from cliaccounts teable """
-        self.logger.debug('DBStore.cli_jwk_load({0})'.format(aname))
+        self.logger.debug('DBStore.cli_jwk_load(%s)', aname)
         account_dict = Cliaccount.objects.filter(name=aname).values('jwk')[:1]
         jwk_dict = {}
         if account_dict:
             try:
                 jwk_dict = json.loads(account_dict[0]['jwk'].decode())
             except Exception as _err:
-                self.logger.error('DBStore.cli_jwk_load(): error: {0}'.format(_err))
+                self.logger.error('DBStore.cli_jwk_load(): error: %s', _err)
                 jwk_dict = json.loads(account_dict[0]['jwk'])
         return jwk_dict
 
     def cli_permissions_get(self, aname: str) -> Dict[str, str]:
         """ looad account informations and build jwk key dictionary from cliaccounts teable """
-        self.logger.debug('DBStore.cli_jwk_load({0})'.format(aname))
+        self.logger.debug('DBStore.cli_jwk_load(%s)', aname)
         account_dict = Cliaccount.objects.filter(name=aname).values('reportadmin', 'cliadmin', 'certificateadmin')[:1]
         permissions_dict = {}
-        if account_dict:
+        if account_dict.exists():
             permissions_dict = account_dict[0]
         return permissions_dict
 
@@ -339,12 +341,12 @@ def dbversion_get(self) -> Tuple[Dict[str, str], str]:
             result = version_list[0]
         else:
             result = None
-        self.logger.debug('DBStore.dbversion_get() ended with {0}'.format(result))
+        self.logger.debug('DBStore.dbversion_get() ended with %s', result)
         return (result, 'tools/django_update.py')
 
     def hkparameter_add(self, data_dic: Dict[str, str]):
         """ add housekeeping paramter to database """
-        self.logger.debug('DBStore.hkparameter_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.hkparameter_add(%s)', data_dic)
         obj, _created = Housekeeping.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
         obj.save()
 
@@ -356,12 +358,12 @@ def hkparameter_get(self, parameter: str) -> str:
             result = result_list[0]
         else:
             result = None
-        self.logger.debug('DBStore.hkparameter_get() ended with {0}'.format(result))
+        self.logger.debug('DBStore.hkparameter_get() ended with %s', result)
         return result
 
     def jwk_load(self, aname: str) -> Dict[str, str]:
         """ looad account informatino and build jwk key dictionary """
-        self.logger.debug('DBStore.jwk_load({0})'.format(aname))
+        self.logger.debug('DBStore.jwk_load(%s)', aname)
         account_dict = Account.objects.filter(name=aname).values('jwk', 'alg')[:1]
         jwk_dict = {}
         if account_dict:
@@ -376,7 +378,7 @@ def nonce_add(self, nonce: str) -> int:
         """ check if nonce is in datbase
         in: nonce
         return: rowid """
-        self.logger.debug('DBStore.nonce_add({0})'.format(nonce))
+        self.logger.debug('DBStore.nonce_add(%s)', nonce)
         obj = Nonce(nonce=nonce)
         obj.save()
         return obj.id
@@ -385,19 +387,19 @@ def nonce_check(self, nonce: str) -> bool:
         """ ceck if nonce is in datbase
         in: nonce
         return: true in case nonce exit, otherwise false """
-        self.logger.debug('DBStore.nonce_check({0})'.format(nonce))
+        self.logger.debug('DBStore.nonce_check(%s)', nonce)
         nonce_list = Nonce.objects.filter(nonce=nonce).values('nonce')[:1]
         return bool(nonce_list)
 
     def nonce_delete(self, nonce: str):
         """ delete nonce from datbase
         in: nonce """
-        self.logger.debug('DBStore.nonce_delete({0})'.format(nonce))
+        self.logger.debug('DBStore.nonce_delete(%s)', nonce)
         Nonce.objects.filter(nonce=nonce).delete()
 
     def order_add(self, data_dic: Dict[str, str]) -> int:
         """ add order to database """
-        self.logger.debug('DBStore.order_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.order_add(%s)', data_dic)
         # replace accountid with instance
         data_dic['account'] = self._account_getinstance(data_dic['account'])
 
@@ -405,12 +407,12 @@ def order_add(self, data_dic: Dict[str, str]) -> int:
         data_dic['status'] = self._status_getinstance(data_dic['status'], 'id')
         obj, _created = Order.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
         obj.save()
-        self.logger.debug('order_id({0})'.format(obj.id))
+        self.logger.debug('order_id(%s)', obj.id)
         return obj.id
 
     def order_lookup(self, mkey: str, value: str, vlist: List[str] = ('name', 'notbefore', 'notafter', 'identifiers', 'status__name', 'account__name', 'expires')) -> Dict[str, str]:
         """ search orders for a given ordername """
-        self.logger.debug('order_lookup({0}:{1})'.format(mkey, value))
+        self.logger.debug('order_lookup(%s:%s)', mkey, value)
         order_list = Order.objects.filter(**{mkey: value}).values(*vlist)[:1]
         if order_list:
             result = order_list[0]
@@ -426,15 +428,15 @@ def order_lookup(self, mkey: str, value: str, vlist: List[str] = ('name', 'notbe
 
     def order_update(self, data_dic: Dict[str, str]):
         """ update order """
-        self.logger.debug('order_update({0})'.format(data_dic))
+        self.logger.debug('order_update(%s)', data_dic)
         # replace orderstatus with an instance
         if 'status' in data_dic:
             data_dic['status'] = self._status_getinstance(data_dic['status'], 'name')
         obj, _created = Order.objects.update_or_create(name=data_dic['name'], defaults=data_dic)
         obj.save()
 
-    def orders_invalid_search(self, mkey: str, value: str, vlist: List[str] = ('id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'acccount__contact'), operant='LIKE') -> QuerySet[Order]:
+    def orders_invalid_search(self, mkey: str, value: str, vlist: List[str] = ('id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'acccount__contact'), operant='LIKE') -> QuerySet:
         """ search order table for a certain key/value pair """
-        self.logger.debug('DBStore.orders_search(column:{0}, pattern:{1})'.format(mkey, value))
+        self.logger.debug('DBStore.orders_search(column:%s, pattern:%s)', mkey, value)
         mkey = self._modify_key(mkey, operant)
         return Order.objects.filter(**{mkey: value}, status__id__gt=1).values(*vlist)
diff --git a/examples/db_handler/wsgi_handler.py b/examples/db_handler/wsgi_handler.py
index 53704522..1ef703f8 100644
--- a/examples/db_handler/wsgi_handler.py
+++ b/examples/db_handler/wsgi_handler.py
@@ -1,5 +1,5 @@
+# pylint: disable=c0302, r0904, w0102
 # -*- coding: utf-8 -*-
-# pylint: disable=c0209, c0302, r0904, r0915
 """ wsgi handler for acme2certifier """
 from __future__ import print_function
 import sqlite3
@@ -46,26 +46,27 @@ def __init__(self, debug: bool = False, logger: object = None, db_name: str = No
 
     def _account_search(self, column: str, string: str) -> List[str]:
         """ search account table for a certain key/value pair """
-        self.logger.debug('DBStore._account_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._account_search(column:%s, pattern:%s)', column, string)
         self._db_open()
+        result = None
         try:
-            pre_statement = 'SELECT * from account WHERE {0} LIKE ?'.format(column)
+            pre_statement = f'SELECT * from account WHERE {column} LIKE ?'
             self.cursor.execute(pre_statement, [string])
             result = self.cursor.fetchone()
         except Exception as err:
-            self.logger.error('DBStore._account_search(column:{0}, pattern:{1}) failed with err: {2}'.format(column, string, err))
+            self.logger.error('DBStore._account_search(column:%s, pattern:%s) failed with err: %s', column, string, err)
         self._db_close()
-        self.logger.debug('DBStore._account_search() ended with: {0}'.format(bool(result)))
+        self.logger.debug('DBStore._account_search() ended with: %s', bool(result))
         return result
 
     def _authorization_search(self, column: str, string: str) -> List[str]:
         """ search account table for a certain key/value pair """
-        self.logger.debug('DBStore._authorization_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._authorization_search(column:%s, pattern:%s)', column, string)
         if column == 'name':
             self.logger.debug('rename name to authorization.name')
             column = 'authorization.name'
         self._db_open()
-        pre_statement = '''SELECT
+        pre_statement = f'''SELECT
                             authorization.*,
                             orders.id as orders__id,
                             orders.name as order__name,
@@ -76,34 +77,33 @@ def _authorization_search(self, column: str, string: str) -> List[str]:
                         LEFT JOIN orders on orders.id = authorization.order_id
                         LEFT JOIN status on status.id = authorization.status_id
                         LEFT JOIN account on account.id = orders.account_id
-                        WHERE {0} LIKE ?'''.format(column)
+                        WHERE {column} LIKE ?'''
         try:
             self.cursor.execute(pre_statement, [string])
             result = self.cursor.fetchall()
         except Exception as err:
-            self.logger.error('DBStore._authorization_search(column:{0}, pattern:{1}) failed with err: {2}'.format(column, string, err))
+            self.logger.error('DBStore._authorization_search(column:%s, pattern:%s) failed with err: %s', column, string, err)
         self._db_close()
         self.logger.debug('DBStore._authorization_search() ended')
         return result
 
     def _cahandler_search(self, column: str, string: str) -> List[str]:
         """ search cahandler table for a certain key/value pair """
-        self.logger.debug('DBStore._cahandler_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._cahandler_search(column:%s, pattern:%s)', column, string)
         self._db_open()
-        pre_statement = '''SELECT cahandler.* from cahandler WHERE {0} LIKE ?'''.format(column)
+        pre_statement = f'''SELECT cahandler.* from cahandler WHERE {column} LIKE ?'''
         try:
             self.cursor.execute(pre_statement, [string])
             result = self.cursor.fetchone()
         except Exception as err:
-            self.logger.error('DBStore._cahandler_search(column:{0}, pattern:{1}) failed with err: {2}'.format(column, string, err))
+            self.logger.error('DBStore._cahandler_search(column:%s, pattern:%s) failed with err: %s', column, string, err)
             result = None
         self._db_close()
         self.logger.debug('DBStore._cahandler_search() ended')
         return result
 
     def _certificate_account_check(self, account_name: str, certificate_dic: Dict[str, str], order_dic: Dict[str, str]) -> List[str]:
-        self.logger.debug('DBStore._certificate_account_check({0})'.format(account_name))
-
+        self.logger.debug('DBStore._certificate_account_check(%s)', account_name)
         result = None
         if account_name:
             # if there is an acoount name validate it against the account_name from db-query
@@ -116,13 +116,12 @@ def _certificate_account_check(self, account_name: str, certificate_dic: Dict[st
             # no account name given (message signed with domain key)
             result = certificate_dic['order__name']
             self.logger.debug('message signed with domain key')
-
-        self.logger.debug('DBStore._certificate_account_check() ended with: {0}'.format(result))
+        self.logger.debug('DBStore._certificate_account_check() ended with: %s', result)
         return result
 
     def _certificate_insert(self, data_dic: Dict[str, str]) -> int:
         """ insert certificate """
-        self.logger.debug('_certificate_insert() for {0}'.format(data_dic['name']))
+        self.logger.debug('_certificate_insert() for %s', data_dic['name'])
         # change order name to id but tackle cases where we cannot do this
         try:
             data_dic['order'] = dict_from_row(self._order_search('name', data_dic['order']))['id']
@@ -139,15 +138,14 @@ def _certificate_insert(self, data_dic: Dict[str, str]) -> int:
         else:
             self.cursor.execute('''INSERT INTO Certificate(name, csr, order_id, header_info) VALUES(:name, :csr, :order, :header_info)''', data_dic)
         self._db_close()
-        self.logger.debug('insert new entry for {0}'.format(data_dic['name']))
+        self.logger.debug('insert new entry for %s', data_dic['name'])
 
         rid = self.cursor.lastrowid
-        self.logger.debug('_certificate_insert() ended with: {0}'.format(rid))
+        self.logger.debug('_certificate_insert() ended with: %s', rid)
         return rid
 
     def _certificate_update(self, data_dic: Dict[str, str], exists: Dict[str, str]) -> int:
-        self.logger.debug('_certificate_update() for {0} id:{1}'.format(data_dic['name'], dict_from_row(exists)['id']))
-
+        self.logger.debug('_certificate_update() for %s id:%s', data_dic['name'], dict_from_row(exists)['id'])
         self._db_open()
         if 'error' in data_dic:
             self.cursor.execute('''UPDATE Certificate SET error = :error, poll_identifier = :poll_identifier WHERE name = :name''', data_dic)
@@ -159,42 +157,41 @@ def _certificate_update(self, data_dic: Dict[str, str], exists: Dict[str, str])
             if 'replaced' not in data_dic:
                 data_dic['replaced'] = exists['replaced']
 
-            self.cursor.execute('''UPDATE Certificate SET cert = :cert, cert_raw = :cert_raw, issue_uts = :issue_uts, expire_uts = :expire_uts, renewal_info = :renewal_info, poll_identifier = :poll_identifier, replaced = :replaced, header_info = :header_info WHERE name = :name''', data_dic)
+            self.cursor.execute('''UPDATE Certificate SET cert = :cert, cert_raw = :cert_raw, issue_uts = :issue_uts, expire_uts = :expire_uts, renewal_info = :renewal_info, poll_identifier = :poll_identifier, replaced = :replaced, header_info = :header_info, serial = :serial, aki = :aki WHERE name = :name''', data_dic)
         self._db_close()
         rid = dict_from_row(exists)['id']
-
-        self.logger.debug('_certificate_update() ended with: {0}'.format(rid))
+        self.logger.debug('_certificate_update() ended with: %s', rid)
         return rid
 
     def _certificate_search(self, column: str, string: str) -> Dict[str, str]:
         """ search certificate table for a certain key/value pair """
-        self.logger.debug('DBStore._certificate_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._certificate_search(column:%s, pattern:%s)', column, string)
         self._db_open()
-
         if column != 'order__name':
-            column = 'certificate.{0}'.format(column)
-            self.logger.debug('modified column to {0}'.format(column))
+            column = f'certificate.{column}'
+            self.logger.debug(f'modified column to {column}')
 
-        pre_statement = '''SELECT certificate.*,
+        pre_statement = f'''SELECT certificate.*,
                             orders.id as order__id,
                             orders.name as order__name,
                             orders.status_id as order__status_id,
-                            account.name as order__account__name
+                            account.name as order__account__name,
+                            account.eab_kid as order__account__eab_kid
                             from certificate
                             INNER JOIN orders on orders.id = certificate.order_id
                             INNER JOIN account on account.id = orders.account_id
-                            WHERE {0} LIKE ?'''.format(column)
+                            WHERE {column} LIKE ?'''
         self.cursor.execute(pre_statement, [string])
         result = self.cursor.fetchone()
         self._db_close()
-        self.logger.debug('DBStore._certificate_search() ended with: {0}'.format(bool(result)))
+        self.logger.debug('DBStore._certificate_search() ended with: %s', bool(result))
         return result
 
     def _challenge_search(self, column: str, string: str) -> List[str]:
         """ search challenge table for a certain key/value pair """
-        self.logger.debug('DBStore._challenge_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._challenge_search(column:%s, pattern:%s)', column, string)
         self._db_open()
-        pre_statement = '''
+        pre_statement = f'''
             SELECT
                 challenge.*,
                 status.id as status__id,
@@ -211,29 +208,29 @@ def _challenge_search(self, column: str, string: str) -> List[str]:
             INNER JOIN authorization on authorization.id = challenge.authorization_id
             INNER JOIN orders on orders.id = authorization.order_id
             INNER JOIN account on account.id = orders.account_id
-            WHERE challenge.{0} LIKE ?'''.format(column)
+            WHERE challenge.{column} LIKE ?'''
         try:
             self.cursor.execute(pre_statement, [string])
             result = self.cursor.fetchone()
         except Exception as err:
-            self.logger.error('DBStore._challenge_search(column:{0}, pattern:{1}) failed with err: {2}'.format(column, string, err))
+            self.logger.error('DBStore._challenge_search(column:%s, pattern:%s) failed with err: %s', column, string, err)
         self._db_close()
         self.logger.debug('DBStore._challenge_search() ended')
         return result
 
     def _cliaccount_search(self, column: str, string: str) -> Dict[str, str]:
         """ search account table for a certain key/value pair """
-        self.logger.debug('DBStore._cliaccount_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._cliaccount_search(column:%s, pattern:%s)', column, string)
         self._db_open()
         try:
-            pre_statement = 'SELECT * from cliaccount WHERE {0} LIKE ?'.format(column)
+            pre_statement = f'SELECT * from cliaccount WHERE {column} LIKE ?'
             self.cursor.execute(pre_statement, [string])
             result = self.cursor.fetchone()
         except Exception as err:
-            self.logger.error('DBStore._cliaccount_search(column:{0}, pattern:{1}) failed with err: {2}'.format(column, string, err))
+            self.logger.error('DBStore._cliaccount_search(column:%s, pattern:%s) failed with err: %s', column, string, err)
             result = None
         self._db_close()
-        self.logger.debug('DBStore._account_search() ended with: {0}'.format(bool(result)))
+        self.logger.debug('DBStore._account_search() ended with: %s', bool(result))
         return result
 
     def _db_close(self):
@@ -245,7 +242,7 @@ def _db_close(self):
 
     def _db_create(self):
         """ create the database if dos not exist """
-        self.logger.debug('DBStore._db_create({0})'.format(self.db_name))
+        self.logger.debug('DBStore._db_create(%s)', self.db_name)
         self._db_open()
         # create nonce table
         self.logger.debug('create nonce')
@@ -287,10 +284,10 @@ def _db_create(self):
         ''')
         self.logger.debug('create certificate')
         self.cursor.execute('''
-            CREATE TABLE "certificate" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(15) NOT NULL UNIQUE, "cert" text, "cert_raw" text, "error" text, "order_id" integer NOT NULL REFERENCES "order" ("id"), "csr" text NOT NULL, "poll_identifier" text,  "header_info" text, "created_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL, "renewal_info" text, "issue_uts" integer DEFAULT 0, "expire_uts" integer DEFAULT 0, "replaced" bolean DEFAULT 0)
+            CREATE TABLE "certificate" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(15) NOT NULL UNIQUE, "cert" text, "cert_raw" text, "error" text, "order_id" integer NOT NULL REFERENCES "order" ("id"), "csr" text NOT NULL, "poll_identifier" text,  "header_info" text, "created_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL, "renewal_info" text, "aki" text, "serial" text, "issue_uts" integer DEFAULT 0, "expire_uts" integer DEFAULT 0, "replaced" bolean DEFAULT 0)
         ''')
         self.cursor.execute('''
-            CREATE TABLE "housekeeping" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(15) NOT NULL UNIQUE, "value" text, "modified_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL)
+            CREATE TABLE "housekeeping" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(30) NOT NULL UNIQUE, "value" text, "modified_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL)
         ''')
         self.cursor.execute('''
             CREATE TRIGGER [UpdateLastTime]
@@ -304,7 +301,7 @@ def _db_create(self):
             END
         ''')
 
-        self.cursor.execute('''INSERT OR IGNORE INTO housekeeping (name, value) VALUES ("dbversion", "{0}")'''.format(__dbversion__))
+        self.cursor.execute(f'''INSERT OR IGNORE INTO housekeeping (name, value) VALUES ("dbversion", "{__dbversion__}")''')
         self.cursor.execute('''
             CREATE TABLE "cahandler" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(15) NOT NULL UNIQUE, "value1" text, "value2" text, "created_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL)
         ''')
@@ -313,11 +310,9 @@ def _db_create(self):
 
     def _db_open(self):
         """ opens db and sets cursor """
-        # self.logger.debug('DBStore._db_open()')
         self.dbs = sqlite3.connect(self.db_name)
         self.dbs.row_factory = sqlite3.Row
         self.cursor = self.dbs.cursor()
-        # self.logger.debug('DBStore._db_open() ended')
 
     def _db_update_account(self):
         """ update account table """
@@ -386,6 +381,12 @@ def _db_update_certificate(self):
         if 'header_info' not in certificate_column_list:
             self.logger.info('alter certificate table - add header_info')
             self.cursor.execute('''ALTER TABLE certificate ADD COLUMN header_info text''')
+        if 'aki' not in certificate_column_list:
+            self.logger.info('alter certificate table - add aki')
+            self.cursor.execute('''ALTER TABLE certificate ADD COLUMN aki text''')
+        if 'serial' not in certificate_column_list:
+            self.logger.info('alter certificate table - add serial')
+            self.cursor.execute('''ALTER TABLE certificate ADD COLUMN serial text''')
 
     def _db_update_challenge(self):
         """ alter challenge table """
@@ -420,7 +421,7 @@ def _db_update_housekeeping(self):
         if self.cursor.fetchone()[0] != 1:
             self.logger.info('create housekeeping table and trigger')
             self.cursor.execute('''
-                CREATE TABLE "housekeeping" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(15) NOT NULL UNIQUE, "value" text, "modified_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL)
+                CREATE TABLE "housekeeping" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(30) NOT NULL UNIQUE, "value" text, "modified_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL)
             ''')
             self.cursor.execute('''
                 CREATE TRIGGER [UpdateLastTime]
@@ -433,6 +434,17 @@ def _db_update_housekeeping(self):
                     update housekeeping set modified_at=CURRENT_TIMESTAMP where id=OLD.id;
                 END
             ''')
+        else:
+            self.cursor.execute('''PRAGMA table_info(housekeeping)''')
+            for column in self.cursor.fetchall():
+                if column[1] == 'name' and column[2].lower() == 'varchar(15)':
+                    self.logger.info('alter housekeeping table  - change size of the name field to 30')
+                    self.cursor.execute('''ALTER TABLE housekeeping RENAME TO tmp_hk''')
+                    self.cursor.execute('''
+                        CREATE TABLE "housekeeping" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(30) NOT NULL UNIQUE, "value" text, "modified_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL)
+                    ''')
+                    self.cursor.execute('''INSERT INTO housekeeping(id, name, value, modified_at) SELECT id, name, value, modified_at  FROM tmp_hk''')
+                    self.cursor.execute('''DROP TABLE tmp_hk''')
 
     def _db_update_orders(self):
         """ alter orders table """
@@ -455,7 +467,7 @@ def _db_update_status(self):
         self.logger.debug('DBStore._db_update_status()')
 
         # add additional values to status table
-        pre_statement = 'SELECT * from status WHERE status.{0} LIKE ?'.format('name')
+        pre_statement = 'SELECT * from status WHERE status.name LIKE ?'
         self.cursor.execute(pre_statement, ['deactivated'])
         if not self.cursor.fetchone():
             self.logger.info('adding additional status')
@@ -466,10 +478,10 @@ def _db_update_status(self):
 
     def _order_search(self, column: str, string: str) -> List[str]:
         """ search order table for a certain key/value pair """
-        self.logger.debug('DBStore._order_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._order_search(column:%s, pattern:%s)', column, string)
         self._db_open()
 
-        pre_statement = '''
+        pre_statement = f'''
                     SELECT
                         orders.*,
                         status.name as status__name,
@@ -479,21 +491,21 @@ def _order_search(self, column: str, string: str) -> List[str]:
                     from orders
                     INNER JOIN status on status.id = orders.status_id
                     INNER JOIN account on account.id = orders.account_id
-                    WHERE orders.{0} LIKE ?'''.format(column)
+                    WHERE orders.{column} LIKE ?'''
         try:
             self.cursor.execute(pre_statement, [string])
             result = self.cursor.fetchone()
         except Exception as err:
-            self.logger.error('DBStore._order_search(column:{0}, pattern:{1}) failed with err: {2}'.format(column, string, err))
+            self.logger.error('DBStore._order_search(column:%s, pattern:%s) failed with err: %s', column, string, err)
         self._db_close()
         self.logger.debug('DBStore._order_search() ended')
         return result
 
     def _status_search(self, column: str, string: str) -> Tuple[str, bool]:
         """ search status table for a certain key/value pair """
-        self.logger.debug('DBStore._status_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._status_search(column:%s, pattern:%s)', column, string)
         self._db_open()
-        pre_statement = 'SELECT * from status WHERE status.{0} LIKE ?'.format(column)
+        pre_statement = f'SELECT * from status WHERE status.{column} LIKE ?'
         self.cursor.execute(pre_statement, [string])
         result = self.cursor.fetchone()
         self._db_close()
@@ -502,7 +514,7 @@ def _status_search(self, column: str, string: str) -> Tuple[str, bool]:
 
     def account_add(self, data_dic):
         """ add account in database """
-        self.logger.debug('DBStore.account_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.account_add(%s)', data_dic)
 
         # add eab_kid field if not existing
         if 'eab_kid' not in data_dic:
@@ -516,7 +528,7 @@ def account_add(self, data_dic):
         if bool(exists):
             # update
             aname = exists[1]
-            self.logger.debug('account exists: {0} id: {1}'.format(aname, exists[0]))
+            self.logger.debug('account exists: %s id: %s', aname, exists[0])
             self.cursor.execute('''UPDATE ACCOUNT SET alg = :alg, jwk = :jwk, contact = :contact WHERE jwk = :jwk''', data_dic)
         else:
             # insert
@@ -530,7 +542,7 @@ def account_add(self, data_dic):
 
     def account_delete(self, aname: str) -> bool:
         """ add account in database """
-        self.logger.debug('DBStore.account_delete({0})'.format(aname))
+        self.logger.debug('DBStore.account_delete(%s)', aname)
         self._db_open()
         pre_statement = 'DELETE FROM account WHERE name LIKE ?'
         self.cursor.execute(pre_statement, [aname])
@@ -541,7 +553,7 @@ def account_delete(self, aname: str) -> bool:
 
     def account_lookup(self, column: str, string: str) -> Dict[str, str]:
         """ lookup account table for a certain key/value pair and return id"""
-        self.logger.debug('DBStore.account_lookup(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore.account_lookup(column:%s, pattern:%s)', column, string)
         try:
             result = dict_from_row(self._account_search(column, string))
         except Exception as _err:
@@ -553,7 +565,7 @@ def account_lookup(self, column: str, string: str) -> Dict[str, str]:
 
     def account_update(self, data_dic: Dict[str, str]) -> List[str]:
         """ update existing account """
-        self.logger.debug('DBStore.account_update({0})'.format(data_dic))
+        self.logger.debug('DBStore.account_update(%s)', data_dic)
 
         try:
             lookup = dict_from_row(self._account_search('name', data_dic['name']))
@@ -647,17 +659,17 @@ def accountlist_get(self) -> Tuple[List[str], List[str]]:
 
     def authorization_add(self, data_dic: Dict[str, str]) -> int:
         """ add authorization to database """
-        self.logger.debug('DBStore.authorization_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.authorization_add(%s)', data_dic)
         self._db_open()
         self.cursor.execute('''INSERT INTO authorization(name, order_id, type, value) VALUES(:name, :order, :type, :value)''', data_dic)
         rid = self.cursor.lastrowid
         self._db_close()
-        self.logger.debug('DBStore.authorization_add() ended with: {0}'.format(rid))
+        self.logger.debug('DBStore.authorization_add() ended with: %s', rid)
         return rid
 
     def authorization_lookup(self, column: str, string: str, vlist: List[str] = ('type', 'value')) -> List[str]:
         """ search account for a given id """
-        self.logger.debug('DBStore.authorization_lookup(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore.authorization_lookup(column:%s, pattern:%s)', column, string)
 
         try:
             lookup = self._authorization_search(column, string)
@@ -676,9 +688,9 @@ def authorization_lookup(self, column: str, string: str, vlist: List[str] = ('ty
 
     def authorizations_expired_search(self, column: str, string: str, vlist: List[str] = ('id', 'name', 'expires', 'value', 'created_at', 'token', 'status__id', 'status__name', 'order__id', 'order__name'), operant='LIKE') -> List[str]:
         """ search order table for a certain key/value pair """
-        self.logger.debug('DBStore.authorizations_expired_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore.authorizations_expired_search(column:%s, pattern:%s)', column, string)
         self._db_open()
-        pre_statement = '''SELECT
+        pre_statement = f'''SELECT
                                 authorization.*,
                                 status.name as status__name,
                                 status.id as status__id,
@@ -687,7 +699,7 @@ def authorizations_expired_search(self, column: str, string: str, vlist: List[st
                                 FROM authorization
                             LEFT JOIN status on status.id = authorization.status_id
                             LEFT JOIN orders on orders.id = authorization.order_id
-                            WHERE status__name NOT LIKE 'expired' AND authorization.{0} {1} ?'''.format(column, operant)
+                            WHERE status__name NOT LIKE 'expired' AND authorization.{column} {operant} ?'''
 
         self.cursor.execute(pre_statement, [string])
         rows = self.cursor.fetchall()
@@ -707,7 +719,7 @@ def authorizations_expired_search(self, column: str, string: str, vlist: List[st
 
     def authorization_update(self, data_dic: Dict[str, str]) -> List[str]:
         """ update existing authorization """
-        self.logger.debug('DBStore.authorization_update({0})'.format(data_dic))
+        self.logger.debug('DBStore.authorization_update(%s)', data_dic)
 
         lookup = self._authorization_search('name', data_dic['name'])
         if lookup:
@@ -733,7 +745,7 @@ def authorization_update(self, data_dic: Dict[str, str]) -> List[str]:
 
     def certificate_account_check(self, account_name: str, certificate: str) -> List[str]:
         """ check issuer against certificate """
-        self.logger.debug('DBStore.certificate_account_check({0})'.format(account_name))
+        self.logger.debug('DBStore.certificate_account_check(%s)', account_name)
 
         # search certificate table to get the order-id
         certificate_dic = self.certificate_lookup('cert_raw', certificate, ['name', 'order__name'])
@@ -751,12 +763,12 @@ def certificate_account_check(self, account_name: str, certificate: str) -> List
             else:
                 self.logger.debug('order_dic empty')
 
-        self.logger.debug('DBStore.certificate_account_check() ended with: {0}'.format(result))
+        self.logger.debug('DBStore.certificate_account_check() ended with: %s', result)
         return result
 
     def cahandler_add(self, data_dic: Dict[str, str]) -> int:
         """ add cahandler values to database """
-        self.logger.debug('DBStore.cahandler_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.cahandler_add(%s)', data_dic)
         if 'value2' not in data_dic:
             data_dic['value2'] = ''
 
@@ -765,7 +777,7 @@ def cahandler_add(self, data_dic: Dict[str, str]) -> int:
         self._db_open()
         if bool(exists):
             # update
-            self.logger.debug('parameter existss: {0} id: {1}'.format('name', data_dic['name']))
+            self.logger.debug(f'parameter exists: name id: {data_dic["name"]}')
             self.cursor.execute('''UPDATE CAHANDLER SET name = :name, value1 = :value1, 'value2' = :value2 WHERE name = :name''', data_dic)
             rid = exists['id']
         else:
@@ -774,12 +786,12 @@ def cahandler_add(self, data_dic: Dict[str, str]) -> int:
             rid = self.cursor.lastrowid
 
         self._db_close()
-        self.logger.debug('DBStore.authorization_add() ended with: {0}'.format(rid))
+        self.logger.debug('DBStore.authorization_add() ended with: %s', rid)
         return rid
 
     def cahandler_lookup(self, column: str, string: str, vlist: List[str] = ['name', 'value1', 'value2', 'created_at']) -> Dict[str, str]:
         """ lookup ca handler """
-        self.logger.debug('DBStore.cahandler_lookup(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore.cahandler_lookup(column:%s, pattern:%s)', column, string)
 
         try:
             lookup = dict_from_row(self._cahandler_search(column, string))
@@ -798,13 +810,13 @@ def cahandler_lookup(self, column: str, string: str, vlist: List[str] = ['name',
 
     def cliaccount_add(self, data_dic: Dict[str, str]) -> int:
         """ add cli user """
-        self.logger.debug('DBStore.cliuser_add({0})'.format(data_dic['name']))
+        self.logger.debug('DBStore.cliuser_add(%s)', data_dic['name'])
         exists = self._cliaccount_search('name', data_dic['name'])
 
         rid = None
         self._db_open()
         if bool(exists):
-            self.logger.debug('cliaccount existss: {0} id: {1}'.format('name', data_dic['name']))
+            self.logger.debug('cliaccount exists: name id: %s', data_dic['name'])
             if 'contact' not in data_dic:
                 data_dic['contact'] = exists['contact']
             if 'jwk' not in data_dic:
@@ -815,19 +827,19 @@ def cliaccount_add(self, data_dic: Dict[str, str]) -> int:
             self.cursor.execute('''INSERT INTO cliaccount(name, jwk, contact, reportadmin, cliadmin, certificateadmin) VALUES(:name, :jwk, :contact, :reportadmin, :cliadmin, :certificateadmin)''', data_dic)
             rid = self.cursor.lastrowid
         self._db_close()
-        self.logger.debug('DBStore.cliaccount_add() ended with: {0}'.format(rid))
+        self.logger.debug('DBStore.cliaccount_add() ended with: %s', rid)
         return rid
 
     def cliaccount_delete(self, data_dic: Dict[str, str]):
         """ add cli user """
-        self.logger.debug('DBStore.cliaccount_delete({0})'.format(data_dic['name']))
+        self.logger.debug('DBStore.cliaccount_delete(%s)', data_dic['name'])
         exists = self._cliaccount_search('name', data_dic['name'])
         if exists:
             self._db_open()
             self.cursor.execute('''DELETE FROM cliaccount WHERE name=:name''', data_dic)
             self._db_close()
         else:
-            self.logger.error('DBStore.cliaccount_delete() failed for kid: {0}'.format(data_dic['name']))
+            self.logger.error('DBStore.cliaccount_delete() failed for kid: %s', data_dic['name'])
         self.logger.debug('DBStore.cliaccount_delete() ended')
 
     def cliaccountlist_get(self) -> List[str]:
@@ -857,7 +869,7 @@ def cliaccountlist_get(self) -> List[str]:
 
     def certificate_add(self, data_dic: Dict[str, str]) -> int:
         """ add csr/certificate to database """
-        self.logger.debug('DBStore.certificate_add({0})'.format(data_dic['name']))
+        self.logger.debug('DBStore.certificate_add(%s)', data_dic['name'])
         # check if we alredy have an entry for the key
         exists = self._certificate_search('name', data_dic['name'])
 
@@ -868,19 +880,22 @@ def certificate_add(self, data_dic: Dict[str, str]) -> int:
                 data_dic['renewal_info'] = exists['renewal_info']
             if 'header_info' not in data_dic:
                 data_dic['header_info'] = exists['header_info']
-
+            if 'aki' not in data_dic:
+                data_dic['aki'] = exists['aki']
+            if 'serial' not in data_dic:
+                data_dic['serial'] = exists['serial']
             rid = self._certificate_update(data_dic, exists)
         else:
             rid = self._certificate_insert(data_dic)
 
-        self.logger.debug('DBStore.certificate_add() ended with: {0}'.format(rid))
+        self.logger.debug('DBStore.certificate_add() ended with: %s', rid)
         return rid
 
     def certificate_delete(self, mkey: str, string: str) -> Tuple[List[str], List[str]]:
         """ delete certificate from table """
-        self.logger.debug('DBStore.certificate_delete({0}:{1})'.format(mkey, string))
+        self.logger.debug('DBStore.certificate_delete(%s:%s)', mkey, string)
         self._db_open()
-        pre_statement = '''DELETE from certificate WHERE {0} = ?'''.format(mkey)
+        pre_statement = f'''DELETE from certificate WHERE {mkey} = ?'''
         self.cursor.execute(pre_statement, [string])
         self._db_close()
 
@@ -930,7 +945,7 @@ def certificatelist_get(self) -> Tuple[List[str], List[str]]:
 
     def certificate_lookup(self, column: str, string: str, vlist: List[str] = ('name', 'csr', 'cert', 'order__name')) -> Dict[str, str]:
         """ search certificate based on "something" """
-        self.logger.debug('DBstore.certificate_lookup({0}:{1})'.format(column, string))
+        self.logger.debug('DBstore.certificate_lookup(%s:%s)', column, string)
 
         try:
             lookup = dict_from_row(self._certificate_search(column, string))
@@ -946,19 +961,19 @@ def certificate_lookup(self, column: str, string: str, vlist: List[str] = ('name
         else:
             result = {}
 
-        self.logger.debug('DBStore.certificate_lookup() ended with: {0}'.format(result))
+        self.logger.debug('DBStore.certificate_lookup() ended with: %s', result)
         return result
 
     def certificates_search(self, column: str, string: str, vlist: List[str] = ('name', 'csr', 'cert', 'order__name'), operant='LIKE') -> List[str]:
         """ search certificate table for a certain key/value pair """
-        self.logger.debug('DBStore.certificates_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore.certificates_search(column:%s, pattern:%s)', column, string)
         self._db_open()
 
         if column == 'order__status_id':
             column = 'orders.status_id'
-            self.logger.debug('modified column to {0}'.format(column))
+            self.logger.debug('modified column to %s', column)
 
-        pre_statement = '''SELECT certificate.*,
+        pre_statement = f'''SELECT certificate.*,
                             orders.id as order__id,
                             orders.name as order__name,
                             orders.status_id as order__status_id,
@@ -966,10 +981,9 @@ def certificates_search(self, column: str, string: str, vlist: List[str] = ('nam
                             from certificate
                             INNER JOIN orders on orders.id = certificate.order_id
                             INNER JOIN account on account.id = orders.account_id
-                            WHERE {0} {1} ?'''.format(column, operant)
+                            WHERE {column} {operant} ?'''
         self.cursor.execute(pre_statement, [string])
         rows = self.cursor.fetchall()
-
         cert_list = []
         for row in rows:
             lookup = dict_from_row(row)
@@ -987,10 +1001,10 @@ def certificates_search(self, column: str, string: str, vlist: List[str] = ('nam
 
     def challenges_search(self, column: str, string: str, vlist: List[str] = ('name', 'type', 'status__name', 'token')) -> List[str]:
         """ search challenge table for a certain key/value pair """
-        self.logger.debug('DBStore._challenge_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore._challenge_search(column:%s, pattern:%s)', column, string)
         self._db_open()
 
-        pre_statement = '''
+        pre_statement = f'''
             SELECT
                 challenge.*,
                 status.id as status__id,
@@ -1007,7 +1021,7 @@ def challenges_search(self, column: str, string: str, vlist: List[str] = ('name'
             INNER JOIN authorization on authorization.id = challenge.authorization_id
             INNER JOIN orders on orders.id = authorization.order_id
             INNER JOIN account on account.id = orders.account_id
-            WHERE {0} LIKE ?'''.format(column)
+            WHERE {column} LIKE ?'''
         self.cursor.execute(pre_statement, [string])
         rows = self.cursor.fetchall()
 
@@ -1028,7 +1042,7 @@ def challenges_search(self, column: str, string: str, vlist: List[str] = ('name'
 
     def challenge_add(self, value: str, mtype: str, data_dic: Dict[str, str]) -> int:
         """ add challenge to database """
-        self.logger.debug('DBStore.challenge_add({0}:{1})'.format(value, mtype))
+        self.logger.debug('DBStore.challenge_add(%s:%s)', value, mtype)
         authorization = self.authorization_lookup('name', data_dic['authorization'], ['id'])
 
         if "status" not in data_dic:
@@ -1046,7 +1060,7 @@ def challenge_add(self, value: str, mtype: str, data_dic: Dict[str, str]) -> int
 
     def challenge_lookup(self, column: str, string: str, vlist: List[str] = ('type', 'token', 'status__name')) -> Dict[str, str]:
         """ search account for a given id """
-        self.logger.debug('DBStore.challenge_lookup({0}:{1})'.format(column, string))
+        self.logger.debug('DBStore.challenge_lookup(%s:%s)', column, string)
 
         try:
             lookup = dict_from_row(self._challenge_search(column, string))
@@ -1063,12 +1077,12 @@ def challenge_lookup(self, column: str, string: str, vlist: List[str] = ('type',
                 else:
                     result[ele] = lookup[ele]
 
-        self.logger.debug('DBStore.challenge_lookup() ended with:{0}'.format(result))
+        self.logger.debug('DBStore.challenge_lookup() ended with:%s', result)
         return result
 
     def challenge_update(self, data_dic: Dict[str, str]):
         """ update challenge """
-        self.logger.debug('DBStore.challenge_update({0})'.format(data_dic))
+        self.logger.debug('DBStore.challenge_update(%s)', data_dic)
         lookup = self._challenge_search('name', data_dic['name'])
         lookup = dict_from_row(lookup)
 
@@ -1090,17 +1104,17 @@ def challenge_update(self, data_dic: Dict[str, str]):
 
     def cli_jwk_load(self, aname: str) -> Dict[str, str]:
         """ looad cliaccount information and build jwk key dictionary """
-        self.logger.debug('DBStore.cli_jwk_load({0})'.format(aname))
+        self.logger.debug('DBStore.cli_jwk_load(%s)', aname)
         account_list = self._cliaccount_search('name', aname)
         jwk_dict = {}
         if account_list:
             jwk_dict = json.loads(account_list[2])
-        self.logger.debug('DBStore.jwk_load() ended with: {0}'.format(jwk_dict))
+        self.logger.debug('DBStore.jwk_load() ended with: %s', jwk_dict)
         return jwk_dict
 
     def cli_permissions_get(self, aname: str) -> Dict[str, str]:
         """ looad cliaccount information and build jwk key dictionary """
-        self.logger.debug('DBStore.cli_jwk_load({0})'.format(aname))
+        self.logger.debug('DBStore.cli_jwk_load(%s)', aname)
         account_list = self._cliaccount_search('name', aname)
         account_dic = {}
         if account_list:
@@ -1141,9 +1155,9 @@ def db_update(self):
         self._db_update_cliaccount()
 
         # version update
-        self.logger.info('update dbversion to {0}'.format(__dbversion__))
-        self.cursor.execute('''INSERT OR IGNORE INTO housekeeping (name, value) VALUES ("dbversion", "{0}")'''.format(__dbversion__))
-        self.cursor.execute('''UPDATE housekeeping SET value = "{0}" WHERE name="dbversion"'''.format(__dbversion__))
+        self.logger.info(f'update dbversion to {__dbversion__}')
+        self.cursor.execute(f'''INSERT OR IGNORE INTO housekeeping (name, value) VALUES ("dbversion", "{__dbversion__}")''')
+        self.cursor.execute(f'''UPDATE housekeeping SET value = "{__dbversion__}" WHERE name="dbversion"''')
 
         self._db_close()
         self.logger.debug('DBStore.db_update() ended')
@@ -1152,7 +1166,7 @@ def dbversion_get(self) -> Tuple[List[str], str]:
         """ get db version from housekeeping table """
         self.logger.debug('DBStore.dbversion_get()')
         self._db_open()
-        pre_statement = 'SELECT value from housekeeping WHERE housekeeping.{0} LIKE ?'.format('name')
+        pre_statement = 'SELECT value from housekeeping WHERE housekeeping.name LIKE ?'
         self.cursor.execute(pre_statement, ['dbversion'])
         query = list(self.cursor.fetchone())
         if query:
@@ -1161,7 +1175,7 @@ def dbversion_get(self) -> Tuple[List[str], str]:
             self.logger.error('DBStore.dbversion_get() lookup failed')
             result = None
         self._db_close()
-        self.logger.debug('DBStore.dbversion_get() ended with {0}'.format(result))
+        self.logger.debug('DBStore.dbversion_get() ended with %s', result)
         return (result, 'tools/db_update.py')
 
     def hkparameter_add(self, data_dic: Dict[str, str]) -> Tuple[str, bool]:
@@ -1173,7 +1187,7 @@ def hkparameter_add(self, data_dic: Dict[str, str]) -> Tuple[str, bool]:
         self._db_open()
         if bool(exists):
             # update
-            self.logger.debug('parameter exists: {0}'.format(data_dic['name']))
+            self.logger.debug(f'parameter exists: {data_dic["name"]}')
             self.cursor.execute('''UPDATE HOUSEKEEPING SET name = :name, value = :value WHERE name = :name''', data_dic)
         else:
             # insert
@@ -1188,7 +1202,7 @@ def hkparameter_get(self, parameter: str) -> List[str]:
         """ get parameter from housekeeping table """
         self.logger.debug('DBStore.hkparameter_get()')
         self._db_open()
-        pre_statement = 'SELECT value from housekeeping WHERE housekeeping.{0} LIKE ?'.format('name')
+        pre_statement = 'SELECT value from housekeeping WHERE housekeeping.name LIKE ?'
         self.cursor.execute(pre_statement, [parameter])
         try:
             query = list(self.cursor.fetchone())
@@ -1200,25 +1214,25 @@ def hkparameter_get(self, parameter: str) -> List[str]:
         else:
             result = None
         self._db_close()
-        self.logger.debug('DBStore.hkparameter_get() ended with {0}'.format(result))
+        self.logger.debug('DBStore.hkparameter_get() ended with %s', result)
         return result
 
     def jwk_load(self, aname: str) -> Dict[str, str]:
         """ looad account informatino and build jwk key dictionary """
-        self.logger.debug('DBStore.jwk_load({0})'.format(aname))
+        self.logger.debug('DBStore.jwk_load(%s)', aname)
         account_list = self._account_search('name', aname)
         jwk_dict = {}
         if account_list:
             jwk_dict = json.loads(account_list[3])
             jwk_dict['alg'] = account_list[2]
-        self.logger.debug('DBStore.jwk_load() ended with: {0}'.format(jwk_dict))
+        self.logger.debug('DBStore.jwk_load() ended with: %s', jwk_dict)
         return jwk_dict
 
     def nonce_add(self, nonce: str) -> int:
         """ check if nonce is in datbase
         in: nonce
         return: rowid """
-        self.logger.debug('DBStore.nonce_add({0})'.format(nonce))
+        self.logger.debug('DBStore.nonce_add(%s)', nonce)
         self._db_open()
         self.cursor.execute('''INSERT INTO nonce(nonce) VALUES(:nonce)''', {'nonce': nonce})
         rid = self.cursor.lastrowid
@@ -1230,7 +1244,7 @@ def nonce_check(self, nonce: str) -> bool:
         """ ceck if nonce is in datbase
         in: nonce
         return: true in case nonce exit, otherwise false """
-        self.logger.debug('DBStore.nonce_check({0})'.format(nonce))
+        self.logger.debug('DBStore.nonce_check(%s)', nonce)
         self._db_open()
         self.cursor.execute('''SELECT nonce FROM nonce WHERE nonce=:nonce''', {'nonce': nonce})
         result = bool(self.cursor.fetchone())
@@ -1241,7 +1255,7 @@ def nonce_check(self, nonce: str) -> bool:
     def nonce_delete(self, nonce: str):
         """ delete nonce from datbase
         in: nonce """
-        self.logger.debug('DBStore.nonce_delete({0})'.format(nonce))
+        self.logger.debug('DBStore.nonce_delete(%s)', nonce)
         self._db_open()
         self.cursor.execute('''DELETE FROM nonce WHERE nonce=:nonce''', {'nonce': nonce})
         self._db_close()
@@ -1249,7 +1263,7 @@ def nonce_delete(self, nonce: str):
 
     def order_add(self, data_dic: Dict[str, str]) -> int:
         """ add order to database """
-        self.logger.debug('DBStore.order_add({0})'.format(data_dic))
+        self.logger.debug('DBStore.order_add(%s)', data_dic)
         if 'notbefore' not in data_dic:
             data_dic['notbefore'] = ''
 
@@ -1270,7 +1284,7 @@ def order_add(self, data_dic: Dict[str, str]) -> int:
 
     def order_lookup(self, column: str, string: str, vlist: List[str] = ('notbefore', 'notafter', 'identifiers', 'expires', 'status__name')) -> Dict[str, str]:
         """ search orders for a given ordername """
-        self.logger.debug('order_lookup({0}:{1})'.format(column, string))
+        self.logger.debug('order_lookup(%s:%s)', column, string)
 
         try:
             lookup = dict_from_row(self._order_search(column, string))
@@ -1290,12 +1304,12 @@ def order_lookup(self, column: str, string: str, vlist: List[str] = ('notbefore'
                 else:
                     result[ele] = lookup[ele]
 
-        self.logger.debug('DBStore.order_lookup() ended with: {0}'.format(result))
+        self.logger.debug('DBStore.order_lookup() ended with: %s', result)
         return result
 
     def order_update(self, data_dic: Dict[str, str]):
         """ update order """
-        self.logger.debug('order_update({0})'.format(data_dic))
+        self.logger.debug('order_update(%s)', data_dic)
         if 'status' in data_dic:
             data_dic['status'] = dict_from_row(self._status_search('name', data_dic['status']))['id']
         self._db_open()
@@ -1305,10 +1319,10 @@ def order_update(self, data_dic: Dict[str, str]):
 
     def orders_invalid_search(self, column: str, string: str, vlist: List[str] = ('id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact'), operant='LIKE') -> List[str]:
         """ search order table for a certain key/value pair """
-        self.logger.debug('DBStore.orders_search(column:{0}, pattern:{1})'.format(column, string))
+        self.logger.debug('DBStore.orders_invalid_search(column:%s, pattern:%s)', column, string)
         self._db_open()
 
-        pre_statement = '''SELECT
+        pre_statement = f'''SELECT
                                 orders.*,
                                 status.name as status__name,
                                 status.id as status__id,
@@ -1318,7 +1332,7 @@ def orders_invalid_search(self, column: str, string: str, vlist: List[str] = ('i
                                 FROM orders
                             LEFT JOIN status on status.id = orders.status_id
                             LEFT JOIN account on account.id = orders.account_id
-                            WHERE orders.status_id > 1 AND orders.{0} {1} ?'''.format(column, operant)
+                            WHERE orders.status_id > 1 AND orders.{column} {operant} ?'''
 
         self.cursor.execute(pre_statement, [string])
         rows = self.cursor.fetchall()
@@ -1333,5 +1347,5 @@ def orders_invalid_search(self, column: str, string: str, vlist: List[str] = ('i
             order_list.append(result)
 
         self._db_close()
-        self.logger.debug('DBStore.orders_search() ended')
+        self.logger.debug('DBStore.orders_invalid_search() ended')
         return order_list
diff --git a/examples/django/acme2certifier/urls.py b/examples/django/acme2certifier/urls.py
index a37c1eb6..e5606b5a 100644
--- a/examples/django/acme2certifier/urls.py
+++ b/examples/django/acme2certifier/urls.py
@@ -1,20 +1,5 @@
-"""acme2certifier URL Configuration
-
-The `urlpatterns` list routes URLs to views. For more information please see:
-    https://docs.djangoproject.com/en/1.11/topics/http/urls/
-Examples:
-Function views
-    1. Add an import:  from my_app import views
-    2. Add a URL to urlpatterns:  url(r'^$', views.home, name='home')
-Class-based views
-    1. Add an import:  from other_app.views import Home
-    2. Add a URL to urlpatterns:  url(r'^$', Home.as_view(), name='home')
-Including another URLconf
-    1. Import the include() function: from django.conf.urls import url, include
-    2. Add a URL to urlpatterns:  url(r'^blog/', include('blog.urls'))
-"""
-# pylint: disable=C0330
-from django.conf.urls import include, url
+"""acme2certifier URL Configuration"""
+from django.urls import include, re_path
 from django.contrib import admin
 from acme_srv import views
 from acme_srv.helper import load_config
@@ -24,22 +9,22 @@
 
 # check ifwe need to prefix the url
 if 'Directory' in CONFIG and 'url_prefix' in CONFIG['Directory']:
-    prefix = CONFIG['Directory']['url_prefix'] + '/'
-    if prefix.startswith('/'):
-        prefix = prefix.lstrip('/')
+    PREFIX = CONFIG['Directory']['url_prefix'] + '/'
+    if PREFIX.startswith('/'):
+        PREFIX = PREFIX.lstrip('/')
 else:
-    prefix = ''
+    PREFIX = ''
 
 urlpatterns = [
-    url(r'^admin/', admin.site.urls),
-    url(r'^$', views.directory, name='index'),
-    url(r'^directory$', views.directory, name='directory'),
-    url(r'^{0}get_servername$'.format(prefix), views.servername_get, name='servername_get'),
-    url(r'^{0}trigger$'.format(prefix), views.trigger, name='trigger'),
-    url(r'^{0}housekeeping$'.format(prefix), views.housekeeping, name='housekeeping'),
-    url(r'^{0}acme/'.format(prefix), include('acme_srv.urls'))
+    re_path(r'^admin/', admin.site.urls),
+    re_path(r'^$', views.directory, name='index'),
+    re_path(r'^directory$', views.directory, name='directory'),
+    re_path(rf'^{PREFIX}get_servername$', views.servername_get, name='servername_get'),
+    re_path(rf'^{PREFIX}trigger$', views.trigger, name='trigger'),
+    re_path(rf'^{PREFIX}housekeeping$', views.housekeeping, name='housekeeping'),
+    re_path(rf'^{PREFIX}acme/', include('acme_srv.urls'))
 ]
 
 # check if we need to activate the url pattern for challenge verification
 if 'CAhandler' in CONFIG and 'acme_url' in CONFIG['CAhandler']:
-    urlpatterns.append(url(r'^{0}.well-known/acme-challenge/'.format(prefix), views.acmechallenge_serve, name='acmechallenge_serve'))
+    urlpatterns.append(re_path(rf'^{PREFIX}.well-known/acme-challenge/', views.acmechallenge_serve, name='acmechallenge_serve'))
diff --git a/examples/django/acme_srv/a2c_response.py b/examples/django/acme_srv/a2c_response.py
index 9cca8769..c01cd0da 100644
--- a/examples/django/acme_srv/a2c_response.py
+++ b/examples/django/acme_srv/a2c_response.py
@@ -23,7 +23,7 @@ def __init__(self, data, encoder=DjangoJSONEncoder, safe=True,
             json_dumps_params = {}
 
         if 'status' in kwargs and kwargs['status'] > 201:
-            kwargs.setdefault('content_type', 'problem+json')
+            kwargs.setdefault('content_type', 'application/problem+json')
         else:
             kwargs.setdefault('content_type', 'application/json')
 
diff --git a/examples/django/acme_srv/fixture/status.yaml b/examples/django/acme_srv/fixture/status.yaml
index a669d6ef..d0622951 100644
--- a/examples/django/acme_srv/fixture/status.yaml
+++ b/examples/django/acme_srv/fixture/status.yaml
@@ -34,4 +34,4 @@
     pk: 1
     fields:
         name: dbversion
-        value: 0.23.1
+        value: 0.33.2
diff --git a/examples/django/acme_srv/models.py b/examples/django/acme_srv/models.py
index 22be6d78..6738b15f 100644
--- a/examples/django/acme_srv/models.py
+++ b/examples/django/acme_srv/models.py
@@ -104,6 +104,8 @@ class Certificate(models.Model):
     expire_uts = models.IntegerField(default=0)
     issue_uts = models.IntegerField(default=0)
     renewal_info = models.TextField(null=True, blank=True)  # NOSONAR
+    aki = models.TextField(null=True, blank=True)  # NOSONAR
+    serial = models.TextField(null=True, blank=True)  # NOSONAR
     replaced = models.BooleanField(default=False)
     header_info = models.TextField(null=True, blank=True)  # NOSONAR
     created_at = models.DateTimeField(auto_now_add=True, null=True)  # NOSONAR
@@ -114,7 +116,7 @@ def __unicode__(self):
 
 class Housekeeping(models.Model):
     """ housekeeping """
-    name = models.CharField(max_length=15, unique=True)
+    name = models.CharField(max_length=30, unique=True)
     value = models.CharField(max_length=30, blank=True)
     modified_at = models.DateTimeField('value', auto_now_add=True, null=True)
 
diff --git a/examples/django/acme_srv/tests.py b/examples/django/acme_srv/tests.py
index a83eb721..ed46e7f4 100644
--- a/examples/django/acme_srv/tests.py
+++ b/examples/django/acme_srv/tests.py
@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
+""" tester """
 from __future__ import unicode_literals
 
 # Create your tests here.
diff --git a/examples/django/acme_srv/urls.py b/examples/django/acme_srv/urls.py
index 8e02b36c..2a320d99 100644
--- a/examples/django/acme_srv/urls.py
+++ b/examples/django/acme_srv/urls.py
@@ -1,20 +1,20 @@
 # -*- coding: utf-8 -*-
 """ urls for acme django database """
-from django.conf.urls import url
+from django.urls import re_path
 from acme_srv import views
 
 urlpatterns = [
-    url(r'^acct', views.acct, name='acct'),
-    url(r'^authz', views.authz, name='authz'),
-    url(r'^cert', views.cert, name='cert'),
-    url(r'^chall', views.chall, name='chall'),
-    url(r'^directory$', views.directory, name='directory'),
-    url(r'^newaccount$', views.newaccount, name='newaccount'),
-    url(r'^key-change$', views.acct, name='acct'),
-    url(r'^newnonce$', views.newnonce, name='newnonce'),
-    url(r'^neworders$', views.neworders, name='neworders'),
-    url(r'^order', views.order, name='order'),
-    url(r'^revokecert', views.revokecert, name='revokecert'),
-    url(r'^renewal-info', views.renewalinfo, name='renewalinfo'),
-    url(r'^servername_get$', views.servername_get, name='servername_get'),
+    re_path(r'^acct', views.acct, name='acct'),
+    re_path(r'^authz', views.authz, name='authz'),
+    re_path(r'^cert', views.cert, name='cert'),
+    re_path(r'^chall', views.chall, name='chall'),
+    re_path(r'^directory$', views.directory, name='directory'),
+    re_path(r'^newaccount$', views.newaccount, name='newaccount'),
+    re_path(r'^key-change$', views.acct, name='acct'),
+    re_path(r'^newnonce$', views.newnonce, name='newnonce'),
+    re_path(r'^neworders$', views.neworders, name='neworders'),
+    re_path(r'^order', views.order, name='order'),
+    re_path(r'^revokecert', views.revokecert, name='revokecert'),
+    re_path(r'^renewal-info', views.renewalinfo, name='renewalinfo'),
+    re_path(r'^servername_get$', views.servername_get, name='servername_get'),
 ]
diff --git a/examples/django/acme_srv/views.py b/examples/django/acme_srv/views.py
index 394d3cfd..26317485 100644
--- a/examples/django/acme_srv/views.py
+++ b/examples/django/acme_srv/views.py
@@ -1,5 +1,4 @@
 # -*- coding: utf-8 -*-
-# pylint: disable=C0209, E0611, E0401
 """ acme app main view """
 from __future__ import unicode_literals, print_function
 from django.http import HttpResponse, HttpResponseNotFound
@@ -54,20 +53,15 @@ def pretty_request(request):
         if not header.startswith('HTTP'):
             continue
         header = '-'.join([h.capitalize() for h in header[5:].lower().split('_')])
-        headers += '{}: {}\n'.format(header, value)
+        headers += f'{header}: {value}\n'
 
     return (
-        '{method} HTTP/1.1\n'
-        'Content-Length: {content_length}\n'
-        'Content-Type: {content_type}\n'
-        '{headers}\n\n'
-        '{body}'
-    ).format(
-        method=request.method,
-        content_length=request.META['CONTENT_LENGTH'],
-        content_type=request.META['CONTENT_TYPE'],
-        headers=headers,
-        body=request.body, )
+        f'{request.method} HTTP/1.1\n'
+        f'Content-Length: {request.META["CONTENT_LENGTH"]}\n'
+        f'Content-Type: {request.META["CONTENT_TYPE"]}\n'
+        f'{headers}\n\n'
+        f'{request.body}'
+    )
 
 
 def directory(request):
diff --git a/examples/eab_handler/file_handler.py b/examples/eab_handler/file_handler.py
index 9d9d7c02..f44909b1 100644
--- a/examples/eab_handler/file_handler.py
+++ b/examples/eab_handler/file_handler.py
@@ -2,8 +2,9 @@
 # -*- coding: utf-8 -*-
 """ eab file handler """
 from __future__ import print_function
+from typing import Dict
 import csv
-# pylint: disable=C0209, E0401
+# pylint: disable=E0401
 from acme_srv.helper import load_config
 
 
@@ -33,21 +34,33 @@ def _config_load(self):
 
         self.logger.debug('EABhandler._config_load() ended')
 
-    def mac_key_get(self, kid: str = None) -> str:
-        """ check external account binding """
-        self.logger.debug('EABhandler.mac_key_get({})'.format(kid))
+    def key_file_load(self) -> Dict[str, str]:
+        """ load key_file """
+        self.logger.debug('EABhandler.key_file_load()')
 
-        mac_key = None
-        if self.key_file and kid:
+        data_dic = {}
+        if self.key_file:
             try:
                 with open(self.key_file, mode='r', encoding='utf8') as csv_file:
                     csv_reader = csv.DictReader(csv_file)
                     for row in csv_reader:
-                        if 'eab_kid' in row and 'eab_mac' in row and row['eab_kid'] == kid:
-                            mac_key = row['eab_mac']
-                            break
+                        data_dic[row['eab_kid']] = row['eab_mac']
             except Exception as err:
-                self.logger.error('EABhandler.mac_key_get() error: {0}'.format(err))
+                self.logger.error('EABhandler.key_file_load() error: %s', err)
+
+        self.logger.debug('EABhandler.key_file_load() ended: {%s}', bool(data_dic))
+        return data_dic
 
-        self.logger.debug('EABhandler.mac_key_get() ended with: {0}'.format(bool(mac_key)))
+    def mac_key_get(self, kid: str = None) -> str:
+        """ check external account binding """
+        self.logger.debug('EABhandler.mac_key_get(%s)', kid)
+
+        mac_key = None
+        if self.key_file and kid:
+            data_dic = self.key_file_load()
+            if kid in data_dic:
+                mac_key = data_dic[kid]
+            else:
+                self.logger.error('EABhandler.mac_key_get() error: kid not found')
+        self.logger.debug('EABhandler.mac_key_get() ended with: %s', bool(mac_key))
         return mac_key
diff --git a/examples/eab_handler/json_handler.py b/examples/eab_handler/json_handler.py
index 499d9de1..45c0e078 100644
--- a/examples/eab_handler/json_handler.py
+++ b/examples/eab_handler/json_handler.py
@@ -3,6 +3,7 @@
 """ eab json handler """
 from __future__ import print_function
 import json
+from typing import Dict
 # pylint: disable=C0209, E0401
 from acme_srv.helper import load_config
 
@@ -33,19 +34,29 @@ def _config_load(self):
 
         self.logger.debug('EABhandler._config_load() ended')
 
+    def key_file_load(self) -> Dict[str, str]:
+        """ load key_file """
+        self.logger.debug('EABhandler.key_file_load()')
+
+        data_dic = {}
+        if self.key_file:
+            try:
+                with open(self.key_file, encoding='utf8') as json_file:
+                    data_dic = json.load(json_file)
+            except Exception as err:
+                self.logger.error('EABhandler.key_file_load() error: {0}'.format(err))
+
+        self.logger.debug('EABhandler.key_file_load() ended: {0}'.format(bool(data_dic)))
+        return data_dic
+
     def mac_key_get(self, kid: str = None) -> str:
         """ check external account binding """
         self.logger.debug('EABhandler.mac_key_get({})'.format(kid))
-
         mac_key = None
-        try:
-            if self.key_file and kid:
-                with open(self.key_file, encoding='utf8') as json_file:
-                    data_dic = json.load(json_file)
-                    if kid in data_dic:
-                        mac_key = data_dic[kid]
-        except Exception as err:
-            self.logger.error('EABhandler.mac_key_get() error: {0}'.format(err))
+
+        data_dic = self.key_file_load()
+        if kid and kid in data_dic:
+            mac_key = data_dic[kid]
 
         self.logger.debug('EABhandler.mac_key_get() ended with: {0}'.format(bool(mac_key)))
         return mac_key
diff --git a/examples/eab_handler/key_file.csv b/examples/eab_handler/key_file.csv
index 8c584043..125e093e 100644
--- a/examples/eab_handler/key_file.csv
+++ b/examples/eab_handler/key_file.csv
@@ -1,5 +1,5 @@
 eab_kid,eab_mac
-keyid_00,bWFjXzAw
-keyid_01,bWFjXzAx
-keyid_02,bWFjXzAy
-keyid_03,bWFjXzAz
+keyid_00,V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw
+keyid_01,YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg
+keyid_02,dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
+keyid_03,YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr
diff --git a/examples/eab_handler/key_file.json b/examples/eab_handler/key_file.json
index 4989b504..d91c0a61 100644
--- a/examples/eab_handler/key_file.json
+++ b/examples/eab_handler/key_file.json
@@ -1,6 +1,6 @@
 {
-  "keyid_01": "bWFjXzAw",
-  "keyid_01": "bWFjXzAx",
-  "keyid_02": "bWFjXzAy",
-  "keyid_03": "bWFjXzAz"
+  "keyid_00": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+  "keyid_01": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+  "keyid_02": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+  "keyid_03": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
 }
diff --git a/examples/eab_handler/kid_profile_handler.py b/examples/eab_handler/kid_profile_handler.py
new file mode 100644
index 00000000..0684e668
--- /dev/null
+++ b/examples/eab_handler/kid_profile_handler.py
@@ -0,0 +1,227 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+""" eab json handler """
+from __future__ import print_function
+import yaml
+import json
+import re
+from typing import List, Tuple
+# pylint: disable=C0209, E0401
+from acme_srv.helper import load_config, csr_cn_get, csr_san_get
+
+
+class EABhandler(object):
+    """ EAB file handler """
+
+    def __init__(self, logger: object = None):
+        self.logger = logger
+        self.key_file = None
+
+    def __enter__(self):
+        """ Makes EABhandler a Context Manager """
+        if not self.key_file:
+            self._config_load()
+        return self
+
+    def __exit__(self, *args):
+        """ cose the connection at the end of the context """
+
+    def _config_load(self):
+        """" load config from file """
+        self.logger.debug('EABhandler._config_load()')
+
+        config_dic = load_config(self.logger, 'EABhandler')
+        if 'EABhandler' in config_dic and 'key_file' in config_dic['EABhandler']:
+            self.key_file = config_dic['EABhandler']['key_file']
+
+        self.logger.debug('EABhandler._config_load() ended')
+
+    def _chk_san_lists_get(self, csr: str) -> Tuple[List[str], List[bool]]:
+        """ check lists  """
+        self.logger.debug('EABhandler._chk_san_lists_get()')
+
+        # get sans and build a list
+        _san_list = csr_san_get(self.logger, csr)
+
+        check_list = []
+        san_list = []
+
+        if _san_list:
+            for san in _san_list:
+                try:
+                    # SAN list must be modified/filtered)
+                    (_san_type, san_value) = san.lower().split(':')
+                    san_list.append(san_value)
+                except Exception:
+                    # force check to fail as something went wrong during parsing
+                    check_list.append(False)
+                    self.logger.info('EABhandler._csr_check(): san_list parsing failed at entry: {0}'.format(san))
+
+        self.logger.debug('EABhandler._chk_san_lists_get() ended')
+        return (san_list, check_list)
+
+    def _cn_add(self, csr: str, san_list: List[str]) -> Tuple[List[str], str]:
+        """ add CN if required """
+        self.logger.debug('EABhandler._cn_add()')
+
+        # get common name and attach it to san_list
+        cn_ = csr_cn_get(self.logger, csr)
+
+        if cn_:
+            cn_ = cn_.lower()
+            if cn_ not in san_list:
+                # append cn to san_list
+                self.logger.debug('EABhandler._csr_check(): append cn to san_list')
+                san_list.append(cn_)
+
+        self.logger.debug('EABhandler._cn_add() ended')
+        return san_list
+
+    def _list_regex_check(self, entry: str, list_: List[str]) -> bool:
+        """ check entry against regex """
+        self.logger.debug('EABhandler._list_regex_check()')
+
+        check_result = False
+        for regex in list_:
+            if regex.startswith('*.'):
+                regex = regex.replace('*.', '.')
+            regex_compiled = re.compile(regex)
+            if bool(regex_compiled.search(entry)):
+                # parameter is in set flag accordingly and stop loop
+                check_result = True
+
+        self.logger.debug('EABhandler._list_regex_check() ended with: {0}'.format(check_result))
+        return check_result
+
+    def _wllist_check(self, entry: str, list_: List[str], toggle: bool = False) -> bool:
+        """ check string against list """
+        self.logger.debug('EABhandler._wllist_check({0}:{1})'.format(entry, toggle))
+        self.logger.debug('check against list: {0}'.format(list_))
+
+        # default setting
+        check_result = False
+
+        if entry:
+            if list_:
+                check_result = self._list_regex_check(entry, list_)
+            else:
+                # empty list, flip parameter to make the check successful
+                check_result = True
+
+        if toggle:
+            # toggle result if this is a blocked_domainlist
+            check_result = not check_result
+
+        self.logger.debug('EABhandler._wllist_check() ended with: {0}'.format(check_result))
+        return check_result
+
+    def allowed_domains_check(self, csr: str, domain_list: List[str]) -> str:
+        """ check allowed domains """
+        self.logger.debug('EABhandler.allowed_domains_check()')
+
+        (san_list, check_list) = self._chk_san_lists_get(csr)
+        (san_list) = self._cn_add(csr, san_list)
+
+        # go over the san list and check each entry
+        for san in san_list:
+            check_list.append(self._wllist_check(san, domain_list))
+
+        if check_list:
+            # cover a cornercase with empty checklist (no san, no cn)
+            if False in check_list:
+                result = "Either CN or SANs are not allowed by profile"
+            else:
+                result = False
+
+        self.logger.debug('EABhandler.allowed_domains_check() ended with: %s', result)
+        return result
+
+    def eab_kid_get(self, csr: str) -> str:
+        """ get eab kid  from datbases based on csr"""
+        self.logger.debug('EABhandler.eab_kid_get()')
+        try:
+            # look up eab_kid from database based on csr
+            from acme_srv.db_handler import DBstore  # pylint: disable=c0415
+            dbstore = DBstore(False, self.logger)
+            result_dic = dbstore.certificate_lookup('csr', csr, vlist=['name', 'order__name', 'order__account__name', 'order__account__eab_kid'])
+            if result_dic and 'order__account__eab_kid' in result_dic:
+                eab_kid = result_dic['order__account__eab_kid']
+            else:
+                eab_kid = None
+        except Exception as err:
+            self.logger.error('EABhandler._eab_profile_get() database error: {0}'.format(err))
+            eab_kid = None
+
+        self.logger.debug('EABhandler.eab_kid_get() ended with: %s', eab_kid)
+        return eab_kid
+
+    def eab_profile_get(self, csr: str) -> str:
+        """ get eab profile """
+        self.logger.debug('EABhandler._eab_profile_get()')
+
+        # load profiles from key_file
+        profiles_dic = self.key_file_load()
+
+        # get eab_kid from database
+        eab_kid = self.eab_kid_get(csr)
+
+        # get profile from profiles_dic
+        if profiles_dic and eab_kid and eab_kid in profiles_dic and 'cahandler' in profiles_dic[eab_kid]:
+            profile_dic = profiles_dic[eab_kid]['cahandler']
+        else:
+            profile_dic = {}
+
+        self.logger.debug('EABhandler._eab_profile_get() ended with: %s', bool(profile_dic))
+        return profile_dic
+
+    def keyfile_content_load(self, key_file_content) -> dict:
+        """ load profiles from key_file """
+        self.logger.debug('EABhandler.keyfile_content_load()')
+
+        try:
+            profiles_dic = json.loads(key_file_content)
+        except Exception as err:
+            self.logger.error('EABhandler.keyfile_content_load(): error: {0}'.format(err))
+            try:
+                profiles_dic = yaml.safe_load(key_file_content)
+            except Exception as err:
+                self.logger.error('EABhandler.keyfile_content_load(): error: {0}'.format(err))
+                profiles_dic = {}
+
+        self.logger.debug('EABhandler.keyfile_content_load() ended with %s', bool(profiles_dic))
+        return profiles_dic
+
+    def key_file_load(self):
+        """ load profiles from key_file """
+        self.logger.debug('EABhandler.key_file_load()')
+
+        if self.key_file:
+            try:
+                with open(self.key_file, encoding='utf8') as key_file_content:
+                    profiles_dic = self.keyfile_content_load(key_file_content.read())
+            except Exception as err:
+                self.logger.error('EABhandler.key_file_load() error: {0}'.format(err))
+                profiles_dic = {}
+        else:
+            self.logger.error('EABhandler.key_file_load() no key_file specified')
+            profiles_dic = {}
+
+        self.logger.debug('EABhandler.key_file_load() ended with %s', bool(profiles_dic))
+        return profiles_dic
+
+    def mac_key_get(self, kid: str = None) -> str:
+        """ check external account binding """
+        self.logger.debug('EABhandler.mac_key_get({})'.format(kid))
+
+        mac_key = None
+        try:
+            if self.key_file and kid:
+                with open(self.key_file, encoding='utf8') as key_file_content:
+                    data_dic = self.keyfile_content_load(key_file_content.read())
+                    if kid in data_dic and 'hmac' in data_dic[kid]:
+                        mac_key = data_dic[kid]['hmac']
+        except Exception as err:
+            self.logger.error('EABhandler.mac_key_get() error: {0}'.format(err))
+
+        self.logger.debug('EABhandler.mac_key_get() ended with: {0}'.format(bool(mac_key)))
+        return mac_key
diff --git a/examples/eab_handler/kid_profiles.json b/examples/eab_handler/kid_profiles.json
new file mode 100644
index 00000000..f2fff84f
--- /dev/null
+++ b/examples/eab_handler/kid_profiles.json
@@ -0,0 +1,31 @@
+{
+  "keyid_00": {
+    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+    "cahandler": {
+      "profile_id": ["profile_1", "profile_2", "profile_3"],
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.example.net"],
+      "ca_name": "example_ca",
+      "api_user": "api_user",
+      "api_password": "api_password"
+    }
+  },
+  "keyid_01": {
+    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+    "cahandler": {
+      "profile_id": "profile_2",
+      "allowed_domainlist": ["www.example.com", "www.example.org", "*.example.net"],
+      "ca_name": "example_ca_2",
+      "api_user": "api_user_2",
+      "api_password": "api_password_2"
+    }
+  },
+  "keyid_02": {
+    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+    "cahandler": {
+      "allowed_domainlist": ["www.example.com", "www.example.org"]
+    }
+  },
+  "keyid_03": {
+    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+  }
+}
diff --git a/examples/eab_handler/kid_profiles.yml b/examples/eab_handler/kid_profiles.yml
new file mode 100644
index 00000000..f53812e9
--- /dev/null
+++ b/examples/eab_handler/kid_profiles.yml
@@ -0,0 +1,34 @@
+---
+keyid_00:
+  hmac: V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw
+  cahandler:
+    profile_id:
+    - profile_1
+    - profile_2
+    - profile_3
+    allowed_domainlist:
+    - www.example.com
+    - www.example.org
+    - "*.example.net"
+    ca_name: example_ca
+    api_user: api_user
+    api_password: api_password
+keyid_01:
+  hmac: YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg
+  cahandler:
+    profile_id: profile_2
+    allowed_domainlist:
+    - www.example.com
+    - www.example.org
+    - "*.example.net"
+    ca_name: example_ca_2
+    api_user: api_user_2
+    api_password: api_password_2
+keyid_02:
+  hmac: dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
+  cahandler:
+    allowed_domainlist:
+    - www.example.com
+    - www.example.org
+keyid_03:
+  hmac: YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr
\ No newline at end of file
diff --git a/examples/eab_handler/skeleton_eab_handler.py b/examples/eab_handler/skeleton_eab_handler.py
index 44d5bc31..94041b67 100644
--- a/examples/eab_handler/skeleton_eab_handler.py
+++ b/examples/eab_handler/skeleton_eab_handler.py
@@ -34,7 +34,7 @@ def _config_load(self):
 
     def mac_key_get(self, kid: str = None) -> str:
         """ check external account binding """
-        self.logger.debug('EABhandler.mac_key_get({})'.format(kid))
+        self.logger.debug('EABhandler.mac_key_get(%s)', kid)
         mac_key = 'mac_key'
 
         return mac_key
diff --git a/examples/ejbca/certprofile_acmeca-673448746.xml b/examples/ejbca/certprofile_acmeca1-673448746.xml
similarity index 95%
rename from examples/ejbca/certprofile_acmeca-673448746.xml
rename to examples/ejbca/certprofile_acmeca1-673448746.xml
index 9061e9e4..da3ff314 100644
--- a/examples/ejbca/certprofile_acmeca-673448746.xml
+++ b/examples/ejbca/certprofile_acmeca1-673448746.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<java version="11.0.17" class="java.beans.XMLDecoder">
+<java version="11.0.23" class="java.beans.XMLDecoder">
  <object class="java.util.LinkedHashMap">
   <void method="put">
    <string>version</string>
-   <float>49.0</float>
+   <float>52.0</float>
   </void>
   <void method="put">
    <string>type</string>
@@ -719,5 +719,33 @@
    <string>usecustomdnorderldap</string>
    <boolean>false</boolean>
   </void>
+  <void method="put">
+   <string>allowexpiredvalidityenddate</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>numofreqapprovals</string>
+   <int>1</int>
+  </void>
+  <void method="put">
+   <string>approvalsettings</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>approvalProfile</string>
+   <int>-1</int>
+  </void>
+  <void method="put">
+   <string>usetruncatedsubjectkeyidentifier</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usevalidityassuredshortterm</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>validityassuredshorttermcritical</string>
+   <boolean>false</boolean>
+  </void>
  </object>
 </java>
diff --git a/examples/ejbca/certprofile_acmeca2-83252423.xml b/examples/ejbca/certprofile_acmeca2-83252423.xml
new file mode 100644
index 00000000..b442ef51
--- /dev/null
+++ b/examples/ejbca/certprofile_acmeca2-83252423.xml
@@ -0,0 +1,755 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<java version="11.0.23" class="java.beans.XMLDecoder">
+ <object class="java.util.LinkedHashMap">
+  <void method="put">
+   <string>version</string>
+   <float>52.0</float>
+  </void>
+  <void method="put">
+   <string>type</string>
+   <int>1</int>
+  </void>
+  <void method="put">
+   <string>certversion</string>
+   <string>X509v3</string>
+  </void>
+  <void method="put">
+   <string>encodedvalidity</string>
+   <string>2y</string>
+  </void>
+  <void method="put">
+   <string>usecertificatevalidityoffset</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>certificatevalidityoffset</string>
+   <string>-10m</string>
+  </void>
+  <void method="put">
+   <string>useexpirationrestrictionforweekdays</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>expirationrestrictionforweekdaysbefore</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>expirationrestrictionweekdays</string>
+   <object class="java.util.ArrayList">
+    <void method="add">
+     <boolean>true</boolean>
+    </void>
+    <void method="add">
+     <boolean>true</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>true</boolean>
+    </void>
+    <void method="add">
+     <boolean>true</boolean>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>allowvalidityoverride</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>description</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>allowextensionoverride</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>allowdnoverride</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>allowdnoverridebyeei</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>allowbackdatedrevokation</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usecertificatestorage</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>storecertificatedata</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>storesubjectaltname</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>usebasicconstrants</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>basicconstraintscritical</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>usesubjectkeyidentifier</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>subjectkeyidentifiercritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useauthoritykeyidentifier</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>authoritykeyidentifiercritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usesubjectalternativename</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>subjectalternativenamecritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useissueralternativename</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>issueralternativenamecritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usecrldistributionpoint</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usedefaultcrldistributionpoint</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>crldistributionpointcritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>crldistributionpointuri</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>usefreshestcrl</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usecadefinedfreshestcrl</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>freshestcrluri</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>crlissuer</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>usecertificatepolicies</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>certificatepoliciescritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>certificatepolicies</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>availablekeyalgorithms</string>
+   <object class="java.util.ArrayList">
+    <void method="add">
+     <string>DSA</string>
+    </void>
+    <void method="add">
+     <string>ECDSA</string>
+    </void>
+    <void method="add">
+     <string>RSA</string>
+    </void>
+    <void method="add">
+     <string>Ed25519</string>
+    </void>
+    <void method="add">
+     <string>Ed448</string>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>availableeccurves</string>
+   <object class="java.util.ArrayList">
+    <void method="add">
+     <string>ANY_EC_CURVE</string>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>availablebitlengths</string>
+   <object class="java.util.ArrayList">
+    <void method="add">
+     <int>0</int>
+    </void>
+    <void method="add">
+     <int>110</int>
+    </void>
+    <void method="add">
+     <int>112</int>
+    </void>
+    <void method="add">
+     <int>113</int>
+    </void>
+    <void method="add">
+     <int>126</int>
+    </void>
+    <void method="add">
+     <int>128</int>
+    </void>
+    <void method="add">
+     <int>131</int>
+    </void>
+    <void method="add">
+     <int>160</int>
+    </void>
+    <void method="add">
+     <int>161</int>
+    </void>
+    <void method="add">
+     <int>162</int>
+    </void>
+    <void method="add">
+     <int>163</int>
+    </void>
+    <void method="add">
+     <int>167</int>
+    </void>
+    <void method="add">
+     <int>173</int>
+    </void>
+    <void method="add">
+     <int>179</int>
+    </void>
+    <void method="add">
+     <int>189</int>
+    </void>
+    <void method="add">
+     <int>190</int>
+    </void>
+    <void method="add">
+     <int>191</int>
+    </void>
+    <void method="add">
+     <int>192</int>
+    </void>
+    <void method="add">
+     <int>193</int>
+    </void>
+    <void method="add">
+     <int>224</int>
+    </void>
+    <void method="add">
+     <int>225</int>
+    </void>
+    <void method="add">
+     <int>232</int>
+    </void>
+    <void method="add">
+     <int>233</int>
+    </void>
+    <void method="add">
+     <int>236</int>
+    </void>
+    <void method="add">
+     <int>237</int>
+    </void>
+    <void method="add">
+     <int>238</int>
+    </void>
+    <void method="add">
+     <int>239</int>
+    </void>
+    <void method="add">
+     <int>256</int>
+    </void>
+    <void method="add">
+     <int>257</int>
+    </void>
+    <void method="add">
+     <int>281</int>
+    </void>
+    <void method="add">
+     <int>282</int>
+    </void>
+    <void method="add">
+     <int>289</int>
+    </void>
+    <void method="add">
+     <int>307</int>
+    </void>
+    <void method="add">
+     <int>320</int>
+    </void>
+    <void method="add">
+     <int>353</int>
+    </void>
+    <void method="add">
+     <int>367</int>
+    </void>
+    <void method="add">
+     <int>384</int>
+    </void>
+    <void method="add">
+     <int>407</int>
+    </void>
+    <void method="add">
+     <int>409</int>
+    </void>
+    <void method="add">
+     <int>418</int>
+    </void>
+    <void method="add">
+     <int>431</int>
+    </void>
+    <void method="add">
+     <int>512</int>
+    </void>
+    <void method="add">
+     <int>521</int>
+    </void>
+    <void method="add">
+     <int>570</int>
+    </void>
+    <void method="add">
+     <int>1024</int>
+    </void>
+    <void method="add">
+     <int>1536</int>
+    </void>
+    <void method="add">
+     <int>2048</int>
+    </void>
+    <void method="add">
+     <int>3072</int>
+    </void>
+    <void method="add">
+     <int>4096</int>
+    </void>
+    <void method="add">
+     <int>6144</int>
+    </void>
+    <void method="add">
+     <int>8192</int>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>minimumavailablebitlength</string>
+   <int>0</int>
+  </void>
+  <void method="put">
+   <string>maximumavailablebitlength</string>
+   <int>8192</int>
+  </void>
+  <void method="put">
+   <string>signaturealgorithm</string>
+   <null/>
+  </void>
+  <void method="put">
+   <string>usekeyusage</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>keyusage</string>
+   <object class="java.util.ArrayList">
+    <void method="add">
+     <boolean>true</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>true</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+    <void method="add">
+     <boolean>false</boolean>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>allowkeyusageoverride</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>keyusagecritical</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>useextendedkeyusage</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>extendedkeyusage</string>
+   <object class="java.util.ArrayList">
+    <void method="add">
+     <string>1.3.6.1.5.5.7.3.2</string>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>extendedkeyusagecritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usedocumenttypelist</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>documenttypelistcritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>documenttypelist</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>availablecas</string>
+   <object class="java.util.ArrayList">
+    <void method="add">
+     <int>-1</int>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>usedpublishers</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>useocspnocheck</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useldapdnorder</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>usecustomdnorder</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usemicrosofttemplate</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>microsofttemplate</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>usemsobjectsidextension</string>
+   <boolean>true</boolean>
+  </void>
+  <void method="put">
+   <string>usecardnumber</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usecnpostfix</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>cnpostfix</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>usesubjectdnsubset</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>subjectdnsubset</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>usesubjectaltnamesubset</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>subjectaltnamesubset</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>usepathlengthconstraint</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>pathlengthconstraint</string>
+   <int>0</int>
+  </void>
+  <void method="put">
+   <string>useqcstatement</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usepkixqcsyntaxv2</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useqcstatementcritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useqcstatementraname</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>useqcsematicsid</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>useqcetsiqccompliance</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useqcetsisignaturedevice</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useqcetsivaluelimit</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>qcetsivaluelimit</string>
+   <int>0</int>
+  </void>
+  <void method="put">
+   <string>qcetsivaluelimitexp</string>
+   <int>0</int>
+  </void>
+  <void method="put">
+   <string>qcetsivaluelimitcurrency</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>useqcetsiretentionperiod</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>qcetsiretentionperiod</string>
+   <int>0</int>
+  </void>
+  <void method="put">
+   <string>useqccountries</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>qccountriestring</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>useqccustomstring</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>qccustomstringoid</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>qccustomstringtext</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>qcetsipds</string>
+   <null/>
+  </void>
+  <void method="put">
+   <string>qcetsitype</string>
+   <null/>
+  </void>
+  <void method="put">
+   <string>usecertificatetransparencyincerts</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usecertificatetransparencyinocsp</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usecertificatetransparencyinpublisher</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usesubjectdirattributes</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usenameconstraints</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useauthorityinformationaccess</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>caissuers</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>usedefaultcaissuer</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usedefaultocspservicelocator</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>ocspservicelocatoruri</string>
+   <string></string>
+  </void>
+  <void method="put">
+   <string>cvcaccessrights</string>
+   <int>3</int>
+  </void>
+  <void method="put">
+   <string>usedcertificateextensions</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>approvals</string>
+   <object class="java.util.LinkedHashMap">
+    <void method="put">
+     <object class="java.lang.Enum" method="valueOf">
+      <class>org.cesecore.certificates.ca.ApprovalRequestType</class>
+      <string>KEYRECOVER</string>
+     </object>
+     <int>-1</int>
+    </void>
+    <void method="put">
+     <object class="java.lang.Enum" method="valueOf">
+      <class>org.cesecore.certificates.ca.ApprovalRequestType</class>
+      <string>ADDEDITENDENTITY</string>
+     </object>
+     <int>-1</int>
+    </void>
+    <void method="put">
+     <object class="java.lang.Enum" method="valueOf">
+      <class>org.cesecore.certificates.ca.ApprovalRequestType</class>
+      <string>REVOCATION</string>
+     </object>
+     <int>-1</int>
+    </void>
+   </object>
+  </void>
+  <void method="put">
+   <string>useprivkeyusageperiodnotbefore</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useprivkeyusageperiod</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>useprivkeyusageperiodnotafter</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>privkeyusageperiodstartoffset</string>
+   <long>0</long>
+  </void>
+  <void method="put">
+   <string>privkeyusageperiodlength</string>
+   <long>63072000</long>
+  </void>
+  <void method="put">
+   <string>usesingleactivecertificateconstraint</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>overridableextensionoids</string>
+   <object class="java.util.LinkedHashSet"/>
+  </void>
+  <void method="put">
+   <string>nonoverridableextensionoids</string>
+   <object class="java.util.LinkedHashSet"/>
+  </void>
+  <void method="put">
+   <string>eabnamespaces</string>
+   <object class="java.util.LinkedHashSet"/>
+  </void>
+  <void method="put">
+   <string>usecabforganizationidentifier</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usecustomdnorderldap</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>allowexpiredvalidityenddate</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>numofreqapprovals</string>
+   <int>1</int>
+  </void>
+  <void method="put">
+   <string>approvalsettings</string>
+   <object class="java.util.ArrayList"/>
+  </void>
+  <void method="put">
+   <string>approvalProfile</string>
+   <int>-1</int>
+  </void>
+  <void method="put">
+   <string>usetruncatedsubjectkeyidentifier</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>usevalidityassuredshortterm</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>validityassuredshorttermcritical</string>
+   <boolean>false</boolean>
+  </void>
+  <void method="put">
+   <string>keyusageforbidencyrptionusageforecc</string>
+   <boolean>false</boolean>
+  </void>
+ </object>
+</java>
diff --git a/examples/ejbca/entityprofile_acmeca-1535885215.xml b/examples/ejbca/entityprofile_acmeca-1535885215.xml
index bf437967..4945a840 100644
--- a/examples/ejbca/entityprofile_acmeca-1535885215.xml
+++ b/examples/ejbca/entityprofile_acmeca-1535885215.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<java version="11.0.17" class="java.beans.XMLDecoder">
+<java version="11.0.23" class="java.beans.XMLDecoder">
  <object class="java.util.LinkedHashMap">
   <void method="put">
    <string>version</string>
-   <float>17.0</float>
+   <float>18.0</float>
   </void>
   <void method="put">
    <string>NUMBERARRAY</string>
@@ -475,7 +475,7 @@
   </void>
   <void method="put">
    <int>30</int>
-   <string>673448746</string>
+   <string>673448746;83252423</string>
   </void>
   <void method="put">
    <int>2000030</int>
@@ -1049,5 +1049,9 @@
    <int>5000518</int>
    <boolean>false</boolean>
   </void>
+  <void method="put">
+   <string>REDACTPII</string>
+   <boolean>false</boolean>
+  </void>
  </object>
 </java>
diff --git a/examples/hooks/exception_test_hooks.py b/examples/hooks/exception_test_hooks.py
index b20638f7..92b6230a 100644
--- a/examples/hooks/exception_test_hooks.py
+++ b/examples/hooks/exception_test_hooks.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# pylint: disable=c0209, e0401, r0913, w0613
+# pylint: disable=e0401, r0913, w0613
 """ exception hook class for testing only """
 from acme_srv.helper import load_config
 
@@ -33,18 +33,18 @@ def _config_load(self):
 
     def pre_hook(self, certificate_name, order_name, _csr) -> None:
         """ run before obtaining any certificates """
-        self.logger.debug('Hook.pre_hook({0}/{1})'.format(certificate_name, order_name))
+        self.logger.debug('Hook.pre_hook(%s/%s)', certificate_name, order_name)
         if self.raise_pre_hook_exception:
             raise SystemError('raise_pre_hook_exception')
 
     def post_hook(self, certificate_name, order_name, _csr, _error) -> None:
         """ run after *attempting* to obtain/renew certificates """
-        self.logger.debug('Hook.post_hook({0}/{1})'.format(certificate_name, order_name))
+        self.logger.debug('Hook.post_hook(%s/%s)', certificate_name, order_name)
         if self.raise_post_hook_exception:
             raise SystemError('raise_post_hook_exception')
 
     def success_hook(self, certificate_name, order_name, _csr, _certificate, _certificate_raw, _poll_identifier) -> None:
         """ run after each successful certificate enrollment/renewal """
-        self.logger.debug('Hook.success_hook({0}/{1})'.format(certificate_name, order_name))
+        self.logger.debug('Hook.success_hook(%s/%s)', certificate_name, order_name)
         if self.raise_success_hook_exception:
             raise SystemError('raise_success_hook_exception')
diff --git a/examples/hooks/skeleton_hooks.py b/examples/hooks/skeleton_hooks.py
index e05e81f1..1b8000a6 100644
--- a/examples/hooks/skeleton_hooks.py
+++ b/examples/hooks/skeleton_hooks.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# pylint: disable=c0209, r0913, w0613
+# pylint: disable=r0913, w0613
 """ example hook class """
 
 
diff --git a/examples/install_scripts/a2c-centos9-nginx.sh b/examples/install_scripts/a2c-centos9-nginx.sh
index fff3db8c..3f1aef80 100644
--- a/examples/install_scripts/a2c-centos9-nginx.sh
+++ b/examples/install_scripts/a2c-centos9-nginx.sh
@@ -10,7 +10,7 @@ echo "## Installing missing packages"
 sudo yum install -y epel-release
 sudo yum update -y
 
-sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils
+sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils krb5-libs krb5-devel gcc python3-devel
 
 # 2. create directory
 sudo mkdir /opt/acme2certifier
@@ -58,6 +58,12 @@ sudo systemctl start uwsgi
 # 19 - 20 configure nginxinsta
 echo "## Configure and enable nginx services"
 sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d/nginx_acme_srv.conf
+sudo cp examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.d/nginx_acme_srv_ssl.conf
+echo "## Add keyfile and certificate"
+sudo mkdir -p /var/www/acme2certifier/volume/
+sudo cp .github/acme2certifier_cert.pem /var/www/acme2certifier/volume/
+sudo cp .github/acme2certifier_key.pem /var/www/acme2certifier/volume/
+
 sudo systemctl enable nginx.service
 sudo systemctl restart nginx
 sudo systemctl status nginx.service
diff --git a/examples/install_scripts/a2c-ubuntu22-apache2.sh b/examples/install_scripts/a2c-ubuntu22-apache2.sh
index 6a2ab7ef..20fdbb1c 100644
--- a/examples/install_scripts/a2c-ubuntu22-apache2.sh
+++ b/examples/install_scripts/a2c-ubuntu22-apache2.sh
@@ -6,22 +6,31 @@
 #   - execute this script with "sh ./examples/install_scripts/a2c-ubuntu22-apache2.sh"
 
 # 1 install needed packages
-sudo apt-get install -y apache2 libapache2-mod-wsgi-py3 python3-pip apache2-data
+sudo apt-get update
+sudo apt-get install -y apache2 libapache2-mod-wsgi-py3 python3-pip apache2-data curl krb5-user libgssapi-krb5-2 libkrb5-3 python3-gssapi
 
 # 2 check if mod wsgi got activated
 apache2ctl -M | grep -i wsgi
 
 # 4 install needed python modules
 sudo pip3 install -r requirements.txt
+sudo pip3 install pyopenssl --upgrade
 
 # 5 configure apache2
 sudo cp examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf
 
+# 6 enable ssl
+sudo cp examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf
+sudo mkdir -p /var/www/acme2certifier/volume/
+sudo cp .github/acme2certifier.pem /var/www/acme2certifier/volume/
+sudo a2enmod ssl
+
 # 7 activate a2c
 sudo a2ensite acme2certifier.conf
+sudo a2ensite acme2certifier_ssl.conf
 
 # 8 create data directory
-sudo mkdir /var/www/acme2certifier
+sudo mkdir -p /var/www/acme2certifier
 
 # 9 copy main wsgi file
 sudo cp examples/acme2certifier_wsgi.py /var/www/acme2certifier
diff --git a/examples/install_scripts/a2c-ubuntu22-nginx.sh b/examples/install_scripts/a2c-ubuntu22-nginx.sh
index 58982ffc..91d71b54 100644
--- a/examples/install_scripts/a2c-ubuntu22-nginx.sh
+++ b/examples/install_scripts/a2c-ubuntu22-nginx.sh
@@ -8,11 +8,12 @@
 # 1 install needed packages
 echo "## Install missing packages"
 sudo apt-get update
-sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 curl
+sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 curl krb5-user libgssapi-krb5-2 libkrb5-3 python3-gssapi
 
 # 3 install needed python modules
 echo "## Install missing pythom modules"
 sudo pip3 install -r requirements.txt
+sudo pip3 install pyopenssl --upgrade
 
 # 8 create data directory
 echo "## Create directory structure required by acme2certifier"
@@ -30,9 +31,17 @@ sudo cp examples/db_handler/wsgi_handler.py /var/www/acme2certifier/acme_srv/db_
 
 echo "## Modify nginx configuration file"
 sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf
+sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv_ssl.conf
 sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf
+sudo cp examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/sites-available/acme_srv_ssl.conf
 sudo  rm /etc/nginx/sites-enabled/default
 sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf
+sudo ln -s /etc/nginx/sites-available/acme_srv_ssl.conf /etc/nginx/sites-enabled/acme_srv_ssl.conf
+
+echo "## Add keyfile and certificate"
+sudo mkdir -p /var/www/acme2certifier/volume/
+sudo cp .github/acme2certifier_cert.pem /var/www/acme2certifier/volume/
+sudo cp .github/acme2certifier_key.pem /var/www/acme2certifier/volume/
 
 echo "## Modify uwsgi configuration file"
 sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini
diff --git a/examples/install_scripts/debian/postinst b/examples/install_scripts/debian/postinst
index 294dc79d..27c5cbf8 100644
--- a/examples/install_scripts/debian/postinst
+++ b/examples/install_scripts/debian/postinst
@@ -24,6 +24,13 @@ set -e
 
 case "$1" in
     configure)
+
+    if [ -d /var/www/acme2certifier/acme2certifier ]; then
+        echo "django environment detected"
+        cp -R /var/www/acme2certifier/examples/django/acme_srv/* /var/www/acme2certifier/acme_srv/
+        cp -f /var/www/acme2certifier/examples/db_handler/django_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
+    fi
+
 	chown -R www-data.www-data /var/www/acme2certifier
     ;;
 
diff --git a/examples/install_scripts/rpm/acme2certifier.spec b/examples/install_scripts/rpm/acme2certifier.spec
index 2bd8ab0a..c1445b3c 100644
--- a/examples/install_scripts/rpm/acme2certifier.spec
+++ b/examples/install_scripts/rpm/acme2certifier.spec
@@ -38,6 +38,7 @@ Requires:       python3-josepy
 Requires:       python3-xmltodict
 Requires:       python3-pyasn1
 Requires:       python3-pyasn1-modules
+Requires:       python3-pyyaml
 Requires(post): policycoreutils
 
 BuildArch:		noarch
@@ -136,6 +137,9 @@ WorkingDirectory=%{dest_dir}
 
 %files
 %defattr(-,root,root,-)
+%config(noreplace) %{dest_dir}/%{projname}/acme_srv/acme_srv.cfg
+# %config(noreplace) %{dest_dir}/%{projname}/acme_srv/db_handler.py
+
 %license LICENSE
 %doc *.md requirements.txt docs/*.md
 %attr(0755,nginx,-)%{dest_dir}/%{projname}/
@@ -144,6 +148,12 @@ WorkingDirectory=%{dest_dir}
 %changelog
 
 %post
+if [ -d %{dest_dir}/%{projname}/%{projname} ]; then
+    echo "django environment detected"
+    cp -R %{dest_dir}/%{projname}/examples/django/acme_srv/* %{dest_dir}/%{projname}/acme_srv/
+    cp -f %{dest_dir}/%{projname}/examples/db_handler/django_handler.py %{dest_dir}/%{projname}/acme_srv/db_handler.py
+fi
+
 cat <<EOT > /tmp/acme2certifier.te
 module acme2certifier 1.0;
 
diff --git a/examples/nginx/nginx_acme_srv.conf b/examples/nginx/nginx_acme_srv.conf
index 4d5c5a80..11131785 100644
--- a/examples/nginx/nginx_acme_srv.conf
+++ b/examples/nginx/nginx_acme_srv.conf
@@ -1,6 +1,13 @@
+# zone with 10mb memory which is 160k/s - 5requests per client per second
+limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;
+
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
+
+    # first 5 requests go trough instantly 5more requests evey 100ms
+    limit_req zone=ip burst=10; # delay=5;
+
     server_name _;
     location = favicon.ico { access_log off; log_not_found off; }
     location / {
diff --git a/examples/nginx/nginx_acme_srv_ssl.conf b/examples/nginx/nginx_acme_srv_ssl.conf
index 9d80f4eb..947d38a0 100644
--- a/examples/nginx/nginx_acme_srv_ssl.conf
+++ b/examples/nginx/nginx_acme_srv_ssl.conf
@@ -1,6 +1,12 @@
+# zone with 10mb memory which is 160k/s - 5requests per client per second
+# limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;
 server {
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
+
+    # first 5 requests go trough instantly 5more requests evey 100ms
+    limit_req zone=ip burst=10; # delay=5;
+
     server_name _;
     location = favicon.ico { access_log off; log_not_found off; }
     location / {
diff --git a/examples/nginx/supervisord.conf b/examples/nginx/supervisord.conf
index 0ae799c3..08c7e0c7 100644
--- a/examples/nginx/supervisord.conf
+++ b/examples/nginx/supervisord.conf
@@ -3,7 +3,7 @@
 nodaemon=true
 
 [program:uwsgi]
-command=/usr/bin/uwsgi_python3 --ini /var/www/acme2certifier/acme2certifier.ini
+command=/usr/bin/uwsgi_python312 --ini /var/www/acme2certifier/acme2certifier.ini
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
diff --git a/examples/soap/mock_soap_srv.py b/examples/soap/mock_soap_srv.py
index 58a615e9..97f6eb6b 100644
--- a/examples/soap/mock_soap_srv.py
+++ b/examples/soap/mock_soap_srv.py
@@ -1,13 +1,13 @@
 # -*- coding: utf-8 -*-
 """ soap-server mock providing endpoint for soap ca handler """
-# pylint: disable=c0209, c0413, e0401
+# pylint: disable=c0413, e0401
 import os
 import sys
 import argparse
 import tempfile
 import json
 import subprocess
-from typing import List, Tuple, Dict
+from typing import List, Dict
 from http.client import responses
 from wsgiref.simple_server import WSGIServer, WSGIRequestHandler
 import xmltodict
@@ -45,9 +45,9 @@ def _csr_get(logger, soap_dic: Dict[str, str], soapenvelope: str, soapbody: str,
         if 'aur:CertificateRequestRaw' in soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]:
             csr = soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]['aur:CertificateRequestRaw']
         if 'aur:ProfileName' in soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]:
-            logger.info('got request profilename: {0}'.format(soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]['aur:ProfileName']))
+            logger.info('got request profilename: %s', soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]['aur:ProfileName'])
         if 'aur:Email' in soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]:
-            logger.info('got request email: {0}'.format(soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]['aur:Email']))
+            logger.info('got request email: %s', soap_dic[soapenvelope][soapbody][aurrequestcertificate][aurrequest]['aur:Email'])
 
     return csr
 
@@ -71,7 +71,7 @@ def _csr_lookup(logger, soap_dic: Dict[str, str]) -> str:
 def _opensslcmd_pem2pkcs7_convert(logger, tmp_dir: str, filename_list: List[str]) -> List[str]:
     """ build openssl command """
     logger.debug('_opensslcmd_pem2pkcs7_convert()')
-    cmd_list = ['openssl', 'crl2pkcs7', '-nocrl', '-outform', 'DER', '-out', '{0}/cert.p7b'.format(tmp_dir)]
+    cmd_list = ['openssl', 'crl2pkcs7', '-nocrl', '-outform', 'DER', '-out', f'{tmp_dir}/cert.p7b']
 
     for filename in filename_list:
         cmd_list.append('-certfile')
@@ -90,7 +90,7 @@ def _opensslcmd_csr_extract(logger, pkcs7_file: str, csr_file: str) -> List[str]
 
 def _file_load_binary(logger, filename: str) -> List[str]:
     """ load file at once """
-    logger.debug('file_open({0})'.format(filename))
+    logger.debug('file_open(%s)', filename)
     with open(filename, 'rb') as _file:
         lines = _file.read()
     return lines
@@ -98,7 +98,7 @@ def _file_load_binary(logger, filename: str) -> List[str]:
 
 def _file_load(logger, filename: str) -> List[str]:
     """ load file at once """
-    logger.debug('file_open({0})'.format(filename))
+    logger.debug('file_open(%s)', filename)
     with open(filename, 'r', encoding='utf8') as _file:
         lines = _file.read()
     return lines
@@ -106,14 +106,14 @@ def _file_load(logger, filename: str) -> List[str]:
 
 def _file_dump_binary(logger, filename: str, data_: str):
     """ dump content in binary format to file """
-    logger.debug('file_dump({0})'.format(filename))
+    logger.debug('file_dump(%s)', filename)
     with open(filename, 'wb') as file_:
         file_.write(data_)  # lgtm [py/clear-text-storage-sensitive-data]
 
 
 def _file_dump(logger, filename: str, data_: str):
     """ dump content to  file """
-    logger.debug('file_dump({0})'.format(filename))
+    logger.debug('file_dump(%s)', filename)
     with open(filename, 'w', encoding='utf8') as file_:
         file_.write(data_)  # lgtm [py/clear-text-storage-sensitive-data]
 
@@ -125,16 +125,16 @@ def _pem2pkcs7_convert(logger, tmp_dir: str, pem: str) -> str:
     filename_list = []
     for cnt, certificate in enumerate(certificate_list):
         if certificate:
-            certificate = '{0}-----END CERTIFICATE-----\n'.format(certificate)
-            _file_dump(logger, '{0}/{1}.pem'.format(tmp_dir, cnt), certificate)
-            filename_list.append('{0}/{1}.pem'.format(tmp_dir, cnt))
+            certificate = f'{certificate}-----END CERTIFICATE-----\n'
+            _file_dump(logger, f'{tmp_dir}/{cnt}.pem', certificate)
+            filename_list.append(f'{tmp_dir}/{cnt}.pem')
 
     openssl_cmd = _opensslcmd_pem2pkcs7_convert(logger, tmp_dir, filename_list)
 
     rcode = subprocess.call(openssl_cmd)
 
     if not rcode:
-        content = b64_encode(logger, _file_load_binary(logger, '{0}/cert.p7b'.format(tmp_dir)))
+        content = b64_encode(logger, _file_load_binary(logger, f'{tmp_dir}/cert.p7b'))
     else:
         content = None
 
@@ -181,12 +181,12 @@ def _csr_extract(logger, tmp_dir: str, csr: str) -> str:
 
     if csr:
         # dump csr into a file
-        _file_dump_binary(logger, '{0}/file.p7b'.format(tmp_dir), b64_decode(logger, csr))
-        openssl_cmd = _opensslcmd_csr_extract(logger, '{0}/file.p7b'.format(tmp_dir), '{0}/csr.der'.format(tmp_dir))
+        _file_dump_binary(logger, f'{tmp_dir}/file.p7b', b64_decode(logger, csr))
+        openssl_cmd = _opensslcmd_csr_extract(logger, f'{tmp_dir}/file.p7b', f'{tmp_dir}/csr.der')
         rcode = subprocess.call(openssl_cmd)
 
         if not rcode:
-            content = convert_byte_to_string(b64_url_encode(logger, _file_load_binary(logger, '{0}/csr.der'.format(tmp_dir))))
+            content = convert_byte_to_string(b64_url_encode(logger, _file_load_binary(logger, f'{tmp_dir}/csr.der')))
         else:
             content = None
     else:
@@ -211,7 +211,7 @@ def request_process(logger, csr: str) -> bytes:
 
     # extract csr from pkcs7 construct
     csr = _csr_extract(logger, tmp_dir, csr)
-    logger.debug('csr: {0}'.format(csr))
+    logger.debug('csr: %s', csr)
 
     # enroll certificate
     (error, cert_bundle, _cert_raw, _unused) = ca_handler.enroll(csr)
@@ -222,17 +222,17 @@ def request_process(logger, csr: str) -> bytes:
         pkcs7 = None
 
     if not ERROR and pkcs7:
-        soap_response = """
+        soap_response = f"""
     <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <s:Body>
         <RequestCertificateResponse xmlns="http://monetplus.cz/services/kb/aurora">
         <RequestCertificateResult xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
-            <IssuedCertificate>{0}</IssuedCertificate>
+            <IssuedCertificate>{pkcs7}</IssuedCertificate>
         </RequestCertificateResult>
         </RequestCertificateResponse>
     </s:Body>
     </s:Envelope>
-    """.format(pkcs7)
+    """
     else:
         soap_response = """
     <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
@@ -256,7 +256,7 @@ def soap_srv(environ, start_response) -> List[str]:
 
     if csr:
         # try:
-        status = "{0} {1}".format(HTTP_STATUS_CODE, responses[int(HTTP_STATUS_CODE)])
+        status = f"{HTTP_STATUS_CODE} {responses[int(HTTP_STATUS_CODE)]}"
         # Except Exception as error:
         # status = "500 Internal Server Error"
         headers = [("Content-type", "text/xml")]
diff --git a/requirements.txt b/requirements.txt
index ec48c95d..146d3599 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -13,4 +13,8 @@ acme
 xmltodict
 pyasn1
 pyasn1_modules
-requests_pkcs12
\ No newline at end of file
+requests_pkcs12
+requests_gssapi
+gssapi
+pyyaml
+werkzeug>=3.0.6 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/test/ca/acme2certifier-clean.xdb b/test/ca/acme2certifier-clean.xdb
index b34e6972..d1f712da 100644
Binary files a/test/ca/acme2certifier-clean.xdb and b/test/ca/acme2certifier-clean.xdb differ
diff --git a/test/test_account.py b/test/test_account.py
index 379c6568..19439b7c 100644
--- a/test/test_account.py
+++ b/test/test_account.py
@@ -1285,7 +1285,7 @@ def test_126_config_load(self, mock_load_cfg, mock_eab):
         self.assertTrue(self.account.eab_check)
         self.assertTrue(self.account.eab_handler)
 
-    @patch('importlib.import_module')
+    @patch('acme_srv.account.eab_handler_load')
     @patch('acme_srv.account.load_config')
     def test_127_config_load(self, mock_load_cfg, mock_imp):
         """ test _config_load account with contact_check_disable True """
@@ -1294,6 +1294,7 @@ def test_127_config_load(self, mock_load_cfg, mock_imp):
         mock_load_cfg.return_value = parser
         mock_imp.return_value = Mock()
         self.account._config_load()
+        self.account._config_load()
         self.assertFalse(self.account.inner_header_nonce_allow)
         self.assertFalse(self.account.ecc_only)
         self.assertFalse(self.account.tos_check_disable)
diff --git a/test/test_asa_ca_handler.py b/test/test_asa_ca_handler.py
new file mode 100644
index 00000000..b7a507fa
--- /dev/null
+++ b/test/test_asa_ca_handler.py
@@ -0,0 +1,941 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+""" unittests for openssl_ca_handler """
+# pylint: disable=C0415, R0904, W0212
+import sys
+import os
+import unittest
+from unittest.mock import patch, Mock, MagicMock
+import requests
+import base64
+
+sys.path.insert(0, '.')
+sys.path.insert(1, '..')
+
+class TestACMEHandler(unittest.TestCase):
+    """ test class for cgi_handler """
+
+    def setUp(self):
+        """ setup unittest """
+        import logging
+        from examples.ca_handler.asa_ca_handler import CAhandler
+        logging.basicConfig(level=logging.CRITICAL)
+        self.logger = logging.getLogger('test_a2c')
+        self.cahandler = CAhandler(False, self.logger)
+        self.dir_path = os.path.dirname(os.path.realpath(__file__))
+        self.maxDiff = None
+
+    def test_001_default(self):
+        """ default test which always passes """
+        self.assertEqual('foo', 'foo')
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._config_load')
+    def test_002__enter__(self, mock_cfg):
+        """ test enter  called """
+        mock_cfg.return_value = True
+        self.cahandler.__enter__()
+        self.assertTrue(mock_cfg.called)
+
+    def test_003_poll(self):
+        """ test polling """
+        self.assertEqual(('Method not implemented.', None, None, 'poll_identifier', False), self.cahandler.poll('cert_name', 'poll_identifier', 'csr'))
+
+    def test_004_trigger(self):
+        """ test polling """
+        self.assertEqual(('Method not implemented.', None, None), self.cahandler.trigger('payload'))
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_005_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'api_host': 'api_host'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertEqual('api_host', self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_006_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'api_user': 'api_user'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertEqual('api_user', self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_007_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'api_password': 'api_password'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertEqual('api_password', self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_008_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'api_key': 'api_key'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertEqual('api_key', self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_009_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'api_host': 'api_host', 'api_user': 'api_user', 'api_password': 'api_password', 'api_key': 'api_key'}}
+        self.cahandler._config_load()
+        self.assertEqual('api_host', self.cahandler.api_host)
+        self.assertEqual('api_user', self.cahandler.api_user)
+        self.assertEqual('api_password', self.cahandler.api_password)
+        self.assertEqual('api_key', self.cahandler.api_key)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_010_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'foo': 'bar'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_011_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'request_timeout': 20}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(20, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_012_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'request_timeout': 'aa'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): request_timeout not an integer', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_013_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'cert_validity_days': 10}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        # self.assertIn('ERROR:test_a2c:CAhandler._config_load(): request_timeout not an integer', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(10, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_014_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'cert_validity_days': 'aa'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): cert_validity_days not an integer', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_015_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'ca_bundle': 'aa'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('aa', self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_016_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'CAhandler': {'ca_bundle': 'False'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.asa_ca_handler.load_config')
+    def test_017_config_load(self, mock_config_load):
+        """ test _config_load """
+        mock_config_load.return_value = {'Order': {'header_info_list': '["foo"]'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_host not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_user not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_key not set', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_load(): api_password not set', lcm.output)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertFalse(self.cahandler.ca_bundle)
+        self.assertFalse(self.cahandler.proxy)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual(30, self.cahandler.cert_validity_days)
+        self.assertEqual('foo', self.cahandler.header_info_field)
+
+    @patch.object(requests, 'post')
+    def test_018__api_post(self, mock_req):
+        """ test _api_post() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = lambda: {'foo': 'bar'}
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_post('url', 'data'))
+
+    @patch('requests.post')
+    def test_019__api_post(self, mock_req):
+        """ test _api_post() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = "aaaa"
+        mock_req.return_value = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', "'str' object is not callable"), self.cahandler._api_post('url', 'data'))
+        self.assertIn("ERROR:test_a2c:CAhandler._api_post() returned error during json parsing: 'str' object is not callable", lcm.output)
+
+    @patch('requests.post')
+    def test_020__api_post(self, mock_req):
+        """ test _api_post() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.text = None
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', None), self.cahandler._api_post('url', 'data'))
+
+    @patch('requests.post')
+    def test_021__api_post(self, mock_req):
+        """ test _api_post(= """
+        self.cahandler.api_host = 'api_host'
+        self.cahandler.auth = 'auth'
+        mock_req.side_effect = Exception('exc_api_post')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_post'), self.cahandler._api_post('url', 'data'))
+        self.assertIn('ERROR:test_a2c:CAhandler._api_post() returned error: exc_api_post', lcm.output)
+
+    @patch.object(requests, 'get')
+    def test_022__api_get(self, mock_req):
+        """ test _api_get() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = lambda: {'foo': 'bar'}
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_get('url'))
+
+    @patch('requests.get')
+    def test_023__api_get(self, mock_req):
+        """ test _api_get() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = "aaaa"
+        mock_req.return_value = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', "'str' object is not callable"), self.cahandler._api_get('url'))
+        self.assertIn("ERROR:test_a2c:CAhandler._api_get() returned error during json parsing: 'str' object is not callable", lcm.output)
+
+    @patch('requests.get')
+    def test_024__api_get(self, mock_req):
+        """ test _api_get() """
+        self.cahandler.api_host = 'api_host'
+        self.cahandler.auth = 'auth'
+        mock_req.side_effect = Exception('exc_api_get')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_get'), self.cahandler._api_get('url'))
+        self.assertIn('ERROR:test_a2c:CAhandler._api_get() returned error: exc_api_get', lcm.output)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_get')
+    def test_025__issuers_list(self, mock_get):
+        """ test _issuers_list()"""
+        mock_get.return_value = (200, 'content')
+        self.assertEqual('content', self.cahandler._issuers_list())
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_get')
+    def test_026__profiles_list(self, mock_get):
+        """ test _profiles_list()"""
+        self.cahandler.ca_name = 'ca_name'
+        mock_get.return_value = (200, 'content')
+        self.assertEqual('content', self.cahandler._profiles_list())
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_get')
+    def test_027__certificates_list(self, mock_get):
+        """ test _profiles_list()"""
+        self.cahandler.ca_name = 'ca_name'
+        mock_get.return_value = (200, 'content')
+        self.assertEqual('content', self.cahandler._certificates_list())
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    def test_028_cert_status_get(self, mock_req):
+        """ test _profiles_list()"""
+        self.cahandler.ca_name = 'ca_name'
+        mock_req.return_value = ('status_code', {'foo': 'bar'})
+        self.assertEqual({'foo': 'bar', 'code': 'status_code'}, self.cahandler._cert_status_get('cert'))
+
+    @patch('examples.ca_handler.asa_ca_handler.csr_san_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_cn_get')
+    def test_029__csr_cn_get(self, mock_cn, mock_san):
+        """ test _csr_cn_get() """
+        mock_cn.return_value = 'cn'
+        mock_san.return_value = ['san0', 'san1']
+        self.assertEqual('cn', self.cahandler._csr_cn_get('csr'))
+        self.assertFalse(mock_san.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.csr_san_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_cn_get')
+    def test_030__csr_cn_get(self, mock_cn, mock_san):
+        """ test _csr_cn_get() """
+        mock_cn.return_value = None
+        mock_san.return_value = ['dns:san0', 'dns:san1']
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('san0', self.cahandler._csr_cn_get('csr'))
+        self.assertIn('INFO:test_a2c:CAhandler._csr_cn_get(): CN not found in CSR', lcm.output)
+        self.assertIn('INFO:test_a2c:CAhandler._csr_cn_get(): CN not found in CSR. Using first SAN entry as CN: san0', lcm.output)
+        self.assertTrue(mock_san.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.csr_san_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_cn_get')
+    def test_031__csr_cn_get(self, mock_cn, mock_san):
+        """ test _csr_cn_get() """
+        mock_cn.return_value = None
+        mock_san.return_value = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(None, self.cahandler._csr_cn_get('csr'))
+        self.assertIn('INFO:test_a2c:CAhandler._csr_cn_get(): CN not found in CSR', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._csr_cn_get(): CN not found in CSR. No SAN entries found', lcm.output)
+        self.assertTrue(mock_san.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuers_list')
+    def test_032_issuer_verify(self, mock_list):
+        """ _issuer_verify() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_list.return_value = {'issuers': ['1', '2', 'ca_name']}
+        self.assertFalse(self.cahandler._issuer_verify())
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuers_list')
+    def test_033_issuer_verify(self, mock_list):
+        """ _issuer_verify() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_list.return_value = {'issuers': ['1', '2', '3']}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('CA ca_name not found', self.cahandler._issuer_verify())
+        self.assertIn('ERROR:test_a2c:CAhandler.enroll(): CA ca_name not found', lcm.output)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuers_list')
+    def test_034_issuer_verify(self, mock_list):
+        """ _issuer_verify() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_list.return_value = {'foo': 'bar'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('Malformed response', self.cahandler._issuer_verify())
+        self.assertIn('ERROR:test_a2c:CAhandler.enroll(): "Malformed response. "issuers" key not found', lcm.output)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profiles_list')
+    def test_035_profile_verify(self, mock_list):
+        """ _profile_verify() """
+        self.cahandler.profile_name = 'profile_name'
+        mock_list.return_value = {'profiles': ['1', '2', 'profile_name']}
+        self.assertFalse(self.cahandler._profile_verify())
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profiles_list')
+    def test_036_profile_verify(self, mock_list):
+        """ _profile_verify() """
+        self.cahandler.profile_name = 'profile_name'
+        mock_list.return_value = {'profiles': ['1', '2', '3']}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('Profile profile_name not found', self.cahandler._profile_verify())
+        self.assertIn('ERROR:test_a2c:CAhandler.enroll(): Profile profile_name not found', lcm.output)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profiles_list')
+    def test_037_profile_verify(self, mock_list):
+        """ _profile_verify() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_list.return_value = {'foo': 'bar'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('Malformed response', self.cahandler._profile_verify())
+        self.assertIn('ERROR:test_a2c:CAhandler.enroll(): "Malformed response. "profiles" key not found', lcm.output)
+
+    @patch('examples.ca_handler.asa_ca_handler.uts_to_date_utc')
+    @patch('examples.ca_handler.asa_ca_handler.uts_now')
+    def test_038__validity_dates_get(self, mock_now, mock_utc):
+        """ test _validity_dates_get() """
+        mock_now.return_value = 10
+        mock_utc.side_effect = ['date1', 'date2']
+        self.assertEqual(('date1', 'date2'), self.cahandler._validity_dates_get())
+        self.assertTrue(mock_now.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    def test_039__pem_cert_chain_generate(self, mock_dec, mock_d2p, mock_b2s):
+        """ test _pem_cert_chain_generate() """
+        mock_b2s.return_value = 'cert'
+        self.assertEqual('certcert', self.cahandler._pem_cert_chain_generate(['cert', 'chain']))
+
+    def test_040__pem_cert_chain_generate(self):
+        """ test _pem_cert_chain_generate() """
+        cert_list = ['MIIF7DCCBFSgAwIBAgIKB/8cQ9wAI3UbITANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJERTERMA8GA1UECgwIT3BlblhQS0kxDDAKBgNVBAsMA1BLSTEqMCgGA1UEAwwhT3BlblhQS0kgRGVtbyBJc3N1aW5nIENBIDIwMjMwMjA0MB4XDTIzMDIwNTA2NDY0MloXDTI0MDIwNTA2NDY0MlowazETMBEGCgmSJomT8ixkARkWA29yZzEYMBYGCgmSJomT8ixkARkWCE9wZW5YUEtJMR8wHQYKCZImiZPyLGQBGRYPVGVzdCBEZXBsb3ltZW50MRkwFwYDVQQDDBBhY21lMS5keW5hbW9wLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAre1jtb8Xjqr49QH3fWe2kH+yDk3NXfxHyOmKcNcBke68WMRB5Irrdj15JfAsXxu9psLVEOJgvdOLOnUbhN57uBLHwMAC1LH6HruYuCqtbaSezgJIYIEACvtQmIy6BIvigqwX31eLkA7kk7YXeJCnvrr461t/uZkhmaXZM9+G4asSj6fT0ffA7OVVqewDdE+d2VgCjPlH9uqPMOVK2m/AQj+jEVV/IV2znngZmkAsmYi6h2Wg08vEzTMyvhZIEma3xo6M9g9VIsTQP/ETxxhAAgzEQ0Jlz90rOioZK7mkx8xH1fLlhyfX53vqcEbva5evy1YMGEs0XZPYu2B6Oya9WQIDAQABo4ICITCCAh0wgYcGCCsGAQUFBwEBBHsweTBRBggrBgEFBQcwAoZFaHR0cDovL3BraS5leGFtcGxlLmNvbS9kb3dubG9hZC9PcGVuWFBLSV9EZW1vX0lzc3VpbmdfQ0FfMjAyMzAyMDQuY2VyMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5leGFtcGxlLmNvbS8wHwYDVR0jBBgwFoAU0f8PWcniVXltJeA6q7wYtyJrNFAwDAYDVR0TAQH/BAIwADBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vcGtpLmV4YW1wbGUuY29tL2Rvd25sb2FkL09wZW5YUEtJX0RlbW9fSXNzdWluZ19DQV8yMDIzMDIwNC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMIGoBgNVHSAEgaAwgZ0wgZoGAyoDBDCBkjArBggrBgEFBQcCARYfaHR0cDovL3BraS5leGFtcGxlLmNvbS9jcHMuaHRtbDArBggrBgEFBQcCARYfaHR0cDovL3BraS5leGFtcGxlLmNvbS9jcHMuaHRtbDA2BggrBgEFBQcCAjAqGihUaGlzIGlzIGEgY29tbWVudCBmb3IgcG9saWN5IG9pZCAxLjIuMy40MBsGA1UdEQQUMBKCEGFjbWUxLmR5bmFtb3AuZGUwHQYDVR0OBBYEFA3AUTV0pg0fsd3Cd6/BskOEB9MVMA0GCSqGSIb3DQEBCwUAA4IBgQB0xnnl6BJDXrbTQr7TdkRPmcCDFUmi8aVTYozbQ8EKxIYEPsfzxOFbSG/wn+4Sjz7HqvzqxyisfTopqWrvpqIhlXOEFMnNYTDO4LzCd81Dcs4czjoIRxRTisgNCvWR9hbeH9HzdRT1UF/c4VxxLEONSsGHksoXa+G4u7XmPwD4dTUIP49Mmj2a28z/viG8KftcjAEo1S7OB+/xyPeVDYrgagMR31a69pI+yuQa0J66O/LJQrzjWf6wHToQErQPcEBtDxY2wx3hROMtdla9lUEU8XLb3e9zByZwOfDhFpw8iYkJx/BUZlsmIKaZSpYVS+0D5LI1R5PENhT/2gRxaA31RiNLK/E8CSU7MMadqImkFLkDHU2x+2SRENwvoOEUAOewjVlhB1pK0r5WEye2lBjl8cUa+8qhIrAOqggApQ7eCQq7v2bL08VxKz5baOhKfLZ9u4MH6q52pnqXmll0W7JXrJSbam5r3YoSelm94VwVyaSkfd+LT4YMAP7GDDvtT6Y=']
+        result = """-----BEGIN CERTIFICATE-----
+MIIF7DCCBFSgAwIBAgIKB/8cQ9wAI3UbITANBgkqhkiG9w0BAQsFADBaMQswCQYD
+VQQGEwJERTERMA8GA1UECgwIT3BlblhQS0kxDDAKBgNVBAsMA1BLSTEqMCgGA1UE
+AwwhT3BlblhQS0kgRGVtbyBJc3N1aW5nIENBIDIwMjMwMjA0MB4XDTIzMDIwNTA2
+NDY0MloXDTI0MDIwNTA2NDY0MlowazETMBEGCgmSJomT8ixkARkWA29yZzEYMBYG
+CgmSJomT8ixkARkWCE9wZW5YUEtJMR8wHQYKCZImiZPyLGQBGRYPVGVzdCBEZXBs
+b3ltZW50MRkwFwYDVQQDDBBhY21lMS5keW5hbW9wLmRlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAre1jtb8Xjqr49QH3fWe2kH+yDk3NXfxHyOmKcNcB
+ke68WMRB5Irrdj15JfAsXxu9psLVEOJgvdOLOnUbhN57uBLHwMAC1LH6HruYuCqt
+baSezgJIYIEACvtQmIy6BIvigqwX31eLkA7kk7YXeJCnvrr461t/uZkhmaXZM9+G
+4asSj6fT0ffA7OVVqewDdE+d2VgCjPlH9uqPMOVK2m/AQj+jEVV/IV2znngZmkAs
+mYi6h2Wg08vEzTMyvhZIEma3xo6M9g9VIsTQP/ETxxhAAgzEQ0Jlz90rOioZK7mk
+x8xH1fLlhyfX53vqcEbva5evy1YMGEs0XZPYu2B6Oya9WQIDAQABo4ICITCCAh0w
+gYcGCCsGAQUFBwEBBHsweTBRBggrBgEFBQcwAoZFaHR0cDovL3BraS5leGFtcGxl
+LmNvbS9kb3dubG9hZC9PcGVuWFBLSV9EZW1vX0lzc3VpbmdfQ0FfMjAyMzAyMDQu
+Y2VyMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5leGFtcGxlLmNvbS8wHwYDVR0j
+BBgwFoAU0f8PWcniVXltJeA6q7wYtyJrNFAwDAYDVR0TAQH/BAIwADBWBgNVHR8E
+TzBNMEugSaBHhkVodHRwOi8vcGtpLmV4YW1wbGUuY29tL2Rvd25sb2FkL09wZW5Y
+UEtJX0RlbW9fSXNzdWluZ19DQV8yMDIzMDIwNC5jcmwwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDgYDVR0PAQH/BAQDAgWgMIGoBgNVHSAEgaAwgZ0wgZoGAyoDBDCBkjAr
+BggrBgEFBQcCARYfaHR0cDovL3BraS5leGFtcGxlLmNvbS9jcHMuaHRtbDArBggr
+BgEFBQcCARYfaHR0cDovL3BraS5leGFtcGxlLmNvbS9jcHMuaHRtbDA2BggrBgEF
+BQcCAjAqGihUaGlzIGlzIGEgY29tbWVudCBmb3IgcG9saWN5IG9pZCAxLjIuMy40
+MBsGA1UdEQQUMBKCEGFjbWUxLmR5bmFtb3AuZGUwHQYDVR0OBBYEFA3AUTV0pg0f
+sd3Cd6/BskOEB9MVMA0GCSqGSIb3DQEBCwUAA4IBgQB0xnnl6BJDXrbTQr7TdkRP
+mcCDFUmi8aVTYozbQ8EKxIYEPsfzxOFbSG/wn+4Sjz7HqvzqxyisfTopqWrvpqIh
+lXOEFMnNYTDO4LzCd81Dcs4czjoIRxRTisgNCvWR9hbeH9HzdRT1UF/c4VxxLEON
+SsGHksoXa+G4u7XmPwD4dTUIP49Mmj2a28z/viG8KftcjAEo1S7OB+/xyPeVDYrg
+agMR31a69pI+yuQa0J66O/LJQrzjWf6wHToQErQPcEBtDxY2wx3hROMtdla9lUEU
+8XLb3e9zByZwOfDhFpw8iYkJx/BUZlsmIKaZSpYVS+0D5LI1R5PENhT/2gRxaA31
+RiNLK/E8CSU7MMadqImkFLkDHU2x+2SRENwvoOEUAOewjVlhB1pK0r5WEye2lBjl
+8cUa+8qhIrAOqggApQ7eCQq7v2bL08VxKz5baOhKfLZ9u4MH6q52pnqXmll0W7JX
+rJSbam5r3YoSelm94VwVyaSkfd+LT4YMAP7GDDvtT6Y=
+-----END CERTIFICATE-----
+"""
+        self.assertEqual(result, self.cahandler._pem_cert_chain_generate(cert_list))
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._pem_cert_chain_generate')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_get')
+    def test_041___issuer_chain_get(self, mock_req, mock_pem):
+        """ test _issuer_chain_get() """
+        mock_req.return_value = ('code', {'certs': ['bar', 'foo']})
+        mock_pem.return_value = 'issuer_chain'
+        self.cahandler.ca_name = 'ca_name'
+        self.assertEqual('issuer_chain', self.cahandler._issuer_chain_get())
+        self.assertTrue(mock_pem.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._pem_cert_chain_generate')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_get')
+    def test_042___issuer_chain_get(self, mock_req, mock_pem):
+        """ test _issuer_chain_get() """
+        mock_req.return_value = ('code', {'foobar': ['bar', 'foo']})
+        mock_pem.return_value = 'issuer_chain'
+        self.cahandler.ca_name = 'ca_name'
+        self.assertFalse(self.cahandler._issuer_chain_get())
+        self.assertFalse(mock_pem.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_chain_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_verify')
+    @patch('examples.ca_handler.asa_ca_handler.eab_profile_header_info_check')
+    def test_043_enroll(self, mock_pv, mock_iv, mock_icg, mock_cpg, mockccg, mock_vdg, mock_b64, mock_d2p, mock_b2s, mock_post):
+        """ test enroll() """
+        mock_iv.return_value = None
+        mock_pv.return_value = 'pv_error'
+        mock_icg.return_value = 'issuer_chain'
+        mock_vdg.return_value = ('date1', 'date2')
+        mock_post.return_value = (200, 'cert')
+        mock_b2s.return_value = 'bcert'
+        self.cahandler.header_info_field = 'foo'
+        self.assertEqual(('pv_error', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_pv.called)
+        self.assertFalse(mock_iv.called)
+        self.assertFalse(mock_icg.called)
+        self.assertFalse(mock_cpg.called)
+        self.assertFalse(mockccg.called)
+        self.assertFalse(mock_vdg.called)
+        self.assertFalse(mock_b64.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_b2s.called)
+        self.assertFalse(mock_d2p.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_chain_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profile_verify')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_verify')
+    def test_044_enroll(self, mock_iv, mock_pv, mock_icg, mock_cpg, mockccg, mock_vdg, mock_b64, mock_d2p, mock_b2s, mock_post):
+        """ test enroll() """
+        mock_iv.return_value = None
+        mock_pv.return_value = None
+        mock_icg.return_value = 'issuer_chain'
+        mock_vdg.return_value = ('date1', 'date2')
+        mock_post.return_value = (200, 'cert')
+        mock_b2s.return_value = 'bcert'
+        self.cahandler.header_info_field = 'foo'
+        self.assertEqual((None, 'bcertissuer_chain', 'cert', None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_iv.called)
+        self.assertTrue(mock_pv.called)
+        self.assertTrue(mock_icg.called)
+        self.assertTrue(mock_cpg.called)
+        self.assertTrue(mockccg.called)
+        self.assertTrue(mock_vdg.called)
+        self.assertTrue(mock_b64.called)
+        self.assertTrue(mock_post.called)
+        self.assertTrue(mock_b2s.called)
+        self.assertTrue(mock_d2p.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_chain_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profile_verify')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_verify')
+    def test_045_enroll(self, mock_iv, mock_pv, mock_icg, mock_cpg, mockccg, mock_vdg, mock_b64, mock_d2p, mock_b2s, mock_post):
+        """ test enroll() """
+        mock_iv.return_value = None
+        mock_pv.return_value = None
+        mock_icg.return_value = 'issuer_chain'
+        mock_vdg.return_value = ('date1', 'date2')
+        mock_post.return_value = (200, 'cert')
+        mock_b2s.return_value = 'bcert'
+        self.assertEqual((None, 'bcertissuer_chain', 'cert', None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_iv.called)
+        self.assertTrue(mock_pv.called)
+        self.assertTrue(mock_icg.called)
+        self.assertTrue(mock_cpg.called)
+        self.assertTrue(mockccg.called)
+        self.assertTrue(mock_vdg.called)
+        self.assertTrue(mock_b64.called)
+        self.assertTrue(mock_post.called)
+        self.assertTrue(mock_b2s.called)
+        self.assertTrue(mock_d2p.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_chain_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profile_verify')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_verify')
+    def test_046_enroll(self, mock_iv, mock_pv, mock_icg, mock_cpg, mockccg, mock_vdg, mock_b64, mock_d2p, mock_b2s, mock_post):
+        """ test enroll() """
+        mock_iv.return_value = 'mock_iv'
+        mock_pv.return_value = None
+        mock_icg.return_value = 'issuer_chain'
+        mock_vdg.return_value = ('date1', 'date2')
+        mock_post.return_value = ('code', 'cert')
+        mock_b2s.return_value = 'bcert'
+        self.assertEqual(('mock_iv', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_iv.called)
+        self.assertFalse(mock_pv.called)
+        self.assertFalse(mock_icg.called)
+        self.assertFalse(mock_cpg.called)
+        self.assertFalse(mockccg.called)
+        self.assertFalse(mock_vdg.called)
+        self.assertFalse(mock_b64.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_b2s.called)
+        self.assertFalse(mock_d2p.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_chain_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profile_verify')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_verify')
+    def test_047_enroll(self, mock_iv, mock_pv, mock_icg, mock_cpg, mockccg, mock_vdg, mock_b64, mock_d2p, mock_b2s, mock_post):
+        """ test enroll() """
+        mock_iv.return_value = None
+        mock_pv.return_value = 'mock_pv'
+        mock_icg.return_value = 'issuer_chain'
+        mock_vdg.return_value = ('date1', 'date2')
+        mock_post.return_value = ('code', 'cert')
+        mock_b2s.return_value = 'bcert'
+        self.assertEqual(('mock_pv', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_iv.called)
+        self.assertTrue(mock_pv.called)
+        self.assertFalse(mock_icg.called)
+        self.assertFalse(mock_cpg.called)
+        self.assertFalse(mockccg.called)
+        self.assertFalse(mock_vdg.called)
+        self.assertFalse(mock_b64.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_b2s.called)
+        self.assertFalse(mock_d2p.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_chain_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profile_verify')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_verify')
+    def test_048_enroll(self, mock_iv, mock_pv, mock_icg, mock_cpg, mockccg, mock_vdg, mock_b64, mock_d2p, mock_b2s, mock_post):
+        """ test enroll() """
+        mock_iv.return_value = None
+        mock_pv.return_value = None
+        mock_icg.return_value = 'issuer_chain'
+        mock_vdg.return_value = ('date1', 'date2')
+        mock_post.return_value = (500, 'cert')
+        mock_b2s.return_value = 'bcert'
+        self.assertEqual(('Enrollment failed', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_iv.called)
+        self.assertTrue(mock_pv.called)
+        self.assertTrue(mock_icg.called)
+        self.assertTrue(mock_cpg.called)
+        self.assertTrue(mockccg.called)
+        self.assertTrue(mock_vdg.called)
+        self.assertFalse(mock_b64.called)
+        self.assertTrue(mock_post.called)
+        self.assertFalse(mock_b2s.called)
+        self.assertFalse(mock_d2p.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.convert_byte_to_string')
+    @patch('examples.ca_handler.asa_ca_handler.cert_der2pem')
+    @patch('examples.ca_handler.asa_ca_handler.b64_decode')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_chain_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._profile_verify')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._issuer_verify')
+    def test_049_enroll(self, mock_iv, mock_pv, mock_icg, mock_cpg, mockccg, mock_vdg, mock_b64, mock_d2p, mock_b2s, mock_post):
+        """ test enroll() """
+        mock_iv.return_value = None
+        mock_pv.return_value = None
+        mock_icg.return_value = 'issuer_chain'
+        mock_vdg.return_value = ('date1', 'date2')
+        mock_post.return_value = (500, 'cert')
+        mock_b2s.return_value = 'bcert'
+        mock_cpg.return_value = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('Enrollment failed', None, None, None), self.cahandler.enroll('csr'))
+        self.assertIn('ERROR:test_a2c:CAhandler._enrollment_dic_create(): public key not found', lcm.output)
+        self.assertTrue(mock_iv.called)
+        self.assertTrue(mock_pv.called)
+        self.assertTrue(mock_icg.called)
+        self.assertTrue(mock_cpg.called)
+        self.assertFalse(mockccg.called)
+        self.assertFalse(mock_vdg.called)
+        self.assertFalse(mock_b64.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_b2s.called)
+        self.assertFalse(mock_d2p.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.cert_ski_get')
+    def test_050_revoke(self, mock_ski, mock_post):
+        """ test revoke() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_ski.return_value = 'serial'
+        mock_post.return_value = ('code', None)
+        self.assertEqual(('code', None, None), self.cahandler.revoke('cert'))
+        self.assertTrue(mock_ski.called)
+        self.assertTrue(mock_post.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.cert_ski_get')
+    def test_051_revoke(self, mock_ski, mock_post):
+        """ test revoke() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_ski.return_value = 'mock_ski'
+        mock_post.return_value = ('code', {'message': 'message'})
+        self.assertEqual(('code', 'urn:ietf:params:acme:error:serverInternal', 'message'), self.cahandler.revoke('cert'))
+        self.assertTrue(mock_ski.called)
+        self.assertTrue(mock_post.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.cert_ski_get')
+    def test_052_revoke(self, mock_ski, mock_post):
+        """ test revoke() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_ski.return_value = 'ski'
+        mock_post.return_value = ('code', {'Message': 'Message'})
+        self.assertEqual(('code', 'urn:ietf:params:acme:error:serverInternal', 'Message'), self.cahandler.revoke('cert'))
+        self.assertTrue(mock_ski.called)
+        self.assertTrue(mock_post.called)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.asa_ca_handler.cert_ski_get')
+    def test_053_revoke(self, mock_ski, mock_post):
+        """ test revoke() """
+        self.cahandler.ca_name = 'ca_name'
+        mock_ski.return_value = 'ski'
+        mock_post.return_value = ('code', {'foo': 'bar'})
+        self.assertEqual(('code', 'urn:ietf:params:acme:error:serverInternal', 'Unknown error'), self.cahandler.revoke('cert'))
+        self.assertTrue(mock_ski.called)
+        self.assertTrue(mock_post.called)
+
+    @patch.dict('os.environ', {'api_user_var': 'user_var'})
+    def test_054_config_user_load(self):
+        """ test _config_load - load template with user variable """
+        config_dic = {'api_user_variable': 'api_user_var'}
+        self.cahandler._config_user_load(config_dic)
+        self.assertEqual('user_var', self.cahandler.api_user)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_user_var': 'user_var'})
+    def test_055_config_user_load(self):
+        """ test _config_load - load template with user variable """
+        config_dic = {'api_user_variable': 'does_not_exist'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_user_load(config_dic)
+        self.assertFalse(self.cahandler.api_user)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_user_load() could not load user_variable: does_not_exist', lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_user_var': 'user_var'})
+    def test_056_config_user_load(self):
+        """ test _config_load - load template with user variable """
+        config_dic = {'api_user_variable': 'api_user_var', 'api_user': 'api_user'}
+        self.cahandler._config_user_load(config_dic)
+        # with self.assertLogs('test_a2c', level='INFO') as lcm:
+        self.assertEqual('api_user', self.cahandler.api_user)
+        # self.assertIn("foo", lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_host_var': 'host_var'})
+    def test_057_config_host_load(self):
+        """ test _config_load - load template with host variable """
+        config_dic = {'api_host_variable': 'api_host_var'}
+        self.cahandler._config_host_load(config_dic)
+        self.assertEqual('host_var', self.cahandler.api_host)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_host_var': 'host_var'})
+    def test_058_config_host_load(self):
+        """ test _config_load - load template with host variable """
+        config_dic = {'api_host_variable': 'does_not_exist'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_host_load(config_dic)
+        self.assertFalse(self.cahandler.api_host)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_host_load() could not load host_variable: does_not_exist', lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_host_var': 'host_var'})
+    def test_059_config_host_load(self):
+        """ test _config_load - load template with host variable """
+        config_dic = {'api_host_variable': 'api_host_var', 'api_host': 'api_host'}
+        self.cahandler._config_host_load(config_dic)
+        # with self.assertLogs('test_a2c', level='INFO') as lcm:
+        self.assertEqual('api_host', self.cahandler.api_host)
+        # self.assertIn("foo", lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_key_var': 'key_var'})
+    def test_060_config_key_load(self):
+        """ test _config_load - load template with key variable """
+        config_dic = {'api_key_variable': 'api_key_var'}
+        self.cahandler._config_key_load(config_dic)
+        self.assertEqual('key_var', self.cahandler.api_key)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_key_var': 'key_var'})
+    def test_061_config_key_load(self):
+        """ test _config_load - load template with key variable """
+        config_dic = {'api_key_variable': 'does_not_exist'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_key_load(config_dic)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_key_load() could not load key_variable: does_not_exist', lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_key_var': 'key_var'})
+    def test_062_config_key_load(self):
+        """ test _config_load - load template with key variable """
+        config_dic = {'api_key_variable': 'api_key_var', 'api_key': 'api_key'}
+        self.cahandler._config_key_load(config_dic)
+        # with self.assertLogs('test_a2c', level='INFO') as lcm:
+        self.assertEqual('api_key', self.cahandler.api_key)
+        # self.assertIn("foo", lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_password_var': 'password_var'})
+    def test_063_config_password_load(self):
+        """ test _config_load - load template with password variable """
+        config_dic = {'api_password_variable': 'api_password_var'}
+        self.cahandler._config_password_load(config_dic)
+        self.assertEqual('password_var', self.cahandler.api_password)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_password_var': 'password_var'})
+    def test_064_config_password_load(self):
+        """ test _config_load - load template with password variable """
+        config_dic = {'api_password_variable': 'does_not_exist'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_password_load(config_dic)
+        self.assertFalse(self.cahandler.api_password)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_password_load() could not load password_variable: does_not_exist', lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch.dict('os.environ', {'api_password_var': 'password_var'})
+    def test_065_config_password_load(self):
+        """ test _config_load - load template with password variable """
+        config_dic = {'api_password_variable': 'api_password_var', 'api_password': 'api_password'}
+        self.cahandler._config_password_load(config_dic)
+        # with self.assertLogs('test_a2c', level='INFO') as lcm:
+        self.assertEqual('api_password', self.cahandler.api_password)
+        # self.assertIn("foo", lcm.output)
+        self.assertFalse(self.cahandler.profile_name)
+
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._validity_dates_get')
+    @patch('examples.ca_handler.asa_ca_handler.CAhandler._csr_cn_get')
+    @patch('examples.ca_handler.asa_ca_handler.csr_pubkey_get')
+    def test_066_enrollment_dic_create(self, mock_pkg, mock_ccg, mock_vdg):
+        """ test _enrollment_dic_create()"""
+        mock_pkg.return_value = 'pubkey'
+        mock_ccg.return_value = 'cn'
+        mock_vdg.return_value = ('date1', 'date2')
+        result = {'publicKey': 'pubkey', 'profileName': None, 'issuerName': None, 'cn': 'cn', 'notBefore': 'date1', 'notAfter': 'date2'}
+        self.assertEqual(result, self.cahandler._enrollment_dic_create('csr'))
+
+
+if __name__ == '__main__':
+
+    unittest.main()
diff --git a/test/test_certificate.py b/test/test_certificate.py
index 20a1d697..b8d6d886 100644
--- a/test/test_certificate.py
+++ b/test/test_certificate.py
@@ -45,25 +45,37 @@ def test_001_certificate_store_csr(self, mock_name):
         mock_name.return_value = 'bar'
         self.assertEqual('bar', self.certificate.store_csr('order_name', 'csr', 'header_info'))
 
+    @patch('acme_srv.certificate.cert_aki_get')
+    @patch('acme_srv.certificate.cert_serial_get')
     @patch('acme_srv.certificate.Certificate._renewal_info_get')
-    def test_002_certificate__store_cert(self, mock_renew):
+    def test_002_certificate__store_cert(self, mock_renew, mock_serial, mock_aki):
         """ test Certificate.store_cert() and check if we get something back """
         self.certificate.dbstore.certificate_add.return_value = 'bar'
         mock_renew.return_value = 'renewal_info'
+        mock_serial.return_value = 'serial'
+        mock_aki.return_value = 'aki'
         self.assertEqual('bar', self.certificate._store_cert('cert_name', 'cert', 'raw'))
         self.assertTrue(mock_renew.called)
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_aki.called)
 
+    @patch('acme_srv.certificate.cert_aki_get')
+    @patch('acme_srv.certificate.cert_serial_get')
     @patch('acme_srv.certificate.generate_random_string')
-    def test_003_certificate_store_csr(self, mock_name):
+    def test_003_certificate_store_csr(self, mock_name, mock_serial, mock_aki):
         """ test Certificate.store_csr() with an exception store_csr """
         self.certificate.dbstore.certificate_add.side_effect = Exception('exc_cert_add')
         mock_name.return_value = 'bar'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual('bar', self.certificate.store_csr('order_name', 'csr', 'header_info'))
         self.assertIn('CRITICAL:test_a2c:Database error in Certificate.store_csr(): exc_cert_add', lcm.output)
+        self.assertFalse(mock_serial.called)
+        self.assertFalse(mock_aki.called)
 
+    @patch('acme_srv.certificate.cert_aki_get')
+    @patch('acme_srv.certificate.cert_serial_get')
     @patch('acme_srv.certificate.Certificate._renewal_info_get')
-    def test_004_certificate__store_cert(self, mock_renew):
+    def test_004_certificate__store_cert(self, mock_renew, mock_serial, mock_aki):
         """ test Certificate.store_cert() and check if we get something back """
         self.certificate.dbstore.certificate_add.side_effect = Exception('exc_cert_add')
         mock_renew.return_value = 'renewal_info'
@@ -71,6 +83,8 @@ def test_004_certificate__store_cert(self, mock_renew):
             self.assertFalse(self.certificate._store_cert('cert_name', 'cert', 'raw'))
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._store_cert(): exc_cert_add', lcm.output)
         self.assertTrue(mock_renew.called)
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_aki.called)
 
     def test_005_certificate__info(self):
         """ test Certificate.new_get() """
@@ -228,20 +242,42 @@ def test_027_certificate__authorization_check(self, mock_san):
         mock_san.return_value = ['san1.example.com']
         self.assertFalse(self.certificate._authorization_check('order_name', 'cert'))
 
-    def test_028_certificate__revocation_request_validate(self):
+    @patch('acme_srv.certificate.cert_cn_get')
+    @patch('acme_srv.certificate.cert_san_get')
+    def test_028_certificate__authorization_check(self, mock_san, mock_cn):
+        """ test Certificate.authorization_check with lowercase SAN entries and uppercase entries in identifier list"""
+        self.certificate.cn2san_add = True
+        self.certificate.dbstore.order_lookup.return_value = {'identifiers' : '[{"TYPE": "DNS", "VALUE": "SAN1.EXAMPLE.COM"}]'}
+        mock_san.return_value = ['dns:san1.example.com']
+        mock_cn.return_value = []
+        self.assertTrue(self.certificate._authorization_check('order_name', 'cert'))
+        self.assertTrue(mock_cn.called)
+
+    @patch('acme_srv.certificate.cert_cn_get')
+    @patch('acme_srv.certificate.cert_san_get')
+    def test_029_certificate__authorization_check(self, mock_san, mock_cn):
+        """ test Certificate.authorization_check with lowercase SAN entries and uppercase entries in identifier list"""
+        self.certificate.cn2san_add = True
+        self.certificate.dbstore.order_lookup.return_value = {'identifiers' : '[{"type": "dns", "value": "san1.example.com"}]'}
+        mock_san.return_value = []
+        mock_cn.return_value = 'san1.example.com'
+        self.assertTrue(self.certificate._authorization_check('order_name', 'cert'))
+        self.assertTrue(mock_cn.called)
+
+    def test_030_certificate__revocation_request_validate(self):
         """ test Certificate.revocation_request_validate empty payload"""
         payload = {}
         self.assertEqual((400, 'unspecified'), self.certificate._revocation_request_validate('account_name', payload))
 
     @patch('acme_srv.certificate.Certificate._revocation_reason_check')
-    def test_029_certificate__revocation_request_validate(self, mock_revrcheck):
+    def test_031_certificate__revocation_request_validate(self, mock_revrcheck):
         """ test Certificate.revocation_request_validate reason_check returns None"""
         payload = {'reason' : 0}
         mock_revrcheck.return_value = False
         self.assertEqual((400, 'urn:ietf:params:acme:error:badRevocationReason'), self.certificate._revocation_request_validate('account_name', payload))
 
     @patch('acme_srv.certificate.Certificate._revocation_reason_check')
-    def test_030_certificate__revocation_request_validate(self, mock_revrcheck):
+    def test_032_certificate__revocation_request_validate(self, mock_revrcheck):
         """ test Certificate.revocation_request_validate reason_check returns a reason"""
         payload = {'reason' : 0}
         mock_revrcheck.return_value = 'revrcheck'
@@ -250,7 +286,7 @@ def test_030_certificate__revocation_request_validate(self, mock_revrcheck):
     @patch('acme_srv.certificate.Certificate._authorization_check')
     @patch('acme_srv.certificate.Certificate._account_check')
     @patch('acme_srv.certificate.Certificate._revocation_reason_check')
-    def test_031_certificate__revocation_request_validate(self, mock_revrcheck, mock_account, mock_authz):
+    def test_033_certificate__revocation_request_validate(self, mock_revrcheck, mock_account, mock_authz):
         """ test Certificate.revocation_request_validate authz_check failed"""
         payload = {'reason' : 0, 'certificate': 'certificate'}
         mock_revrcheck.return_value = 'revrcheck'
@@ -261,7 +297,7 @@ def test_031_certificate__revocation_request_validate(self, mock_revrcheck, mock
     @patch('acme_srv.certificate.Certificate._authorization_check')
     @patch('acme_srv.certificate.Certificate._account_check')
     @patch('acme_srv.certificate.Certificate._revocation_reason_check')
-    def test_032_certificate__revocation_request_validate(self, mock_revrcheck, mock_account, mock_authz):
+    def test_034_certificate__revocation_request_validate(self, mock_revrcheck, mock_account, mock_authz):
         """ test Certificate.revocation_request_validate authz_check succeed"""
         payload = {'reason' : 0, 'certificate': 'certificate'}
         mock_revrcheck.return_value = 'revrcheck'
@@ -271,7 +307,7 @@ def test_032_certificate__revocation_request_validate(self, mock_revrcheck, mock
 
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.message.Message.check')
-    def test_033_certificate_revoke(self, mock_mcheck, mock_nnonce):
+    def test_035_certificate_revoke(self, mock_mcheck, mock_nnonce):
         """ test Certificate.revoke with failed message check """
         mock_mcheck.return_value = (400, 'message', 'detail', None, None, 'account_name')
         mock_nnonce.return_value = 'new_nonce'
@@ -280,7 +316,7 @@ def test_033_certificate_revoke(self, mock_mcheck, mock_nnonce):
 
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.message.Message.check')
-    def test_034_certificate_revoke(self, mock_mcheck, mock_nnonce):
+    def test_036_certificate_revoke(self, mock_mcheck, mock_nnonce):
         """ test Certificate.revoke with incorrect payload """
         mock_mcheck.return_value = (200, 'message', 'detail', None, {}, 'account_name')
         mock_nnonce.return_value = 'new_nonce'
@@ -290,7 +326,7 @@ def test_034_certificate_revoke(self, mock_mcheck, mock_nnonce):
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.certificate.Certificate._revocation_request_validate')
     @patch('acme_srv.message.Message.check')
-    def test_035_certificate_revoke(self, mock_mcheck, mock_validate, mock_nnonce):
+    def test_037_certificate_revoke(self, mock_mcheck, mock_validate, mock_nnonce):
         """ test Certificate.revoke with failed request validation """
         mock_mcheck.return_value = (200, None, None, None, {'certificate' : 'certificate'}, 'account_name')
         mock_validate.return_value = (400, 'error')
@@ -301,7 +337,7 @@ def test_035_certificate_revoke(self, mock_mcheck, mock_validate, mock_nnonce):
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.certificate.Certificate._revocation_request_validate')
     @patch('acme_srv.message.Message.check')
-    def test_036_certificate_revoke(self, mock_mcheck, mock_validate, mock_nnonce):
+    def test_038_certificate_revoke(self, mock_mcheck, mock_validate, mock_nnonce):
         """ test Certificate.revoke with sucessful request validation """
         mock_mcheck.return_value = (200, None, None, None, {'certificate' : 'certificate'}, 'account_name')
         mock_validate.return_value = (200, 'reason')
@@ -311,212 +347,212 @@ def test_036_certificate_revoke(self, mock_mcheck, mock_validate, mock_nnonce):
         self.certificate.cahandler.revoke = Mock(return_value=(200, 'message', 'detail'))
         self.assertEqual({'code': 200, 'header': {'Replay-Nonce': 'new_nonce'}}, self.certificate.revoke('content'))
 
-    def test_037_certificate__revocation_reason_check(self):
+    def test_039_certificate__revocation_reason_check(self):
         """ test Certicate.revocation_reason_check() with a valid revocation reason"""
         self.assertEqual('unspecified', self.certificate._revocation_reason_check(0))
 
-    def test_038_certificate__revocation_reason_check(self):
+    def test_040_certificate__revocation_reason_check(self):
         """ test Certicate.revocation_reason_check() with an invalid revocation reason"""
         self.assertFalse(self.certificate._revocation_reason_check(2))
 
-    def test_039_certificate__tnauth_identifier_check(self):
+    def test_041_certificate__tnauth_identifier_check(self):
         """ identifier check empty """
         identifier_dic = []
         self.assertFalse(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_040_certificate__tnauth_identifier_check(self):
+    def test_042_certificate__tnauth_identifier_check(self):
         """ identifier check none input"""
         identifier_dic = None
         self.assertFalse(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_041_certificate__tnauth_identifier_check(self):
+    def test_043_certificate__tnauth_identifier_check(self):
         """ identifier check none input"""
         identifier_dic = 'foo'
         self.assertFalse(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_042_certificate__tnauth_identifier_check(self):
+    def test_044_certificate__tnauth_identifier_check(self):
         """ identifier check one identifier """
         identifier_dic = [{'foo': 'bar'}]
         self.assertFalse(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_043_certificate__tnauth_identifier_check(self):
+    def test_045_certificate__tnauth_identifier_check(self):
         """ identifier check two identifiers """
         identifier_dic = [{'foo': 'bar'}, {'foo': 'bar'}]
         self.assertFalse(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_044_certificate__tnauth_identifier_check(self):
+    def test_046_certificate__tnauth_identifier_check(self):
         """ identifier check hit first identifiers """
         identifier_dic = [{'type': 'bar'}, {'foo': 'bar'}]
         self.assertFalse(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_045_certificate__tnauth_identifier_check(self):
+    def test_047_certificate__tnauth_identifier_check(self):
         """ identifier check hit first identifiers """
         identifier_dic = [{'type': 'TNAUTHLIST'}, {'foo': 'bar'}]
         self.assertTrue(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_046_certificate__tnauth_identifier_check(self):
+    def test_048_certificate__tnauth_identifier_check(self):
         """ identifier check hit first identifiers """
         identifier_dic = [{'type': 'tnauthlist'}, {'foo': 'bar'}]
         self.assertTrue(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_047_certificate__tnauth_identifier_check(self):
+    def test_049_certificate__tnauth_identifier_check(self):
         """ identifier check hit 2nd identifiers """
         identifier_dic = [{'type': 'bar'}, {'type': 'tnauthlist'}]
         self.assertTrue(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_048_certificate__tnauth_identifier_check(self):
+    def test_050_certificate__tnauth_identifier_check(self):
         """ identifier check hit 2nd identifiers """
         identifier_dic = [{'type': 'bar'}, {'type': 'TNAUTHLIST'}]
         self.assertTrue(self.certificate._tnauth_identifier_check(identifier_dic))
 
-    def test_049_certificate__identifer_status_list(self):
+    def test_051_certificate__identifer_status_list(self):
         """ failed check identifiers against san """
         identifier_dic = [{'foo': 'bar'}, {'foo': 'bar'}]
         san_list = ['foo:bar', 'foo:bar']
         self.assertEqual([False, False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_050_certificate__identifer_status_list(self):
+    def test_052_certificate__identifer_status_list(self):
         """ failed check no sans """
         identifier_dic = [{'foo': 'bar'}]
         san_list = []
         self.assertEqual([False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_051_certificate__identifer_status_list(self):
+    def test_053_certificate__identifer_status_list(self):
         """ failed check no identifiers """
         identifier_dic = []
         san_list = ['foo:bar']
         self.assertEqual([False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_052_certificate__identifer_status_list(self):
+    def test_054_certificate__identifer_status_list(self):
         """ failed check no identifiers """
         identifier_dic = []
         san_list = ['bar']
         self.assertEqual([False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_053_certificate__identifer_status_list(self):
+    def test_055_certificate__identifer_status_list(self):
         """ succ check no identifiers """
         identifier_dic = [{'type': 'dns', 'value': 'bar'}]
         san_list = ['dns:bar']
         self.assertEqual([True], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_054_certificate__identifer_status_list(self):
+    def test_056_certificate__identifer_status_list(self):
         """ failed check san in identifier """
         identifier_dic = [{'type': 'dns', 'value': 'bar1'}]
         san_list = ['dns:bar']
         self.assertEqual([False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_055_certificate__identifer_status_list(self):
+    def test_057_certificate__identifer_status_list(self):
         """ failed check identifier in san """
         identifier_dic = [{'type': 'dns', 'value': 'bar'}]
         san_list = ['dns:bar1']
         self.assertEqual([False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_056_certificate__identifer_status_list(self):
+    def test_058_certificate__identifer_status_list(self):
         """ failed check identifier one identifier two sans"""
         identifier_dic = [{'type': 'dns', 'value': 'bar'}]
         san_list = ['dns:bar', 'dns:bar2']
         self.assertEqual([True, False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_057_certificate__identifer_status_list(self):
+    def test_059_certificate__identifer_status_list(self):
         """ failed check identifier two identifier one san"""
         identifier_dic = [{'type': 'dns', 'value': 'bar1'}, {'type': 'dns', 'value': 'bar2'}]
         san_list = ['dns:bar1']
         self.assertEqual([True], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_058_certificate__identifer_status_list(self):
+    def test_060_certificate__identifer_status_list(self):
         """ failed check identifier both ok"""
         identifier_dic = [{'type': 'dns', 'value': 'bar1'}, {'type': 'dns', 'value': 'bar2'}]
         san_list = ['dns:bar1', 'dns:bar2']
         self.assertEqual([True, True], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_059_certificate__identifer_status_list(self):
+    def test_061_certificate__identifer_status_list(self):
         """ failed check identifier both ok - wrong order"""
         identifier_dic = [{'type': 'dns', 'value': 'bar1'}, {'type': 'dns', 'value': 'bar2'}]
         san_list = ['dns:bar2', 'dns:bar1']
         self.assertEqual([True, True], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_060_certificate__identifer_status_list(self):
+    def test_062_certificate__identifer_status_list(self):
         """ failed check identifier first ok 2nd nok"""
         identifier_dic = [{'type': 'dns', 'value': 'bar1'}, {'type': 'dns', 'value': 'bar'}]
         san_list = ['dns:bar1', 'dns:bar2']
         self.assertEqual([True, False], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_061_certificate__identifer_status_list(self):
+    def test_063_certificate__identifer_status_list(self):
         """ failed check identifier first nook 2nd ok"""
         identifier_dic = [{'type': 'dns', 'value': 'bar1'}, {'type': 'dns', 'value': 'bar2'}]
         san_list = ['dns:bar', 'dns:bar2']
         self.assertEqual([False, True], self.certificate._identifer_status_list(identifier_dic, san_list))
 
-    def test_062_certificate__identifer_tnauth_list(self):
+    def test_064_certificate__identifer_tnauth_list(self):
         """ empty identifier dic but tnauth exists """
         identifier_dic = []
         tnauthlist = 'foo'
         self.assertEqual([False], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
-    def test_063_certificate__identifer_tnauth_list(self):
+    def test_065_certificate__identifer_tnauth_list(self):
         """ identifier dic but no tnauth """
         identifier_dic = {'foo': 'bar'}
         tnauthlist = None
         self.assertEqual([False], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
-    def test_064_certificate__identifer_tnauth_list(self):
+    def test_066_certificate__identifer_tnauth_list(self):
         """ wrong identifier """
         identifier_dic = {'identifiers': '[{"foo": "bar"}]'}
         tnauthlist = 'foo'
         self.assertEqual([False], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
-    def test_065_certificate__identifer_tnauth_list(self):
+    def test_067_certificate__identifer_tnauth_list(self):
         """ wrong type """
         identifier_dic = {'identifiers': '[{"type": "bar"}]'}
         tnauthlist = 'foo'
         self.assertEqual([False], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
-    def test_066_certificate__identifer_tnauth_list(self):
+    def test_068_certificate__identifer_tnauth_list(self):
         """ correct type but no value"""
         identifier_dic = {'identifiers': '[{"type": "TnAuThLiSt"}]'}
         tnauthlist = 'foo'
         self.assertEqual([False], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
-    def test_067_certificate__identifer_tnauth_list(self):
+    def test_069_certificate__identifer_tnauth_list(self):
         """ correct type but wrong value"""
         identifier_dic = {'identifiers': '[{"type": "TnAuThLiSt", "value": "bar"}]'}
         tnauthlist = 'foo'
         self.assertEqual([False], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
-    def test_068_certificate__identifer_tnauth_list(self):
+    def test_070_certificate__identifer_tnauth_list(self):
         """ correct type but wrong value"""
         identifier_dic = {'identifiers': '[{"type": "TnAuThLiSt", "value": "foo"}]'}
         tnauthlist = 'foo'
         self.assertEqual([True], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
-    def test_069_certificate__identifer_tnauth_list(self):
+    def test_071_certificate__identifer_tnauth_list(self):
         """ correct type but wrong value"""
         identifier_dic = {'identifiers': '[{"type": "TnAuThLiSt", "value": "foo"}, {"type": "dns", "value": "foo"}]'}
         tnauthlist = 'foo'
         self.assertEqual([True, False], self.certificate._identifer_tnauth_list(identifier_dic, tnauthlist))
 
     @patch('acme_srv.certificate.Certificate._info')
-    def test_070_certificate__csr_check(self, mock_certinfo):
+    def test_072_certificate__csr_check(self, mock_certinfo):
         """ csr-check certname lookup failed """
         mock_certinfo.return_value = {}
         self.assertFalse(self.certificate._csr_check('cert_name', 'csr'))
 
     @patch('acme_srv.certificate.Certificate._info')
-    def test_071_certificate__csr_check(self, mock_certinfo):
+    def test_073_certificate__csr_check(self, mock_certinfo):
         """ csr-check order lookup failed """
         mock_certinfo.return_value = {'order': 'order'}
         self.certificate.dbstore.order_lookup.return_value = {}
         self.assertFalse(self.certificate._csr_check('cert_name', 'csr'))
 
     @patch('acme_srv.certificate.Certificate._info')
-    def test_072_certificate__csr_check(self, mock_certinfo):
+    def test_074_certificate__csr_check(self, mock_certinfo):
         """ csr-check order lookup returns rubbish """
         mock_certinfo.return_value = {'order': 'order'}
         self.certificate.dbstore.order_lookup.return_value = {'foo': 'bar'}
         self.assertFalse(self.certificate._csr_check('cert_name', 'csr'))
 
     @patch('acme_srv.certificate.Certificate._info')
-    def test_073_certificate__csr_check(self, mock_certinfo):
+    def test_075_certificate__csr_check(self, mock_certinfo):
         """ csr-check order lookup returns an identifier """
         mock_certinfo.return_value = {'order': 'order'}
         self.certificate.dbstore.order_lookup.return_value = {'foo': 'bar', 'identifiers': 'bar'}
@@ -524,7 +560,7 @@ def test_073_certificate__csr_check(self, mock_certinfo):
 
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_074_certificate__csr_check(self, mock_certinfo, mock_tnauthin):
+    def test_076_certificate__csr_check(self, mock_certinfo, mock_tnauthin):
         """ csr-check no tnauth """
         mock_certinfo.return_value = {'order': 'order'}
         mock_tnauthin.return_value = False
@@ -535,7 +571,7 @@ def test_074_certificate__csr_check(self, mock_certinfo, mock_tnauthin):
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_075_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_077_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check no tnauth  status true """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -548,7 +584,7 @@ def test_075_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_076_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_078_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check no tnauth  status False """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -561,7 +597,7 @@ def test_076_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_077_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_079_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check no tnauth  status True, False """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -574,7 +610,7 @@ def test_077_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_078_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_080_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check no tnauth  status True, False, True """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -587,7 +623,7 @@ def test_078_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_079_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_081_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check tnauth  but tnauthlist_support off  """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -600,7 +636,7 @@ def test_079_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_080_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_082_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check tnauth  but tnauthlist_support on and returns true  """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -614,7 +650,7 @@ def test_080_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_081_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_083_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check tnauth  but tnauthlist_support on and returns true  """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -628,7 +664,7 @@ def test_081_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_082_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_084_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check tnauth  but tnauthlist_support on and returns True, False  """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -642,7 +678,7 @@ def test_082_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_083_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_085_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check tnauth  but tnauthlist_support on and returns True, False  """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -656,7 +692,7 @@ def test_083_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.Certificate._info')
-    def test_084_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
+    def test_086_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_status, mock_san):
         """ csr-check tnauth  but tnauthlist_support on and returns True, False  """
         mock_certinfo.return_value = {'order': 'order'}
         mock_san.return_value = ['foo']
@@ -668,23 +704,23 @@ def test_084_certificate__csr_check(self, mock_certinfo, mock_tnauthin, mock_sta
             self.assertFalse(self.certificate._csr_check('cert_name', 'csr'))
         self.assertIn('WARNING:test_a2c:Certificate._csr_check() error while parsing csr.\nerror: mock_status', lcm.output)
 
-    def test_085_certificate__authorization_check(self):
+    def test_087_certificate__authorization_check(self):
         """ _authorization_check order lookup failed """
         self.certificate.dbstore.order_lookup.return_value = {}
         self.assertFalse(self.certificate._authorization_check('order_name', 'cert'))
 
-    def test_086_certificate__authorization_check(self):
+    def test_088_certificate__authorization_check(self):
         """ _authorization_check order lookup returns rubbish """
         self.certificate.dbstore.order_lookup.return_value = {'foo': 'bar'}
         self.assertFalse(self.certificate._authorization_check('order_name', 'cert'))
 
-    def test_087_certificate__authorization_check(self):
+    def test_089_certificate__authorization_check(self):
         """ _authorization_check order lookup returns an identifier """
         self.certificate.dbstore.order_lookup.return_value = {'foo': 'bar', 'identifiers': 'bar'}
         self.assertFalse(self.certificate._authorization_check('order_name', 'cert'))
 
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_088_certificate__authorization_check(self, mock_tnauthin):
+    def test_090_certificate__authorization_check(self, mock_tnauthin):
         """ _authorization_check no tnauth """
         mock_tnauthin.return_value = False
         self.certificate.dbstore.order_lookup.return_value = {'foo': 'bar', 'identifiers': 'bar'}
@@ -693,7 +729,7 @@ def test_088_certificate__authorization_check(self, mock_tnauthin):
     @patch('acme_srv.certificate.cert_san_get')
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_089_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_091_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check no tnauth  status true """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = False
@@ -704,7 +740,7 @@ def test_089_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_san_get')
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_090_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_092_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check no tnauth  status true """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = False
@@ -715,7 +751,7 @@ def test_090_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_san_get')
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_091_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_093_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check no tnauth  status False """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = False
@@ -726,7 +762,7 @@ def test_091_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_san_get')
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_092_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_094_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check no tnauth  status True, False """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = False
@@ -737,7 +773,7 @@ def test_092_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_san_get')
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_093_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_095_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check no tnauth  status True, False, True """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = False
@@ -748,7 +784,7 @@ def test_093_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_san_get')
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_094_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_096_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check tnauth  but tnauthlist_support off  """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = True
@@ -759,7 +795,7 @@ def test_094_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_extensions_get')
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_095_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_097_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check tnauth  but tnauthlist_support on and returns true  """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = True
@@ -771,7 +807,7 @@ def test_095_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_extensions_get')
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_096_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_098_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check tnauth  but tnauthlist_support on and returns true  """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = True
@@ -783,7 +819,7 @@ def test_096_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_extensions_get')
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_097_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_099_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check tnauth  but tnauthlist_support on and returns True, False  """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = True
@@ -795,7 +831,7 @@ def test_097_certificate__authorization_check(self, mock_tnauthin, mock_status,
     @patch('acme_srv.certificate.cert_extensions_get')
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
-    def test_098_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
+    def test_100_certificate__authorization_check(self, mock_tnauthin, mock_status, mock_san):
         """ _authorization_check tnauth  but tnauthlist_support on and returns True, False  """
         mock_san.return_value = ['foo']
         mock_tnauthin.return_value = True
@@ -805,7 +841,7 @@ def test_098_certificate__authorization_check(self, mock_tnauthin, mock_status,
         self.assertFalse(self.certificate._authorization_check('cert_name', 'cert'))
 
     @patch('acme_srv.certificate.Certificate._csr_check')
-    def test_099_certificate_enroll_and_store(self, mock_csr):
+    def test_101_certificate_enroll_and_store(self, mock_csr):
         """ Certificate.enroll_and_store() csr_check failed """
         mock_csr.return_value = False
         certificate_name = 'cert_name'
@@ -815,7 +851,7 @@ def test_099_certificate_enroll_and_store(self, mock_csr):
     @patch('acme_srv.threadwithreturnvalue.ThreadWithReturnValue.join')
     @patch('acme_srv.threadwithreturnvalue.ThreadWithReturnValue.start')
     @patch('acme_srv.certificate.Certificate._csr_check')
-    def test_100_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
+    def test_102_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
         """ Certificate.enroll_and_store() csr_check successful - timeout during enrollment """
         mock_csr.return_value = True
         tr_start.return_value = True
@@ -827,7 +863,7 @@ def test_100_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
     @patch('acme_srv.threadwithreturnvalue.ThreadWithReturnValue.join')
     @patch('acme_srv.threadwithreturnvalue.ThreadWithReturnValue.start')
     @patch('acme_srv.certificate.Certificate._csr_check')
-    def test_101_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
+    def test_103_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
         """ Certificate.enroll_and_store() csr_check successful - enrollment returns something useful """
         mock_csr.return_value = True
         tr_start.return_value = True
@@ -839,7 +875,7 @@ def test_101_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
     @patch('acme_srv.threadwithreturnvalue.ThreadWithReturnValue.join')
     @patch('acme_srv.threadwithreturnvalue.ThreadWithReturnValue.start')
     @patch('acme_srv.certificate.Certificate._csr_check')
-    def test_102_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
+    def test_104_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
         """ Certificate.enroll_and_store() csr_check successful - enrollment returns something unexpected """
         mock_csr.return_value = True
         tr_start.return_value = True
@@ -854,7 +890,7 @@ def test_102_certificate_enroll_and_store(self, mock_csr, tr_start, tr_join):
     @patch('acme_srv.certificate.Certificate._order_update')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_103_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_oupd, mock_chk):
+    def test_105_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment failed without polling_identifier """
         # self.certificate.dbstore.order_update.return_value = 'foo'
         mock_store_err.return_value = True
@@ -877,7 +913,7 @@ def test_103_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.Certificate._order_update')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_104_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_oupd, mock_chk):
+    def test_106_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment failed with polling_identifier - no order update """
         mock_store_err.return_value = True
         mock_store.return_value = True
@@ -899,7 +935,7 @@ def test_104_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.Certificate._order_update')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_105_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_oupd, mock_chk):
+    def test_107_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment failed - exception in store_cert_error"""
         self.certificate.dbstore.order_update.return_value = 'foo'
         mock_store_err.side_effect = Exception('ex_cert_error_store')
@@ -910,7 +946,7 @@ def test_105_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, 'error', 'poll_identifier'), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._enroll_and_store() _store_cert_error: ex_cert_error_store', lcm.output)
+        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._enrollerror_handler() _store_cert_error: ex_cert_error_store', lcm.output)
         self.assertIn('ERROR:test_a2c:acme2certifier enrollment error: error', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertFalse(mock_oupd.called)
@@ -923,7 +959,7 @@ def test_105_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_106_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_108_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment succhessful with polling_identifier"""
         mock_store_err.return_value = True
         mock_store.return_value = True
@@ -946,7 +982,7 @@ def test_106_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_107_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_109_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment succhessful without polling_identifier"""
         mock_store_err.return_value = True
         mock_store.return_value = True
@@ -969,7 +1005,7 @@ def test_107_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_108_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_110_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment succhessful _store_cert returns None """
         mock_store_err.return_value = True
         mock_store.return_value = None
@@ -992,7 +1028,7 @@ def test_108_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_109_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_111_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment Exception in store_cert """
         mock_store_err.return_value = True
         mock_store.side_effect = Exception('ex_cert_store')
@@ -1004,7 +1040,7 @@ def test_109_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, None, None), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._enroll_and_store(): ex_cert_store', lcm.output)
+        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._store(): ex_cert_store', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1017,7 +1053,7 @@ def test_109_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_110_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_112_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store()  _cert_reusage_check successful """
         self.certificate.cert_reusage_timeframe = 86400
         mock_chk.return_value = (None, 'certificate', 'certificate_raw', 'poll_identifier')
@@ -1042,7 +1078,7 @@ def test_110_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_111_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_113_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store()  _cert_reusage_check no cert """
         self.certificate.cert_reusage_timeframe = 86400
         mock_chk.return_value = (None, None, 'certificate_raw', 'poll_identifier')
@@ -1067,7 +1103,7 @@ def test_111_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_112_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_114_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store()  _cert_reusage_check no cert_raw """
         self.certificate.cert_reusage_timeframe = 86400
         mock_chk.return_value = (None, 'certificate', None, 'poll_identifier')
@@ -1092,7 +1128,7 @@ def test_112_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_113_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_115_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store()  _cert_reusage_check no cert and no cert_raw """
         self.certificate.cert_reusage_timeframe = 86400
         mock_chk.return_value = (None, None, None, 'poll_identifier')
@@ -1117,7 +1153,7 @@ def test_113_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_114_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_116_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment hooks successful """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1148,7 +1184,7 @@ def test_114_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_115_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_117_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment pre_hook exception """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1165,7 +1201,7 @@ def test_115_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, 'pre_hook_error', 'ex_pre_hook'), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store(): pre_hook exception: ex_pre_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._pre_hooks_process(): pre_hook exception: ex_pre_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertFalse(mock_dates.called)
         self.assertFalse(mock_store.called)
@@ -1181,7 +1217,7 @@ def test_115_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_116_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_118_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment pre_hook exception / ingore_pre_hook_failure is set to true """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1199,7 +1235,8 @@ def test_116_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((True, None, None), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store(): pre_hook exception: ex_pre_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._pre_hooks_process(): pre_hook exception: ex_pre_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._store()', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1215,7 +1252,7 @@ def test_116_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_117_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_119_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment pre_hook exception  / ingore_pre_hook_failure is set to false """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1233,7 +1270,7 @@ def test_117_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, 'pre_hook_error', 'ex_pre_hook'), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store(): pre_hook exception: ex_pre_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._pre_hooks_process(): pre_hook exception: ex_pre_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertFalse(mock_dates.called)
         self.assertFalse(mock_store.called)
@@ -1249,7 +1286,7 @@ def test_117_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_118_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_120_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment success_hook exception """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1266,7 +1303,7 @@ def test_118_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, 'success_hook_error', 'ex_success_hook'), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store: success_hook exception: ex_success_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._store: success_hook exception: ex_success_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1282,7 +1319,7 @@ def test_118_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_119_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_121_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment success_hook exception   / ignore_success_hook_failure is set to False """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1300,7 +1337,7 @@ def test_119_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, 'success_hook_error', 'ex_success_hook'), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store: success_hook exception: ex_success_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._store: success_hook exception: ex_success_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1316,7 +1353,7 @@ def test_119_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_120_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_122_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment success_hook exception   / ignore_success_hook_failure is set to True """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1334,7 +1371,7 @@ def test_120_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((True, None, None), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store: success_hook exception: ex_success_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._store: success_hook exception: ex_success_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1350,7 +1387,7 @@ def test_120_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_121_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_123_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment post_hook exception """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1367,7 +1404,7 @@ def test_121_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((True, None, None), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store(): post_hook exception: ex_post_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._post_hooks_process(): post_hook exception: ex_post_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1383,7 +1420,7 @@ def test_121_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_122_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_124_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment post_hook exception / ignore_post_hook_failure is set to True """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1401,7 +1438,7 @@ def test_122_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((True, None, None), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store(): post_hook exception: ex_post_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._post_hooks_process(): post_hook exception: ex_post_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1417,7 +1454,7 @@ def test_122_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.Certificate._store_cert_error')
-    def test_123_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
+    def test_125_certificate_enroll_and_store(self, mock_store_err, mock_store, mock_dates, mock_oupd, mock_chk):
         """ Certificate.enroll_and_store() enrollment post_hook exception / ignore_post_hook_failure is set to False """
         hooks_module = importlib.import_module('examples.hooks.skeleton_hooks')
         self.certificate.hooks = hooks_module.Hooks(self.logger)
@@ -1435,7 +1472,7 @@ def test_123_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         csr = 'csr'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, 'post_hook_error', 'ex_post_hook'), self.certificate._enroll_and_store(certificate_name, csr))
-        self.assertIn('ERROR:test_a2c:Certificate._enroll_and_store(): post_hook exception: ex_post_hook', lcm.output)
+        self.assertIn('ERROR:test_a2c:Certificate._post_hooks_process(): post_hook exception: ex_post_hook', lcm.output)
         self.assertFalse(mock_chk.called)
         self.assertTrue(mock_dates.called)
         self.assertTrue(mock_store.called)
@@ -1446,44 +1483,44 @@ def test_123_certificate_enroll_and_store(self, mock_store_err, mock_store, mock
         self.assertTrue(self.certificate.hooks.success_hook.called)
         self.assertTrue(self.certificate.hooks.post_hook.called)
 
-    def test_124_certificate__invalidation_check(self):
+    def test_126_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - empty dict """
         cert_entry = {}
         timestamp = 1596240000
         self.assertEqual((True, {}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_125_certificate__invalidation_check(self):
+    def test_127_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - wrong dict """
         cert_entry = {'foo': 'bar'}
         timestamp = 1596240000
         self.assertEqual((True, {'foo': 'bar'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_126_certificate__invalidation_check(self):
+    def test_128_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - certname in but rest ist wrong """
         cert_entry = {'name': 'certname', 'foo': 'bar'}
         timestamp = 1596240000
         self.assertEqual((False, {'name': 'certname', 'foo': 'bar'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_127_certificate__invalidation_check(self):
+    def test_129_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - non zero expiry date """
         cert_entry = {'name': 'certname', 'expire_uts': 10}
         timestamp = 1596240000
         self.assertEqual((True, {'expire_uts': 10, 'name': 'certname'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_128_certificate__invalidation_check(self):
+    def test_130_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - expire_uts zero but no cert_raw """
         cert_entry = {'name': 'certname', 'expire_uts': 0}
         timestamp = 1596240000
         self.assertEqual((True, {'expire_uts': 0, 'name': 'certname'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_129_certificate__invalidation_check(self):
+    def test_131_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - expire_uts zero but no cert_raw """
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'cert_raw': 'cert_raw'}
         timestamp = 1596240000
         self.assertEqual((False, {'expire_uts': 0, 'name': 'certname', 'cert_raw': 'cert_raw'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
     @patch('acme_srv.certificate.cert_dates_get')
-    def test_130_certificate__invalidation_check(self, mock_dates):
+    def test_132_certificate__invalidation_check(self, mock_dates):
         """ test Certificate._invalidation_check() - with expiry date lower than timestamp """
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'cert_raw': 'cert_raw'}
         mock_dates.return_value = (10, 1596200000)
@@ -1491,7 +1528,7 @@ def test_130_certificate__invalidation_check(self, mock_dates):
         self.assertEqual((True, {'expire_uts': 1596200000, 'issue_uts': 10, 'name': 'certname', 'cert_raw': 'cert_raw'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
     @patch('acme_srv.certificate.cert_dates_get')
-    def test_131_certificate__invalidation_check(self, mock_dates):
+    def test_133_certificate__invalidation_check(self, mock_dates):
         """ test Certificate._invalidation_check() - with expiry date at timestamp """
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'cert_raw': 'cert_raw'}
         mock_dates.return_value = (10, 1596240000)
@@ -1499,21 +1536,21 @@ def test_131_certificate__invalidation_check(self, mock_dates):
         self.assertEqual((False, {'expire_uts': 0, 'name': 'certname', 'cert_raw': 'cert_raw'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
     @patch('acme_srv.certificate.cert_dates_get')
-    def test_132_certificate__invalidation_check(self, mock_dates):
+    def test_134_certificate__invalidation_check(self, mock_dates):
         """ test Certificate._invalidation_check() - with expiry date higher than timestamp """
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'cert_raw': 'cert_raw'}
         mock_dates.return_value = (10, 1596250000)
         timestamp = 1596240000
         self.assertEqual((False, {'expire_uts': 0, 'name': 'certname', 'cert_raw': 'cert_raw'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_133_certificate__invalidation_check(self):
+    def test_135_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - without created_at date """
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'csr': 'csr'}
         timestamp = 1596240000
         self.assertEqual((False, {'expire_uts': 0, 'name': 'certname', 'csr': 'csr'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
     @patch('acme_srv.certificate.date_to_uts_utc')
-    def test_134_certificate__invalidation_check(self, mock_date):
+    def test_136_certificate__invalidation_check(self, mock_date):
         """ test Certificate._invalidation_check() - with zero created_at date """
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'csr': 'csr', 'created_at': 'created_at'}
         mock_date.return_value = 0
@@ -1521,7 +1558,7 @@ def test_134_certificate__invalidation_check(self, mock_date):
         self.assertEqual((False, {'expire_uts': 0, 'name': 'certname', 'csr': 'csr', 'created_at': 'created_at'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
     @patch('acme_srv.certificate.date_to_uts_utc')
-    def test_135_certificate__invalidation_check(self, mock_date):
+    def test_137_certificate__invalidation_check(self, mock_date):
         """ test Certificate._invalidation_check() - with zero created_at date lower than threshold"""
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'csr': 'csr', 'created_at': 'created_at'}
         mock_date.return_value = 1591240000
@@ -1529,39 +1566,41 @@ def test_135_certificate__invalidation_check(self, mock_date):
         self.assertEqual((True, {'expire_uts': 0, 'name': 'certname', 'csr': 'csr', 'created_at': 'created_at'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
     @patch('acme_srv.certificate.date_to_uts_utc')
-    def test_136_certificate__invalidation_check(self, mock_date):
+    def test_138_certificate__invalidation_check(self, mock_date):
         """ test Certificate._invalidation_check() - with zero created_at higher than threshold """
         cert_entry = {'name': 'certname', 'expire_uts': 0, 'csr': 'csr', 'created_at': 'created_at'}
         mock_date.return_value = 1596220000
         timestamp = 1596240000
         self.assertEqual((False, {'expire_uts': 0, 'name': 'certname', 'csr': 'csr', 'created_at': 'created_at'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_137_certificate__invalidation_check(self):
+    def test_139_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - removed by in cert """
         cert_entry = {'name': 'certname', 'cert': 'removed by foo-bar', 'foo': 'bar'}
         timestamp = 159624000
         self.assertEqual((False, {'name': 'certname', 'cert': 'removed by foo-bar', 'foo': 'bar'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_138_certificate__invalidation_check(self):
+    def test_140_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - removed by in cert """
         cert_entry = {'name': 'certname', 'cert': 'removed by foo-bar', 'foo': 'bar'}
         timestamp = 159624000
         self.assertEqual((True, {'name': 'certname', 'cert': 'removed by foo-bar', 'foo': 'bar'}), self.certificate._invalidation_check(cert_entry, timestamp, True))
 
-    def test_139_certificate__invalidation_check(self):
+    def test_141_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - removed by in cert but in upper-cases """
         cert_entry = {'name': 'certname', 'cert': 'ReMoved By foo-bar', 'foo': 'bar'}
         timestamp = 159624000
         self.assertEqual((False, {'name': 'certname', 'cert': 'ReMoved By foo-bar', 'foo': 'bar'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
-    def test_140_certificate__invalidation_check(self):
+    def test_142_certificate__invalidation_check(self):
         """ test Certificate._invalidation_check() - cert None """
         cert_entry = {'name': 'certname', 'cert': None, 'foo': 'bar'}
         timestamp = 159624000
         self.assertEqual((False, {'name': 'certname', 'cert': None, 'foo': 'bar'}), self.certificate._invalidation_check(cert_entry, timestamp))
 
+    @patch('acme_srv.certificate.cert_aki_get')
+    @patch('acme_srv.certificate.cert_serial_get')
     @patch('acme_srv.certificate.Certificate._renewal_info_get')
-    def test_141_certificate_poll(self, mock_renew):
+    def test_143_certificate_poll(self, mock_renew, mock_serial, mock_aki):
         """ test Certificate.poll - dbstore.order_update() raises an exception  """
         self.certificate.dbstore.order_update.side_effect = Exception('exc_cert_poll')
         ca_handler_module = importlib.import_module('examples.ca_handler.skeleton_ca_handler')
@@ -1572,8 +1611,10 @@ def test_141_certificate_poll(self, mock_renew):
             self.certificate.poll('certificate_name', 'poll_identifier', 'csr', 'order_name')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate.poll(): exc_cert_poll', lcm.output)
         self.assertTrue(mock_renew.called)
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_aki.called)
 
-    def test_142_certificate_poll(self):
+    def test_144_certificate_poll(self):
         """ test Certificate.poll - dbstore.order_update() raises an exception  and certreq rejected """
         self.certificate.dbstore.order_update.side_effect = Exception('exc_cert_poll')
         ca_handler_module = importlib.import_module('examples.ca_handler.skeleton_ca_handler')
@@ -1583,8 +1624,10 @@ def test_142_certificate_poll(self):
             self.certificate.poll('certificate_name', 'poll_identifier', 'csr', 'order_name')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate.poll(): exc_cert_poll', lcm.output)
 
+    @patch('acme_srv.certificate.cert_aki_get')
+    @patch('acme_srv.certificate.cert_serial_get')
     @patch('acme_srv.certificate.Certificate._renewal_info_get')
-    def test_143_certificate__store_cert(self, mock_renew):
+    def test_145_certificate__store_cert(self, mock_renew, mock_serial, mock_aki):
         """ test Certificate.store_cert() - dbstore.certificate_add raises an exception  """
         self.certificate.dbstore.certificate_add.side_effect = Exception('exc_cert_add')
         mock_renew.return_value = 'renewal_info'
@@ -1592,22 +1635,24 @@ def test_143_certificate__store_cert(self, mock_renew):
             self.certificate._store_cert('cert_name', 'cert', 'raw')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._store_cert(): exc_cert_add', lcm.output)
         self.assertTrue(mock_renew.called)
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_aki.called)
 
-    def test_144_certificate__store_cert_error(self):
+    def test_146_certificate__store_cert_error(self):
         """ test Certificate.store_cert_error() - dbstore.certificate_add raises an exception  """
         self.certificate.dbstore.certificate_add.side_effect = Exception('exc_cert_add_error')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.certificate._store_cert_error('cert_name', 'error', 'poll')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._store_cert(): exc_cert_add_error', lcm.output)
 
-    def test_145_certificate__account_check(self):
+    def test_147_certificate__account_check(self):
         """ test Certificate._account_check() - dbstore.certificate_account_check raises an exception  """
         self.certificate.dbstore.certificate_account_check.side_effect = Exception('exc_acc_chk')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.certificate._account_check('account_name', 'cert')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._account_check(): exc_acc_chk', lcm.output)
 
-    def test_146_certificate__authorization_check(self):
+    def test_148_certificate__authorization_check(self):
         """ test Certificate._authorization_check() - dbstore.certificate_account_check raises an exception  """
         self.certificate.dbstore.order_lookup.side_effect = Exception('exc_authz_chk')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -1615,7 +1660,7 @@ def test_146_certificate__authorization_check(self):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._authorization_check(): exc_authz_chk', lcm.output)
 
     @patch('acme_srv.certificate.Certificate._info')
-    def test_147_certificate__csr_check(self, mock_certinfo):
+    def test_149_certificate__csr_check(self, mock_certinfo):
         """ csr-check - dbstore.order_lookup() raises an exception """
         mock_certinfo.return_value = {'order': 'order'}
         self.certificate.dbstore.order_lookup.side_effect = Exception('exc_csr_chk')
@@ -1624,7 +1669,7 @@ def test_147_certificate__csr_check(self, mock_certinfo):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._csr_check(): exc_csr_chk', lcm.output)
         # self.certificate.dbstore.order_lookup.side_effect = []
 
-    def test_148_certificate__info(self):
+    def test_150_certificate__info(self):
         """ test Certificate._info - dbstore.certificate_lookup() raises an exception  """
         self.certificate.dbstore.certificate_lookup.side_effect = Exception('exc_cert_info')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -1632,7 +1677,7 @@ def test_148_certificate__info(self):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._info(): exc_cert_info', lcm.output)
 
     @patch('acme_srv.certificate.uts_now')
-    def test_149__cert_reusage_check(self, mock_uts):
+    def test_151__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - one certificate returned """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1641,7 +1686,7 @@ def test_149__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert1', 'cert_raw1', 'reused certificate from id: 1'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_150__cert_reusage_check(self, mock_uts):
+    def test_152__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - two certificates found """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1653,7 +1698,7 @@ def test_150__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert2', 'cert_raw2', 'reused certificate from id: 2'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_151__cert_reusage_check(self, mock_uts):
+    def test_153__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - three certificates found """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1666,7 +1711,7 @@ def test_151__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert3', 'cert_raw3', 'reused certificate from id: 3'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_152__cert_reusage_check(self, mock_uts):
+    def test_154__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - three certificates found in wrong order """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1679,7 +1724,7 @@ def test_152__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert3', 'cert_raw3', 'reused certificate from id: 3'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_153__cert_reusage_check(self, mock_uts):
+    def test_155__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - three certificates found latest certificate exipred """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1692,7 +1737,7 @@ def test_153__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert2', 'cert_raw2', 'reused certificate from id: 2'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_154__cert_reusage_check(self, mock_uts):
+    def test_156__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - three certificates found - last certificate empty cert field """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1705,7 +1750,7 @@ def test_154__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert2', 'cert_raw2', 'reused certificate from id: 2'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_155__cert_reusage_check(self, mock_uts):
+    def test_157__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - three certificates found - last certificate empty cert_raw field """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1718,7 +1763,7 @@ def test_155__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert2', 'cert_raw2', 'reused certificate from id: 2'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_156__cert_reusage_check(self, mock_uts):
+    def test_158__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - three certificates found - last certificate empty 'created_add' """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1733,7 +1778,7 @@ def test_156__cert_reusage_check(self, mock_uts):
             self.assertIn('ERROR:test_a2c:acme2certifier date_to_uts_utc() error in Certificate._cert_reusage_check(): id:3/created_at:', lcm.output)
 
     @patch('acme_srv.certificate.uts_now')
-    def test_157__cert_reusage_check(self, mock_uts):
+    def test_159__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - three certificates found last certificate out of range """
         self.certificate.cert_reusage_timeframe = 43200
         mock_uts.return_value = 100000
@@ -1746,7 +1791,7 @@ def test_157__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, 'cert2', 'cert_raw2', 'reused certificate from id: 2'), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.uts_now')
-    def test_158__cert_reusage_check(self, mock_uts):
+    def test_160__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - no match """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 200000
@@ -1759,7 +1804,7 @@ def test_158__cert_reusage_check(self, mock_uts):
         self.assertEqual((None, None, None, None), self.certificate._cert_reusage_check('csr'))
 
     @patch('acme_srv.certificate.Certificate._invalidation_check')
-    def test_159_certificate_cleanup(self, mock_chk):
+    def test_161_certificate_cleanup(self, mock_chk):
         """ test Certificate.cleanup - dbstore.certificate_add() raises an exception  """
         mock_chk.return_value = (True, {'name': 'name', 'expire_uts': 1543640400, 'issue_uts': 1543640400, 'cert_raw': 'cert_raw'})
         self.certificate.dbstore.certificates_search.return_value = [{'name', 'name'},]
@@ -1769,7 +1814,7 @@ def test_159_certificate_cleanup(self, mock_chk):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate.cleanup() add: exc_cert_cleanup1', lcm.output)
 
     @patch('acme_srv.certificate.Certificate._invalidation_check')
-    def test_160_certificate_cleanup(self, mock_chk):
+    def test_162_certificate_cleanup(self, mock_chk):
         """ test Certificate.cleanup - dbstore.certificate_delete() raises an exception  """
         mock_chk.return_value = (True, {'id': 2, 'name': 'name', 'expire_uts': 1543640400, 'issue_uts': 1543640400, 'cert_raw': 'cert_raw'})
         self.certificate.dbstore.certificates_search.return_value = [{'name', 'name'},]
@@ -1778,7 +1823,7 @@ def test_160_certificate_cleanup(self, mock_chk):
             self.certificate.cleanup(1543640400, True)
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate.cleanup() delete: exc_cert_cleanup2', lcm.output)
 
-    def test_161_certificate_cleanup(self):
+    def test_163_certificate_cleanup(self):
         """ test Certificate.cleanup - dbstore.certificates_search() raises an exception  """
         self.certificate.dbstore.certificates_search.side_effect = Exception('exc_cert_cleanup')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -1786,7 +1831,7 @@ def test_161_certificate_cleanup(self):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate.cleanup() search: exc_cert_cleanup', lcm.output)
 
     @patch('acme_srv.certificate.uts_now')
-    def test_162__cert_reusage_check(self, mock_uts):
+    def test_164__cert_reusage_check(self, mock_uts):
         """ test Certificate._cert_reusage_check() - one certificate returned """
         self.certificate.cert_reusage_timeframe = 86400
         mock_uts.return_value = 90000
@@ -1795,8 +1840,9 @@ def test_162__cert_reusage_check(self, mock_uts):
             self.assertEqual((None, None, None, None), self.certificate._cert_reusage_check('csr'))
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._cert_reusage_check(): ex_cert_reusage', lcm.output)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_163_config_load(self, mock_load_cfg):
+    def test_165_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load empty dictionary """
         mock_load_cfg.return_value = {}
         self.certificate._config_load()
@@ -1807,7 +1853,7 @@ def test_163_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_success_hook_failure)
 
     @patch('acme_srv.certificate.load_config')
-    def test_164_config_load(self, mock_load_cfg):
+    def test_166_config_load(self, mock_load_cfg):
         """ test _config_load missing ca_handler """
         mock_load_cfg.return_value = {}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -1818,8 +1864,9 @@ def test_164_config_load(self, mock_load_cfg):
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_165_config_load(self, mock_load_cfg):
+    def test_167_config_load(self, mock_load_cfg, mock_hand):
         """ test _config_load missing ca_handler """
         parser = configparser.ConfigParser()
         parser['Order'] = {'tnauthlist_support': False}
@@ -1830,9 +1877,11 @@ def test_165_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_166_config_load(self, mock_load_cfg):
+    def test_168_config_load(self, mock_load_cfg, mock_hand):
         """ test _config_load missing ca_handler """
         parser = configparser.ConfigParser()
         parser['Order'] = {'tnauthlist_support': True}
@@ -1843,10 +1892,11 @@ def test_166_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_167_config_load(self, mock_load_cfg, mock_handler):
+    def test_169_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load missing ca_handler """
         parser = configparser.ConfigParser()
         parser['CAhandler'] = {'handler_file': 'foo'}
@@ -1859,10 +1909,28 @@ def test_167_config_load(self, mock_load_cfg, mock_handler):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
+
+    @patch('acme_srv.certificate.ca_handler_load')
+    @patch('acme_srv.certificate.load_config')
+    def test_170_config_load(self, mock_load_cfg, mock_handler):
+        """ test _config_load missing ca_handler """
+        parser = configparser.ConfigParser()
+        parser['CAhandler'] = {'handler_file': 'examples/ca_handler/asa_ca_handler.py'}
+        mock_load_cfg.return_value = parser
+        mock_handler.return_value = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.certificate._config_load()
+        self.assertIn('CRITICAL:test_a2c:Certificate._config_load(): No ca_handler loaded', lcm.output)
+        self.assertFalse(self.certificate.hooks)
+        self.assertFalse(self.certificate.ignore_pre_hook_failure)
+        self.assertTrue(self.certificate.ignore_post_hook_failure)
+        self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertTrue(self.certificate.cn2san_add)
 
-    @patch('importlib.import_module')
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_168_config_load(self, mock_load_cfg, mock_imp):
+    def test_171_config_load(self, mock_load_cfg, mock_imp):
         """ test _config_load missing ca_handler """
         parser = configparser.ConfigParser()
         parser['CAhandler'] = {'handler_file': 'foo'}
@@ -1874,9 +1942,11 @@ def test_168_config_load(self, mock_load_cfg, mock_imp):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_169_config_load(self, mock_load_cfg):
+    def test_172_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load missing ca_handler """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'foo': 'bar', 'url_prefix': 'url_prefix'}
@@ -1888,10 +1958,11 @@ def test_169_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
-    @patch('importlib.import_module')
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_170_config_load(self, mock_load_cfg, mock_imp):
+    def test_173_config_load(self, mock_load_cfg, mock_imp):
         """ test _config_load  ca_handler but no handler_file """
         parser = configparser.ConfigParser()
         parser['CAhandler'] = {'foo': 'bar'}
@@ -1905,9 +1976,11 @@ def test_170_config_load(self, mock_load_cfg, mock_imp):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_171_config_load(self, mock_load_cfg):
+    def test_174_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load no cert_reusage_timeframe """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'foo': 'bar'}
@@ -1919,9 +1992,11 @@ def test_171_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_172_config_load(self, mock_load_cfg):
+    def test_175_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load cert_reusage_timeframe 120 """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'cert_reusage_timeframe': 1200}
@@ -1932,9 +2007,11 @@ def test_172_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_173_config_load(self, mock_load_cfg):
+    def test_176_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load cert_reusage_timeframe 0 """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'cert_reusage_timeframe': 0}
@@ -1945,9 +2022,11 @@ def test_173_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_174_config_load(self, mock_load_cfg):
+    def test_177_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load cert_reusage_timeframe text """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'cert_reusage_timeframe': 'aaa'}
@@ -1960,9 +2039,11 @@ def test_174_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_175_config_load(self, mock_load_cfg):
+    def test_178_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load enrollment_timeout 120 """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'enrollment_timeout': 120}
@@ -1973,9 +2054,11 @@ def test_175_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.load_config')
-    def test_176_config_load(self, mock_load_cfg):
+    def test_179_config_load(self, mock_load_cfg, mock_handler):
         """ test _config_load certificate text """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'enrollment_timeout': 'aaa'}
@@ -1988,10 +2071,12 @@ def test_176_config_load(self, mock_load_cfg):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_177_config_load(self, mock_load_cfg, mock_hooks):
+    def test_180_config_load(self, mock_load_cfg, mock_hooks, mock_handler):
         """ test _config_load hooks_load() returns None """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'enrollment_timeout': 120}
@@ -2003,10 +2088,12 @@ def test_177_config_load(self, mock_load_cfg, mock_hooks):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
+    @patch('acme_srv.certificate.ca_handler_load')
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_178_config_load(self, mock_load_cfg, mock_hooks):
+    def test_181_config_load(self, mock_load_cfg, mock_hooks, mock_handler):
         """ test _config_load hooks_load() returns module """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'enrollment_timeout': 120}
@@ -2018,10 +2105,11 @@ def test_178_config_load(self, mock_load_cfg, mock_hooks):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_179_config_load(self, mock_load_cfg, mock_hooks):
+    def test_182_config_load(self, mock_load_cfg, mock_hooks):
         """ test _config_load hooks_load() returns non-module object """
         parser = configparser.ConfigParser()
         parser['Certificate'] = {'enrollment_timeout': 120}
@@ -2035,10 +2123,11 @@ def test_179_config_load(self, mock_load_cfg, mock_hooks):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_180_config_load(self, mock_load_cfg, mock_hooks):
+    def test_183_config_load(self, mock_load_cfg, mock_hooks):
         """ test _config_load ignore_pre_hook_failure False """
         parser = configparser.ConfigParser()
         parser['Hooks'] = {'ignore_pre_hook_failure': False}
@@ -2052,10 +2141,11 @@ def test_180_config_load(self, mock_load_cfg, mock_hooks):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_181_config_load(self, mock_load_cfg, mock_hooks):
+    def test_184_config_load(self, mock_load_cfg, mock_hooks):
         """ test _config_load ignore_pre_hook_failure True """
         parser = configparser.ConfigParser()
         parser['Hooks'] = {'ignore_pre_hook_failure': True}
@@ -2069,10 +2159,11 @@ def test_181_config_load(self, mock_load_cfg, mock_hooks):
         self.assertTrue(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_182_config_load(self, mock_load_cfg, mock_hooks):
+    def test_185_config_load(self, mock_load_cfg, mock_hooks):
         """ test _config_load ignore_post_hook_failure False """
         parser = configparser.ConfigParser()
         parser['Hooks'] = {'ignore_post_hook_failure': False}
@@ -2086,10 +2177,11 @@ def test_182_config_load(self, mock_load_cfg, mock_hooks):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertFalse(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_183_config_load(self, mock_load_cfg, mock_hooks):
+    def test_186_config_load(self, mock_load_cfg, mock_hooks):
         """ test _config_load ignore_post_hook_failure True """
         parser = configparser.ConfigParser()
         parser['Hooks'] = {'ignore_post_hook_failure': True}
@@ -2106,7 +2198,7 @@ def test_183_config_load(self, mock_load_cfg, mock_hooks):
 
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_184_config_load(self, mock_load_cfg, mock_hooks):
+    def test_187_config_load(self, mock_load_cfg, mock_hooks):
         """ test _config_load ignore_success_hook_failure False """
         parser = configparser.ConfigParser()
         parser['Hooks'] = {'ignore_success_hook_failure': False}
@@ -2120,10 +2212,11 @@ def test_184_config_load(self, mock_load_cfg, mock_hooks):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertFalse(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.hooks_load')
     @patch('acme_srv.certificate.load_config')
-    def test_185_config_load(self, mock_load_cfg, mock_hooks):
+    def test_188_config_load(self, mock_load_cfg, mock_hooks):
         """ test _config_load ignore_success_hook_failure True """
         parser = configparser.ConfigParser()
         parser['Hooks'] = {'ignore_success_hook_failure': True}
@@ -2137,9 +2230,10 @@ def test_185_config_load(self, mock_load_cfg, mock_hooks):
         self.assertFalse(self.certificate.ignore_pre_hook_failure)
         self.assertTrue(self.certificate.ignore_post_hook_failure)
         self.assertTrue(self.certificate.ignore_success_hook_failure)
+        self.assertFalse(self.certificate.cn2san_add)
 
     @patch('acme_srv.certificate.cert_san_get')
-    def test_186_certificate__authorization_check(self, mock_san):
+    def test_189_certificate__authorization_check(self, mock_san):
         """ test Certificate.authorization_check - cert_san_get raises exception) """
         self.certificate.dbstore.order_lookup.side_effect = None
         self.certificate.dbstore.order_lookup.return_value = {'identifiers' : 'test'}
@@ -2150,7 +2244,7 @@ def test_186_certificate__authorization_check(self, mock_san):
 
     @patch('acme_srv.certificate.Certificate._identifer_status_list')
     @patch('acme_srv.certificate.cert_san_get')
-    def test_187_certificate__authorization_check(self, mock_san, mock_statlist):
+    def test_190_certificate__authorization_check(self, mock_san, mock_statlist):
         """ test Certificate.authorization_check - cert_san_get raises exception) """
         self.certificate.dbstore.order_lookup.side_effect = None
         self.certificate.dbstore.order_lookup.return_value = {'identifiers' : 'test'}
@@ -2162,7 +2256,7 @@ def test_187_certificate__authorization_check(self, mock_san, mock_statlist):
 
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.cert_extensions_get')
-    def test_188_certificate__authorization_check(self, mock_certext, mock_tnin):
+    def test_191_certificate__authorization_check(self, mock_certext, mock_tnin):
         """ test Certificate.authorization_check cert_extensions_get raises exception) """
         self.certificate.dbstore.order_lookup.side_effect = None
         self.certificate.dbstore.order_lookup.return_value = {'identifiers' : 'test'}
@@ -2176,7 +2270,7 @@ def test_188_certificate__authorization_check(self, mock_certext, mock_tnin):
     @patch('acme_srv.certificate.Certificate._identifer_tnauth_list')
     @patch('acme_srv.certificate.Certificate._tnauth_identifier_check')
     @patch('acme_srv.certificate.cert_extensions_get')
-    def test_189_certificate__authorization_check(self, mock_certext, mock_tnin, mock_tnlist):
+    def test_192_certificate__authorization_check(self, mock_certext, mock_tnin, mock_tnlist):
         """ test Certificate.authorization_check _identifer_tnauth_list raises exception) """
         self.certificate.dbstore.order_lookup.side_effect = None
         self.certificate.dbstore.order_lookup.return_value = {'identifiers' : 'test'}
@@ -2189,13 +2283,13 @@ def test_189_certificate__authorization_check(self, mock_certext, mock_tnin, moc
         self.assertIn('WARNING:test_a2c:Certificate._authorization_check() error while loading parsing certifcate. Error: tnauth_in_exc', lcm.output)
 
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_190_dates_update(self, mock_search):
+    def test_193_dates_update(self, mock_search):
         """ dates update """
         mock_search.return_value = [{'foo': 'bar'}, {'foo1': 'bar1'}]
         self.certificate.dates_update()
 
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_191_dates_update(self, mock_search):
+    def test_194_dates_update(self, mock_search):
         """ dates update """
         mock_search.return_value = [{'issue_uts': 0, 'expire_uts': 0, 'cert_raw': 'cert_raw'}, {'foo1': 'bar1'}]
         self.certificate.dates_update()
@@ -2203,7 +2297,7 @@ def test_191_dates_update(self, mock_search):
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_192_dates_update(self, mock_search, mock_dates_get, mock_store):
+    def test_195_dates_update(self, mock_search, mock_dates_get, mock_store):
         """ dates update with a none zero issue-uts """
         mock_search.return_value = [{'issue_uts': 2, 'expire_uts': 0, 'cert_raw': 'cert_raw', 'name': 'name', 'cert': 'cert'}, {'foo1': 'bar1'}]
         mock_dates_get.return_value = (42, 42)
@@ -2214,7 +2308,7 @@ def test_192_dates_update(self, mock_search, mock_dates_get, mock_store):
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_193_dates_update(self, mock_search, mock_dates_get, mock_store):
+    def test_196_dates_update(self, mock_search, mock_dates_get, mock_store):
         """ dates update with a none zero expire-uts """
         mock_search.return_value = [{'issue_uts': 0, 'expire_uts': 2, 'cert_raw': 'cert_raw', 'name': 'name', 'cert': 'cert'}, {'foo1': 'bar1'}]
         mock_dates_get.return_value = (42, 42)
@@ -2225,7 +2319,7 @@ def test_193_dates_update(self, mock_search, mock_dates_get, mock_store):
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_194_dates_update(self, mock_search, mock_dates_get, mock_store):
+    def test_197_dates_update(self, mock_search, mock_dates_get, mock_store):
         """ dates update call _cert_store """
         mock_search.return_value = [{'issue_uts': 0, 'expire_uts': 0, 'cert_raw': 'cert_raw', 'name': 'name', 'cert': 'cert'}, {'foo1': 'bar1'}]
         mock_dates_get.return_value = (42, 42)
@@ -2236,7 +2330,7 @@ def test_194_dates_update(self, mock_search, mock_dates_get, mock_store):
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_195_dates_update(self, mock_search, mock_dates_get, mock_store):
+    def test_198_dates_update(self, mock_search, mock_dates_get, mock_store):
         """ dates update call _cert_store """
         mock_search.return_value = [{'issue_uts': 0, 'expire_uts': 0, 'cert_raw': 'cert_raw', 'name': 'name', 'cert': 'cert'}, {'foo1': 'bar1'}]
         mock_dates_get.return_value = (42, 0)
@@ -2247,7 +2341,7 @@ def test_195_dates_update(self, mock_search, mock_dates_get, mock_store):
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_196_dates_update(self, mock_search, mock_dates_get, mock_store):
+    def test_199_dates_update(self, mock_search, mock_dates_get, mock_store):
         """ dates update call _cert_store """
         mock_search.return_value = [{'issue_uts': 0, 'expire_uts': 0, 'cert_raw': 'cert_raw', 'name': 'name', 'cert': 'cert'}, {'foo1': 'bar1'}]
         mock_dates_get.return_value = (0, 42)
@@ -2258,7 +2352,7 @@ def test_196_dates_update(self, mock_search, mock_dates_get, mock_store):
     @patch('acme_srv.certificate.Certificate._store_cert')
     @patch('acme_srv.certificate.cert_dates_get')
     @patch('acme_srv.certificate.Certificate.certlist_search')
-    def test_197_dates_update(self, mock_search, mock_dates_get, mock_store):
+    def test_200_dates_update(self, mock_search, mock_dates_get, mock_store):
         """ dates update do not call _cert_store bcs cert_dates_get return 0/0 """
         mock_search.return_value = [{'issue_uts': 0, 'expire_uts': 0, 'cert_raw': 'cert_raw', 'name': 'name', 'cert': 'cert'}, {'foo1': 'bar1'}]
         mock_dates_get.return_value = (0, 0)
@@ -2266,14 +2360,14 @@ def test_197_dates_update(self, mock_search, mock_dates_get, mock_store):
         self.assertTrue(mock_dates_get.called)
         self.assertFalse(mock_store.called)
 
-    def test_198_order_update(self):
+    def test_201_order_update(self):
         """ test Certificate._order_update - dbstore.order_update() raises an exception  """
         self.certificate.dbstore.order_update.side_effect = Exception('exc_order_upd')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.certificate._order_update({'url': 'url'})
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Certificate._order_update(): exc_order_upd', lcm.output)
 
-    def test_199_certificate_certlist_search(self):
+    def test_202_certificate_certlist_search(self):
         """ test Certificate.certlist_search - dbstore.certificates_search() raises an exception  """
         self.certificate.dbstore.certificates_search.side_effect = Exception('exc_certlist_search')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -2282,7 +2376,7 @@ def test_199_certificate_certlist_search(self):
 
     @patch('acme_srv.certificate.certid_asn1_get')
     @patch('acme_srv.certificate.pembundle_to_list')
-    def test_200_renewal_info_get(self, mock_p2l, mock_certid):
+    def test_203_renewal_info_get(self, mock_p2l, mock_certid):
         """ _renewal_info_get() """
         mock_certid.return_value = 'certid'
         self.assertEqual('certid', self.certificate._renewal_info_get('cert'))
diff --git a/test/test_certifier_handler.py b/test/test_certifier_handler.py
index 73523349..a2c5f8b2 100644
--- a/test/test_certifier_handler.py
+++ b/test/test_certifier_handler.py
@@ -5,8 +5,9 @@
 import unittest
 import sys
 import os
-from unittest.mock import patch, Mock
+from unittest.mock import patch, Mock, MagicMock
 import requests
+import configparser
 
 sys.path.insert(0, '.')
 sys.path.insert(1, '..')
@@ -502,23 +503,20 @@ def test_047__cert_get(self, mock_caget, mock_post):
         mock_post.return_value = {'mock': 'post'}
         self.assertEqual({'mock': 'post'}, self.cahandler._cert_get('csr'))
 
-    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._profile_id_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._api_post')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_048__cert_get(self, mock_caget, mock_post, mock_profile):
+    def test_048__cert_get(self, mock_caget, mock_post):
         """ CAhandler._ca_get_properties() _ca_get_properties does returns "href" key """
         self.cahandler.api_host = 'api_host'
         self.cahandler.profile_id = 100
         self.cahandler.header_info_field = 'header_info_field'
-        mock_profile.return_value = '101'
         mock_caget.return_value = {'href': 'href'}
         mock_post.return_value = {'mock': 'post'}
         self.assertEqual({'mock': 'post'}, self.cahandler._cert_get('csr'))
-        self.assertTrue(mock_profile.called)
-        self.assertEqual('101', self.cahandler.profile_id, )
+        self.assertEqual(100, self.cahandler.profile_id)
 
     @patch('requests.get')
-    def test_048__cert_get_properties(self, mock_req):
+    def test_049__cert_get_properties(self, mock_req):
         """ CAhandler._cert_get_properties() all good """
         self.cahandler.api_host = 'api_host'
         self.cahandler.auth = 'auth'
@@ -528,7 +526,7 @@ def test_048__cert_get_properties(self, mock_req):
         self.assertEqual({'foo': 'bar'}, self.cahandler._cert_get_properties('serial', 'link'))
 
     @patch('requests.get')
-    def test_049__cert_get_properties(self, mock_get):
+    def test_050__cert_get_properties(self, mock_get):
         """ CAhandler._cert_get_properties() all good """
         self.cahandler.api_host = 'api_host'
         self.cahandler.auth = 'auth'
@@ -537,24 +535,24 @@ def test_049__cert_get_properties(self, mock_get):
             self.assertEqual({'status': 500, 'message': 'exc_api_get', 'statusMessage': 'Internal Server Error'}, self.cahandler._cert_get_properties('serial', 'link'))
         self.assertIn('ERROR:test_a2c:CAhandler._cert_get_properties() returned error: exc_api_get', lcm.output)
 
-    def test_050_poll(self):
+    def test_051_poll(self):
         """ CAhandler.poll() poll_identifier is none """
         self.assertEqual((None, None, None, None, False), self.cahandler.poll('cert_name', None, 'csr'))
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._request_poll')
-    def test_051_poll(self, mock_poll):
+    def test_052_poll(self, mock_poll):
         """ CAhandler.poll() poll_identifier is none """
         mock_poll.return_value = ('error', 'cert_bundle', 'cert_raw', 'poll_identifier', 'rejected')
         self.assertEqual(('error', 'cert_bundle', 'cert_raw', 'poll_identifier', 'rejected'), self.cahandler.poll('cert_name', 'poll_identifier', 'csr'))
 
-    def test_052__loop_poll(self):
+    def test_053__loop_poll(self):
         """ CAhandler._loop_poll() - no request url"""
         request_url = None
         self.assertEqual((None, None, None, None), self.cahandler._loop_poll(request_url))
 
     @patch('time.sleep')
     @patch('requests.get')
-    def test_053__loop_poll(self, mock_get, mock_sleep):
+    def test_054__loop_poll(self, mock_get, mock_sleep):
         """ CAhandler._loop_poll() - nothing come back from request get"""
         self.cahandler.polling_timeout = 5
         self.cahandler.timeout = 0
@@ -567,7 +565,7 @@ def test_053__loop_poll(self, mock_get, mock_sleep):
 
     @patch('time.sleep')
     @patch('requests.get')
-    def test_054__loop_poll(self, mock_get, mock_sleep):
+    def test_055__loop_poll(self, mock_get, mock_sleep):
         """ CAhandler._loop_poll() - no status returned from  request get"""
         self.cahandler.polling_timeout = 5
         self.cahandler.timeout = 0
@@ -579,7 +577,7 @@ def test_054__loop_poll(self, mock_get, mock_sleep):
         self.assertEqual((None, None, None, 'request_url'), self.cahandler._loop_poll(request_url))
 
     @patch('requests.get')
-    def test_055__loop_poll(self, mock_get):
+    def test_056__loop_poll(self, mock_get):
         """ CAhandler._loop_poll() - status "rejected" returned from  request get"""
         self.cahandler.polling_timeout = 6
         self.cahandler.timeout = 0
@@ -591,7 +589,7 @@ def test_055__loop_poll(self, mock_get):
 
     @patch('time.sleep')
     @patch('requests.get')
-    def test_056__loop_poll(self, mock_get, mock_sleep):
+    def test_057__loop_poll(self, mock_get, mock_sleep):
         """ CAhandler._loop_poll() - status "accepted" returned from  request get but no certificate in"""
         self.cahandler.polling_timeout = 6
         self.cahandler.timeout = 0
@@ -604,7 +602,7 @@ def test_056__loop_poll(self, mock_get, mock_sleep):
 
     @patch('time.sleep')
     @patch('requests.get')
-    def test_057__loop_poll(self, mock_get, mock_sleep):
+    def test_058__loop_poll(self, mock_get, mock_sleep):
         """ CAhandler._loop_poll() - status "accepted" returned from  request "certifiate" in but no "certificateBase64" in 2dn request """
         self.cahandler.polling_timeout = 6
         self.cahandler.timeout = 0
@@ -617,7 +615,7 @@ def test_057__loop_poll(self, mock_get, mock_sleep):
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._pem_cert_chain_generate')
     @patch('requests.get')
-    def test_058__loop_poll(self, mock_get, mock_chain):
+    def test_059__loop_poll(self, mock_get, mock_chain):
         """ CAhandler._loop_poll() - status "accepted" returned from  request "certifiate" in but no "certificateBase64" in 2dn request """
         self.cahandler.polling_timeout = 6
         self.cahandler.timeout = 0
@@ -629,32 +627,32 @@ def test_058__loop_poll(self, mock_get, mock_chain):
         self.assertEqual((None, 'foo', 'certificateBase64', None), self.cahandler._loop_poll(request_url))
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
-    def test_059_enroll(self, mock_certget):
+    def test_060_enroll(self, mock_certget):
         """ CAhandler.enroll() _cert_get returns None """
         mock_certget.return_value = {}
         self.assertEqual(('internal error', None, None, None), self.cahandler.enroll('csr'))
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
-    def test_060_enroll(self, mock_certget):
+    def test_061_enroll(self, mock_certget):
         """ CAhandler.enroll() _cert_get returns wrong information """
         mock_certget.return_value = {'foo': 'bar'}
         self.assertEqual(('no certificate information found', None, None, None), self.cahandler.enroll('csr'))
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
-    def test_061_enroll(self, mock_certget):
+    def test_062_enroll(self, mock_certget):
         """ CAhandler.enroll() _cert_get returns status without error message """
         mock_certget.return_value = {'foo': 'bar', 'status': 'foo'}
-        self.assertEqual(('unknown errror', None, None, None), self.cahandler.enroll('csr'))
+        self.assertEqual(('unknown error', None, None, None), self.cahandler.enroll('csr'))
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
-    def test_062_enroll(self, mock_certget):
+    def test_063_enroll(self, mock_certget):
         """ CAhandler.enroll() _cert_get returns status with error message """
         mock_certget.return_value = {'foo': 'bar', 'status': 'foo', 'message': 'message'}
         self.assertEqual(('message', None, None, None), self.cahandler.enroll('csr'))
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._pem_cert_chain_generate')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
-    def test_063_enroll(self, mock_certget, mock_chain):
+    def test_064_enroll(self, mock_certget, mock_chain):
         """ CAhandler.enroll() _cert_get returns certb64 """
         mock_certget.return_value = {'foo': 'bar', 'certificateBase64': 'certificateBase64'}
         mock_chain.return_value = 'mock_chain'
@@ -662,27 +660,80 @@ def test_063_enroll(self, mock_certget, mock_chain):
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._loop_poll')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
-    def test_064_enroll(self, mock_certget, mock_loop):
+    def test_065_enroll(self, mock_certget, mock_loop):
         """ CAhandler.enroll() _cert_get returns certb64 """
         mock_certget.return_value = {'foo': 'bar', 'href': 'href'}
         mock_loop.return_value = ('error', 'cert_bundle', 'cert_raw', 'poll_identifier')
         self.assertEqual(('error', 'cert_bundle', 'cert_raw', 'poll_identifier'), self.cahandler.enroll('csr'))
 
+    @patch('examples.ca_handler.certifier_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._loop_poll')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
+    def test_066_enroll(self, mock_certget, mock_loop, mock_prof):
+        """ CAhandler.enroll() _cert_get returns certb64 """
+        mock_certget.return_value = {'foo': 'bar', 'href': 'href'}
+        mock_loop.return_value = ('error', 'cert_bundle', 'cert_raw', 'poll_identifier')
+        mock_prof.return_value = None
+        self.assertEqual(('error', 'cert_bundle', 'cert_raw', 'poll_identifier'), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_prof.called)
+
+    @patch('examples.ca_handler.certifier_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._loop_poll')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
+    def test_067_enroll(self, mock_certget, mock_loop, mock_prof):
+        """ CAhandler.enroll() _cert_get returns certb64 """
+        mock_certget.return_value = {'foo': 'bar', 'href': 'href'}
+        mock_loop.return_value = ('error', 'cert_bundle', 'cert_raw', 'poll_identifier')
+        mock_prof.return_value = None
+        self.cahandler.eab_profiling = True
+        self.cahandler.header_info_field = 'header_info_field'
+        self.assertEqual(('error', 'cert_bundle', 'cert_raw', 'poll_identifier'), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_prof.called)
+
+    @patch('examples.ca_handler.certifier_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._loop_poll')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
+    def test_068_enroll(self, mock_certget, mock_loop, mock_prof):
+        """ CAhandler.enroll() _cert_get returns certb64 """
+        mock_certget.return_value = {'foo': 'bar', 'href': 'href'}
+        mock_loop.return_value = ('error', 'cert_bundle', 'cert_raw', 'poll_identifier')
+        self.cahandler.eab_profiling = True
+        self.cahandler.header_info_field = 'header_info_field'
+        mock_prof.return_value = 'prof_error'
+        self.assertEqual(('prof_error', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_prof.called)
+        self.assertFalse(mock_certget.called)
+
+    @patch('examples.ca_handler.certifier_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._loop_poll')
+    @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get')
+    def test_069_enroll(self, mock_certget, mock_loop, mock_prof):
+        """ CAhandler.enroll() _cert_get returns certb64 """
+        mock_certget.return_value = {'foo': 'bar', 'href': 'href'}
+        mock_loop.return_value = ('error', 'cert_bundle', 'cert_raw', 'poll_identifier')
+        self.cahandler.eab_profiling = False
+        self.cahandler.header_info_field = 'header_info_field'
+        mock_prof.return_value = None
+        self.assertEqual(('error', 'cert_bundle', 'cert_raw', 'poll_identifier'), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_prof.called)
+        self.assertTrue(mock_certget.called)
+        self.assertEqual(self.cahandler.profile_id, None)
+
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_065_revoke(self, mock_getca):
+    def test_070_revoke(self, mock_getca):
         """ CAhandler.revoke() _ca_get_properties returns nothing """
         mock_getca.return_value = {}
         self.assertEqual((404, 'urn:ietf:params:acme:error:serverInternal', 'CA could not be found'), self.cahandler.revoke('cert'))
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_066_revoke(self, mock_getca):
+    def test_071_revoke(self, mock_getca):
         """ CAhandler.revoke() _ca_get_properties returns wrong information """
         mock_getca.return_value = {'foo': 'bar'}
         self.assertEqual((404, 'urn:ietf:params:acme:error:serverInternal', 'CA could not be found'), self.cahandler.revoke('cert'))
 
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_067_revoke(self, mock_getca, mock_serial):
+    def test_072_revoke(self, mock_getca, mock_serial):
         """ CAhandler.revoke() _ca_get_properties cert_serial_get failed """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = None
@@ -691,7 +742,7 @@ def test_067_revoke(self, mock_getca, mock_serial):
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get_properties')
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_068_revoke(self, mock_getca, mock_serial, mock_getcert):
+    def test_073_revoke(self, mock_getca, mock_serial, mock_getcert):
         """ CAhandler.revoke() _ca_get_properties get_cert_properties failed """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = 123
@@ -701,7 +752,7 @@ def test_068_revoke(self, mock_getca, mock_serial, mock_getcert):
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get_properties')
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_069_revoke(self, mock_getca, mock_serial, mock_getcert):
+    def test_074_revoke(self, mock_getca, mock_serial, mock_getcert):
         """ CAhandler.revoke() _ca_get_properties get_cert_properties returns wrong information """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = 123
@@ -711,7 +762,7 @@ def test_069_revoke(self, mock_getca, mock_serial, mock_getcert):
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get_properties')
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_070_revoke(self, mock_getca, mock_serial, mock_getcert):
+    def test_075_revoke(self, mock_getca, mock_serial, mock_getcert):
         """ CAhandler.revoke() _ca_get_properties get_cert_properties empty cert_list """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = 123
@@ -721,7 +772,7 @@ def test_070_revoke(self, mock_getca, mock_serial, mock_getcert):
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get_properties')
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_071_revoke(self, mock_getca, mock_serial, mock_getcert):
+    def test_076_revoke(self, mock_getca, mock_serial, mock_getcert):
         """ CAhandler.revoke() _ca_get_properties get_cert_properties returns cert_list with wrong information """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = 123
@@ -732,7 +783,7 @@ def test_071_revoke(self, mock_getca, mock_serial, mock_getcert):
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get_properties')
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_072_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
+    def test_077_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
         """ CAhandler.revoke() _ca_get_properties get_cert_properties returns cert_list revocation successful """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = 123
@@ -744,7 +795,7 @@ def test_072_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get_properties')
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_073_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
+    def test_078_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
         """ CAhandler.revoke() _ca_get_properties get_cert_properties returns href. revocation returns status without message """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = 123
@@ -756,7 +807,7 @@ def test_073_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._cert_get_properties')
     @patch('examples.ca_handler.certifier_ca_handler.cert_serial_get')
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._ca_get_properties')
-    def test_074_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
+    def test_079_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
         """ CAhandler.revoke() _ca_get_properties get_cert_properties returns href. revocation returns status with message """
         mock_getca.return_value = {'foo': 'bar', 'href': 'href'}
         mock_serial.return_value = 123
@@ -764,7 +815,7 @@ def test_074_revoke(self, mock_getca, mock_serial, mock_getcert, mock_post):
         mock_post.return_value = {'foo': 'bar', 'status': 'status', 'message': 'message'}
         self.assertEqual((400, 'urn:ietf:params:acme:error:alreadyRevoked', 'message'), self.cahandler.revoke('cert'))
 
-    def test_075_trigger(self):
+    def test_080_trigger(self):
         """ CAhandler.trigger() - no payload given """
         payload = None
         self.assertEqual(('No payload given', None, None), self.cahandler.trigger(payload))
@@ -773,7 +824,7 @@ def test_075_trigger(self):
     @patch('examples.ca_handler.certifier_ca_handler.cert_pem2der')
     @patch('examples.ca_handler.certifier_ca_handler.b64_decode')
     @patch('examples.ca_handler.certifier_ca_handler.b64_encode')
-    def test_076_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop):
+    def test_081_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop):
         """ CAhandler.trigger() - payload  but ca_lookup failed"""
         payload = 'foo'
         mock_b64dec.return_value = 'foodecode'
@@ -786,7 +837,7 @@ def test_076_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop):
     @patch('examples.ca_handler.certifier_ca_handler.cert_pem2der')
     @patch('examples.ca_handler.certifier_ca_handler.b64_decode')
     @patch('examples.ca_handler.certifier_ca_handler.b64_encode')
-    def test_077_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial):
+    def test_082_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial):
         """ CAhandler.trigger() - payload serial number lookup failed"""
         payload = 'foo'
         mock_b64dec.return_value = 'foodecode'
@@ -801,7 +852,7 @@ def test_077_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock
     @patch('examples.ca_handler.certifier_ca_handler.cert_pem2der')
     @patch('examples.ca_handler.certifier_ca_handler.b64_decode')
     @patch('examples.ca_handler.certifier_ca_handler.b64_encode')
-    def test_078_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial, mock_certprop):
+    def test_083_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial, mock_certprop):
         """ CAhandler.trigger() - payload serial number lookup failed"""
         payload = 'foo'
         mock_b64dec.return_value = 'foodecode'
@@ -818,7 +869,7 @@ def test_078_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock
     @patch('examples.ca_handler.certifier_ca_handler.cert_pem2der')
     @patch('examples.ca_handler.certifier_ca_handler.b64_decode')
     @patch('examples.ca_handler.certifier_ca_handler.b64_encode')
-    def test_079_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial, mock_certprop, mock_chain):
+    def test_084_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial, mock_certprop, mock_chain):
         """ CAhandler.trigger() - payload serial number lookup failed"""
         payload = 'foo'
         mock_b64dec.return_value = 'foodecode'
@@ -836,7 +887,7 @@ def test_079_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock
     @patch('examples.ca_handler.certifier_ca_handler.cert_pem2der')
     @patch('examples.ca_handler.certifier_ca_handler.b64_decode')
     @patch('examples.ca_handler.certifier_ca_handler.b64_encode')
-    def test_080_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial, mock_certprop, mock_chain):
+    def test_085_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock_serial, mock_certprop, mock_chain):
         """ CAhandler.trigger() - payload serial number lookup failed"""
         payload = 'foo'
         mock_b64dec.return_value = 'foodecode'
@@ -847,23 +898,23 @@ def test_080_trigger(self, mock_b64dec, mock_b64enc, mock_p2d, mock_caprop, mock
         mock_chain.return_value = 'chain'
         self.assertEqual((None, 'chain', 'foodecode'), self.cahandler.trigger(payload))
 
-    def test_081__pem_cert_chain_generate(self):
+    def test_086__pem_cert_chain_generate(self):
         """ _pem_cert_chain_generate - empty cert_dic """
         cert_dic = {}
         self.assertFalse(self.cahandler._pem_cert_chain_generate(cert_dic))
 
-    def test_082__pem_cert_chain_generate(self):
+    def test_087__pem_cert_chain_generate(self):
         """ _pem_cert_chain_generate - wrong dic """
         cert_dic = {'foo': 'bar'}
         self.assertFalse(self.cahandler._pem_cert_chain_generate(cert_dic))
 
-    def test_083__pem_cert_chain_generate(self):
+    def test_088__pem_cert_chain_generate(self):
         """ _pem_cert_chain_generate - certificateBase64 in dict """
         cert_dic = {'certificateBase64': 'certificateBase64'}
         self.assertEqual('-----BEGIN CERTIFICATE-----\ncertificateBase64\n-----END CERTIFICATE-----\n', self.cahandler._pem_cert_chain_generate(cert_dic))
 
     @patch('requests.get')
-    def test_084__pem_cert_chain_generate(self, mock_get):
+    def test_089__pem_cert_chain_generate(self, mock_get):
         """ _pem_cert_chain_generate - issuer in dict without certificateBase64 """
         cert_dic = {'issuer': 'issuer'}
         mockresponse = Mock()
@@ -872,7 +923,7 @@ def test_084__pem_cert_chain_generate(self, mock_get):
         self.assertFalse(self.cahandler._pem_cert_chain_generate(cert_dic))
 
     @patch('requests.get')
-    def test_085__pem_cert_chain_generate(self, mock_get):
+    def test_090__pem_cert_chain_generate(self, mock_get):
         """ _pem_cert_chain_generate - request returns "certificates" but no active """
         cert_dic = {'issuer': 'issuer', 'certificateBase64': 'certificateBase641'}
         mockresponse1 = Mock()
@@ -883,7 +934,7 @@ def test_085__pem_cert_chain_generate(self, mock_get):
         self.assertEqual('-----BEGIN CERTIFICATE-----\ncertificateBase641\n-----END CERTIFICATE-----\n', self.cahandler._pem_cert_chain_generate(cert_dic))
 
     @patch('requests.get')
-    def test_086__pem_cert_chain_generate(self, mock_get):
+    def test_091__pem_cert_chain_generate(self, mock_get):
         """ _pem_cert_chain_generate - request returns certificate and active, 2nd request is bogus """
         cert_dic = {'issuer': 'issuer', 'certificateBase64': 'certificateBase641'}
         mockresponse1 = Mock()
@@ -894,7 +945,7 @@ def test_086__pem_cert_chain_generate(self, mock_get):
         self.assertEqual('-----BEGIN CERTIFICATE-----\ncertificateBase641\n-----END CERTIFICATE-----\n', self.cahandler._pem_cert_chain_generate(cert_dic))
 
     @patch('requests.get')
-    def test_087__pem_cert_chain_generate(self, mock_get):
+    def test_092__pem_cert_chain_generate(self, mock_get):
         """ _pem_cert_chain_generate - request returns certificate two certs """
         cert_dic = {'issuer': 'issuer', 'certificateBase64': 'certificateBase641'}
         mockresponse1 = Mock()
@@ -907,7 +958,7 @@ def test_087__pem_cert_chain_generate(self, mock_get):
         self.assertEqual('-----BEGIN CERTIFICATE-----\ncertificateBase641\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncertificateBase642\n-----END CERTIFICATE-----\n', self.cahandler._pem_cert_chain_generate(cert_dic))
 
     @patch('requests.get')
-    def test_088__pem_cert_chain_generate(self, mock_get):
+    def test_093__pem_cert_chain_generate(self, mock_get):
         """ _pem_cert_chain_generate - request returns certificate three certs """
         cert_dic = {'issuer': 'issuer', 'certificateBase64': 'certificateBase641'}
         mockresponse1 = Mock()
@@ -924,7 +975,7 @@ def test_088__pem_cert_chain_generate(self, mock_get):
         self.assertEqual('-----BEGIN CERTIFICATE-----\ncertificateBase641\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncertificateBase642\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\ncertificateBase643\n-----END CERTIFICATE-----\n', self.cahandler._pem_cert_chain_generate(cert_dic))
 
     @patch('requests.get')
-    def test_089__pem_cert_chain_generate(self, mock_get):
+    def test_094__pem_cert_chain_generate(self, mock_get):
         """ _pem_cert_chain_generate - issuerCa in """
         cert_dic = {'issuerCa': 'issuerCa', 'certificateBase64': 'certificateBase641'}
         mockresponse1 = Mock()
@@ -934,12 +985,12 @@ def test_089__pem_cert_chain_generate(self, mock_get):
         mock_get.side_effect = [mockresponse1, mockresponse2]
         self.assertEqual('-----BEGIN CERTIFICATE-----\ncertificateBase641\n-----END CERTIFICATE-----\n', self.cahandler._pem_cert_chain_generate(cert_dic))
 
-    def test_090__enter__(self):
+    def test_095__enter__(self):
         """ test __enter__ """
         self.cahandler.__enter__()
 
     @patch('requests.get')
-    def test_091_request_poll(self, mock_get):
+    def test_096_request_poll(self, mock_get):
         """ test request poll request returned exception """
         mock_get.side_effect = Exception('exc_api_get')
         result = ('"status" field not found in response.', None, None, 'url', False)
@@ -948,7 +999,7 @@ def test_091_request_poll(self, mock_get):
         self.assertIn('ERROR:test_a2c:CAhandler._request.poll() returned: exc_api_get', lcm.output)
 
     @patch('requests.get')
-    def test_092_request_poll(self, mock_get):
+    def test_097_request_poll(self, mock_get):
         """ test request poll request returned unknown status """
         mockresponse = Mock()
         mockresponse.json = lambda: {'status': 'unknown'}
@@ -957,7 +1008,7 @@ def test_092_request_poll(self, mock_get):
         self.assertEqual(result, self.cahandler._request_poll('url'))
 
     @patch('requests.get')
-    def test_093_request_poll(self, mock_get):
+    def test_098_request_poll(self, mock_get):
         """ test request poll request returned status rejected """
         mockresponse = Mock()
         mockresponse.json = lambda: {'status': 'rejected'}
@@ -966,7 +1017,7 @@ def test_093_request_poll(self, mock_get):
         self.assertEqual(result, self.cahandler._request_poll('url'))
 
     @patch('requests.get')
-    def test_094_request_poll(self, mock_get):
+    def test_099_request_poll(self, mock_get):
         """ test request poll request returned status accepted but no certinformation in """
         mockresponse = Mock()
         mockresponse.json = lambda: {'status': 'accepted', 'foo': 'bar'}
@@ -975,7 +1026,7 @@ def test_094_request_poll(self, mock_get):
         self.assertEqual(result, self.cahandler._request_poll('url'))
 
     @patch('requests.get')
-    def test_095_request_poll(self, mock_get):
+    def test_100_request_poll(self, mock_get):
         """ test request poll request returned status accepted but no certinformation in """
         mockresponse = Mock()
         mockresponse.json = lambda: {'status': 'accepted', 'certificate': 'certificate'}
@@ -985,7 +1036,7 @@ def test_095_request_poll(self, mock_get):
 
     @patch('examples.ca_handler.certifier_ca_handler.CAhandler._pem_cert_chain_generate')
     @patch('requests.get')
-    def test_096_request_poll(self, mock_get, mock_pemgen):
+    def test_101_request_poll(self, mock_get, mock_pemgen):
         """ test request poll request returned status accepted but no certinformation in """
         mockresponse = Mock()
         mockresponse.json = lambda: {'status': 'accepted', 'certificate': 'certificate', 'certificateBase64': 'certificateBase64'}
@@ -994,42 +1045,6 @@ def test_096_request_poll(self, mock_get, mock_pemgen):
         result = (None, 'bundle', 'certificateBase64', 'url', False)
         self.assertEqual(result, self.cahandler._request_poll('url'))
 
-    @patch('examples.ca_handler.certifier_ca_handler.header_info_get')
-    def test_096_profile_id_get(self, mock_header):
-        """ test _profile_id_get()"""
-        mock_header.return_value = [{'header_info': '{"header_field": "profileID=101 lego-cli/4.14.2 xenolf-acme/4.14.2 (release; linux; amd64)"}'}]
-        self.cahandler.header_info_field = 'header_field'
-        self.assertEqual('101', self.cahandler._profile_id_get('csr'))
-
-    @patch('examples.ca_handler.certifier_ca_handler.header_info_get')
-    def test_097_profile_id_get(self, mock_header):
-        """ test _profile_id_get()"""
-        mock_header.return_value = [{'header_info': 'header_info'}]
-        self.cahandler.header_info_field = 'header_field'
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._profile_id_get('csr'))
-        self.assertIn('ERROR:test_a2c:CAhandler._profile_id_get() could not parse profile_id: Expecting value: line 1 column 1 (char 0)', lcm.output)
-
-    def test_098_config_headerinfo_get(self):
-        """ test config_headerinfo_get()"""
-        config_dic = {'Order': {'header_info_list': '["foo", "bar", "foobar"]'}}
-        self.cahandler._config_headerinfo_get(config_dic)
-        self.assertEqual( 'foo', self.cahandler.header_info_field)
-
-    def test_099_config_headerinfo_get(self):
-        """ test config_headerinfo_get()"""
-        config_dic = {'Order': {'header_info_list': '["foo"]'}}
-        self.cahandler._config_headerinfo_get(config_dic)
-        self.assertEqual( 'foo', self.cahandler.header_info_field)
-
-    def test_100_config_headerinfo_get(self):
-        """ test config_headerinfo_get()"""
-        config_dic = {'Order': {'header_info_list': 'foo'}}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.cahandler._config_headerinfo_get(config_dic)
-        self.assertFalse(self.cahandler.header_info_field)
-        self.assertIn('WARNING:test_a2c:Order._config_orderconfig_load() header_info_list failed with error: Expecting value: line 1 column 1 (char 0)', lcm.output)
-
 if __name__ == '__main__':
 
     if os.path.exists('acme_test.db'):
diff --git a/test/test_challenge.py b/test/test_challenge.py
index 7a207553..2e6ac685 100644
--- a/test/test_challenge.py
+++ b/test/test_challenge.py
@@ -397,21 +397,24 @@ def test_042_challenge__validate_tkauth_challenge(self):
         """ test Chalölenge.validate_tkauth_challenge() """
         self.assertEqual((True, False), self.challenge._validate_tkauth_challenge('cert_name', 'type', 'fqdn', 'token', 'jwk_thumbprint', 'payload'))
 
-    def test_043_challenge__check(self):
+    @patch('time.sleep')
+    def test_043_challenge__check(self, mock_sleep):
         """ challenge check with incorrect challenge-dictionary """
         # self.challenge.dbstore.challenge_lookup.return_value = {'token' : 'token', 'type' : 'http-01', 'status' : 'pending'}
         self.challenge.dbstore.challenge_lookup.return_value = {}
         self.assertEqual((False, False), self.challenge._check('name', 'payload'))
 
-    def test_044_challenge__check(self):
+    @patch('time.sleep')
+    def test_044_challenge__check(self, mock_sleep):
         """ challenge check with without jwk return """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__value' : 'authorization__value', 'type' : 'type', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = None
         self.assertEqual((False, False), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_alpn_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_045_challenge__check(self, mock_jwk, mock_chall):
+    def test_045_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed tls-alpn challenge - for loop returns data during 1st iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tls-alpn-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -420,9 +423,10 @@ def test_045_challenge__check(self, mock_jwk, mock_chall):
         self.assertEqual((False, 'foo'), self.challenge._check('name', 'payload'))
         self.assertTrue(mock_chall.called)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_alpn_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_046_challenge__check(self, mock_jwk, mock_chall):
+    def test_046_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed tls-alpn challenge - - for loop returns data during 2nd iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tls-alpn-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -431,9 +435,10 @@ def test_046_challenge__check(self, mock_jwk, mock_chall):
         self.assertEqual((False, 'foo'), self.challenge._check('name', 'payload'))
         self.assertTrue(mock_chall.called)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_alpn_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_047_challenge__check(self, mock_jwk, mock_chall):
+    def test_047_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed tls-alpn challenge - - for loop returns data during 6th iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tls-alpn-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -442,9 +447,10 @@ def test_047_challenge__check(self, mock_jwk, mock_chall):
         self.assertEqual((False, False), self.challenge._check('name', 'payload'))
         self.assertTrue(mock_chall.called)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_alpn_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_048_challenge__check(self, mock_jwk, mock_chall):
+    def test_048_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ tls-alpn challenge """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tls-alpn-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -453,9 +459,10 @@ def test_048_challenge__check(self, mock_jwk, mock_chall):
         self.assertEqual((True, 'foo'), self.challenge._check('name', 'payload'))
         self.assertTrue(mock_chall.called)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_http_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_049_challenge__check(self, mock_jwk, mock_chall):
+    def test_049_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed http challenge - for loop returns data during 1st iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'http-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -463,9 +470,10 @@ def test_049_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertEqual((False, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_http_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_050_challenge__check(self, mock_jwk, mock_chall):
+    def test_050_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed http challenge - for loop returns data during 2nd iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'http-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -473,9 +481,10 @@ def test_050_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertEqual((False, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_http_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_051_challenge__check(self, mock_jwk, mock_chall):
+    def test_051_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ http challenge - for loop returns data during 1st iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'http-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -483,9 +492,10 @@ def test_051_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertEqual((True, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_http_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_052_challenge__check(self, mock_jwk, mock_chall):
+    def test_052_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ http challenge - for loop returns data during 2nd iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'http-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -493,9 +503,10 @@ def test_052_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertEqual((True, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_dns_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_053_challenge__check(self, mock_jwk, mock_chall):
+    def test_053_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed dns challenge  - for loop returns data during 1st iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'dns-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -503,9 +514,10 @@ def test_053_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertEqual((True, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_dns_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_054_challenge__check(self, mock_jwk, mock_chall):
+    def test_054_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed dns challenge  - for loop returns data during 2nd iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'dns-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -513,9 +525,10 @@ def test_054_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertEqual((True, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_dns_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_055_challenge__check(self, mock_jwk, mock_chall):
+    def test_055_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ http challenge - for loop returns data during 1st iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'dns-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -523,9 +536,10 @@ def test_055_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertTrue((False, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_dns_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_056_challenge__check(self, mock_jwk, mock_chall):
+    def test_056_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ http challenge  - for loop returns data during 2nd iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'dns-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -533,9 +547,10 @@ def test_056_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertTrue((False, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_tkauth_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_057_challenge__check(self, mock_jwk, mock_chall):
+    def test_057_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed tkauth challenge tnauthlist_support not configured """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tkauth-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -546,9 +561,10 @@ def test_057_challenge__check(self, mock_jwk, mock_chall):
         self.assertFalse(mock_chall.called)
         self.assertIn('ERROR:test_a2c:unknown challenge type "tkauth-01". Setting check result to False', lcm.output)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_tkauth_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_058_challenge__check(self, mock_jwk, mock_chall):
+    def test_058_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed tkauth challenge tnauthlist_support True - for loop returns data during 1st iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tkauth-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -558,9 +574,10 @@ def test_058_challenge__check(self, mock_jwk, mock_chall):
         self.assertEqual((False, 'foo'), self.challenge._check('name', 'payload'))
         self.assertTrue(mock_chall.called)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_tkauth_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_059_challenge__check(self, mock_jwk, mock_chall):
+    def test_059_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with failed tkauth challenge tnauthlist_support True - for loop returns data during 2nd iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tkauth-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -570,9 +587,10 @@ def test_059_challenge__check(self, mock_jwk, mock_chall):
         self.assertEqual((False, 'foo'), self.challenge._check('name', 'payload'))
         self.assertTrue(mock_chall.called)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_tkauth_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_060_challenge__check(self, mock_jwk, mock_chall):
+    def test_060_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ tkauth challenge and tnauthlist_support unset """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tkauth-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -582,9 +600,10 @@ def test_060_challenge__check(self, mock_jwk, mock_chall):
         self.assertEqual((False, True), self.challenge._check('name', 'payload'))
         self.assertFalse(mock_chall.called)
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_tkauth_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_061_challenge__check(self, mock_jwk, mock_chall):
+    def test_061_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ tkauth challenge and tnauthlist support set - for loop returns data during 1st iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tkauth-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -593,9 +612,10 @@ def test_061_challenge__check(self, mock_jwk, mock_chall):
         mock_jwk.return_value = 'jwk_thumbprint'
         self.assertEqual((True, 'foo'), self.challenge._check('name', 'payload'))
 
+    @patch('time.sleep')
     @patch('acme_srv.challenge.Challenge._validate_tkauth_challenge')
     @patch('acme_srv.challenge.jwk_thumbprint_get')
-    def test_062_challenge__check(self, mock_jwk, mock_chall):
+    def test_062_challenge__check(self, mock_jwk, mock_chall, mock_sleep):
         """ challenge check with with succ tkauth challenge and tnauthlist support set - for loop returns data during 2nd iteration """
         self.challenge.dbstore.challenge_lookup.return_value = {'authorization__type' : 'authorization__type', 'authorization__value' : 'authorization__value', 'type' : 'tkauth-01', 'token' : 'token', 'authorization__order__account__name' : 'authorization__order__account__name'}
         self.challenge.dbstore.jwk_load.return_value = 'pub_key'
@@ -1229,17 +1249,5 @@ def test_119_challengeset_get(self, mock_chsearch, mock_val, mock_set):
         self.assertFalse(mock_set.called)
         self.assertFalse(mock_val.called)
 
-    #@patch('acme_srv.challenge.Challenge.new_set')
-    #@patch('acme_srv.challenge.Challenge._existing_challenge_validate')
-    #@patch('acme_srv.challenge.Challenge._challengelist_search')
-    #def test_097_challengeset_get(self, mock_chsearch, mock_val, mock_set):
-    #    """ test challengeset_get - challenge_list returned autzstatus pending """
-    #    mock_chsearch.return_value = [{'name': 'name1', 'foo': 'bar'}]
-    #    mock_val.return_value = True
-    #    mock_set.return_value = 'new_set'
-    #    self.assertEqual([{'foo': 'bar'}], self.challenge.challengeset_get('authz_name', 'pending', 'token', 'tnauth'))
-    #    self.assertFalse(mock_set.called)
-    #    self.assertTrue(mock_val.called)
-
 if __name__ == '__main__':
     unittest.main()
diff --git a/test/test_digicert.py b/test/test_digicert.py
new file mode 100644
index 00000000..a2bd402c
--- /dev/null
+++ b/test/test_digicert.py
@@ -0,0 +1,776 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+""" unittests for openxpki_ca_handler """
+# pylint: disable=C0415, R0904, W0212
+import sys
+import os
+import unittest
+from unittest.mock import patch, Mock, MagicMock
+import requests
+import base64
+from OpenSSL import crypto
+
+sys.path.insert(0, '.')
+sys.path.insert(1, '..')
+
+class FakeDBStore(object):
+    """ face DBStore class needed for mocking """
+    # pylint: disable=W0107, R0903
+    pass
+
+class TestACMEHandler(unittest.TestCase):
+    """ test class for cgi_handler """
+
+    def setUp(self):
+        """ setup unittest """
+        models_mock = MagicMock()
+        models_mock.acme_srv.db_handler.DBstore.return_value = FakeDBStore
+        modules = {'acme_srv.db_handler': models_mock}
+        patch.dict('sys.modules', modules).start()
+        import logging
+        from examples.ca_handler.digicert_ca_handler import CAhandler
+        logging.basicConfig(level=logging.CRITICAL)
+        self.logger = logging.getLogger('test_a2c')
+        self.cahandler = CAhandler(False, self.logger)
+        self.dir_path = os.path.dirname(os.path.realpath(__file__))
+
+    def test_001_default(self):
+        """ default test which always passes """
+        self.assertEqual('foo', 'foo')
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._config_load')
+    def test_002__enter__(self, mock_cfg):
+        """ test enter  called """
+        mock_cfg.return_value = True
+        self.cahandler.__enter__()
+        self.assertTrue(mock_cfg.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._config_load')
+    def test_003__enter__(self, mock_cfg):
+        """ test enter api hosts defined """
+        mock_cfg.return_value = True
+        self.cahandler.api_key = 'api_key'
+        self.cahandler.__enter__()
+        self.assertFalse(mock_cfg.called)
+
+    def test_004_poll(self):
+        """ test polling """
+        self.assertEqual(('Method not implemented.', None, None, 'poll_identifier', False), self.cahandler.poll('cert_name', 'poll_identifier', 'csr'))
+
+    def test_005_trigger(self):
+        """ test polling """
+        self.assertEqual(('Method not implemented.', None, None), self.cahandler.trigger('payload'))
+
+    @patch('examples.ca_handler.digicert_ca_handler.allowed_domainlist_check')
+    def test_006_allowed_domainlist_check(self, mock_adc):
+        """ test allowed_domainlist_check """
+        self.cahandler.allowed_domainlist = False
+        self.assertFalse(self.cahandler._allowed_domainlist_check('csr'))
+        self.assertFalse(mock_adc.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.allowed_domainlist_check')
+    def test_007_allowed_domainlist_check(self, mock_adc):
+        """ test allowed_domainlist_check """
+        self.cahandler.allowed_domainlist = ["test.com"]
+        mock_adc.return_value = True
+        self.assertFalse(self.cahandler._allowed_domainlist_check('csr'))
+        self.assertTrue(mock_adc.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.allowed_domainlist_check')
+    def test_008_allowed_domainlist_check(self, mock_adc):
+        """ test allowed_domainlist_check """
+        self.cahandler.allowed_domainlist = ["test.com"]
+        mock_adc.return_value = False
+        self.assertEqual('Either CN or SANs are not allowed by configuration', self.cahandler._allowed_domainlist_check('csr'))
+        self.assertTrue(mock_adc.called)
+
+    @patch.object(requests, 'post')
+    def test_009__api_post(self, mock_req):
+        """ test _api_post() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = lambda: {'foo': 'bar'}
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_post('url', 'data'))
+
+    @patch('requests.post')
+    def test_010__api_post(self, mock_req):
+        """ test _api_post() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = "aaaa"
+        mock_req.return_value = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', "'str' object is not callable"), self.cahandler._api_post('url', 'data'))
+        self.assertIn("ERROR:test_a2c:request_operation returned error during json parsing: 'str' object is not callable", lcm.output)
+
+    @patch('requests.post')
+    def test_011__api_post(self, mock_req):
+        """ test _api_post() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.text = None
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', None), self.cahandler._api_post('url', 'data'))
+
+    @patch('requests.post')
+    def test_012__api_post(self, mock_req):
+        """ test _api_post(= """
+        self.cahandler.api_host = 'api_host'
+        self.cahandler.auth = 'auth'
+        mock_req.side_effect = Exception('exc_api_post')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_post'), self.cahandler._api_post('url', 'data'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error: exc_api_post', lcm.output)
+
+    @patch.object(requests, 'get')
+    def test_013__api_get(self, mock_req):
+        """ test _api_get() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = lambda: {'foo': 'bar'}
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_get('url'))
+
+    @patch('requests.get')
+    def test_014__api_get(self, mock_req):
+        """ test _api_get() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = "aaaa"
+        mock_req.return_value = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', "'str' object is not callable"), self.cahandler._api_get('url'))
+        self.assertIn("ERROR:test_a2c:request_operation returned error during json parsing: 'str' object is not callable", lcm.output)
+
+    @patch('requests.get')
+    def test_015__api_get(self, mock_req):
+        """ test _api_get() """
+        self.cahandler.api_host = 'api_host'
+        self.cahandler.auth = 'auth'
+        mock_req.side_effect = Exception('exc_api_get')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_get'), self.cahandler._api_get('url'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error: exc_api_get', lcm.output)
+
+    @patch.object(requests, 'put')
+    def test_016__api_put(self, mock_req):
+        """ test _api_put() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = lambda: {'foo': 'bar'}
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_put('url', 'data'))
+
+    @patch('requests.put')
+    def test_017__api_put(self, mock_req):
+        """ test _api_put() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = "aaaa"
+        mock_req.return_value = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', "'str' object is not callable"), self.cahandler._api_put('url', 'data'))
+        self.assertIn("ERROR:test_a2c:request_operation returned error during json parsing: 'str' object is not callable", lcm.output)
+
+    @patch('requests.put')
+    def test_018__api_put(self, mock_req):
+        """ test _api_put() """
+        mockresponse = Mock()
+        mockresponse.status_code = 'status_code'
+        mockresponse.text = None
+        mock_req.return_value = mockresponse
+        self.assertEqual(('status_code', None), self.cahandler._api_put('url', 'data'))
+
+    @patch('requests.put')
+    def test_019__api_put(self, mock_req):
+        """ test _api_put() """
+        self.cahandler.api_host = 'api_host'
+        self.cahandler.auth = 'auth'
+        mock_req.side_effect = Exception('exc_api_put')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_put'), self.cahandler._api_put('url', 'data'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error: exc_api_put', lcm.output)
+
+    def test_020__config_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = 'api_url'
+        self.assertEqual('api_key parameter in missing in config file', self.cahandler._config_check())
+
+    def test_021__config_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = 'api_url'
+        self.cahandler.api_key = 'api_key'
+        self.assertEqual('organization_name parameter in missing in config file', self.cahandler._config_check())
+
+    def test_022__config_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = 'api_url'
+        self.cahandler.api_key = 'api_key'
+        self.cahandler.organization_name = 'organization_name'
+        self.assertFalse(self.cahandler._config_check())
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_023_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar'}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_024_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'api_url': 'api_url'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('api_url', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_025_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'api_key': 'api_key'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertEqual('api_key', self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_026_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'signature_hash': 'signature_hash'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('signature_hash', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_027_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'cert_type': 'cert_type'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('cert_type', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_028_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'order_validity': 2}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(2, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_029_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'request_timeout': 20}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(20, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_030_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'organization_name': 'organization_name'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('organization_name', self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_031_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'organization_id': 'organization_id'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('organization_id', self.cahandler.organization_id)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_032_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'allowed_domainlist': '["foo", "bar"]'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertEqual(['foo', 'bar'], self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_033_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'allowed_domainlist': '["foo"]'}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertEqual(['foo'], self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.digicert_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.digicert_ca_handler.load_config')
+    def test_034_config_load(self, mock_load, mock_eab, mock_hdl):
+        """ test _config_load() """
+        mock_load.return_value = {'foo': 'bar', 'CAhandler': {'allowed_domainlist': "foo"}}
+        mock_eab.return_value = True, 'eab'
+        mock_hdl.return_value = 'hdl'
+        self.cahandler._config_load()
+        self.assertTrue(mock_load.called)
+        self.assertEqual('https://www.digicert.com/services/v2/', self.cahandler.api_url)
+        self.assertFalse(self.cahandler.api_key)
+        self.assertEqual('ssl_basic', self.cahandler.cert_type)
+        self.assertEqual('sha256', self.cahandler.signature_hash)
+        self.assertEqual(1, self.cahandler.order_validity)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertFalse(self.cahandler.organization_id)
+        self.assertEqual('failed to parse', self.cahandler.allowed_domainlist)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual('eab', self.cahandler.eab_handler)
+        self.assertEqual('hdl', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._organiation_id_get')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_post')
+    def test_035_order_send(self, mock_post, mock_orgid):
+        """ test _order_send() """
+        mock_post.return_value = ('code', 'content')
+        self.cahandler.organization_id = 'organization_id'
+        self.assertEqual(('code', 'content'), self.cahandler._order_send('csr', 'cn'))
+        self.assertFalse(mock_orgid.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._organiation_id_get')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_post')
+    def test_036_order_send(self, mock_post, mock_orgid):
+        """ test _order_send() """
+        mock_post.return_value = ('code', 'content')
+        self.assertEqual((500, 'organisation_id is missing'), self.cahandler._order_send('csr', 'cn'))
+        self.assertFalse(mock_orgid.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._organiation_id_get')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_post')
+    def test_037_order_send(self, mock_post, mock_orgid):
+        """ test _order_send() """
+        mock_post.return_value = ('code', 'content')
+        self.cahandler.eab_profiling = True
+        self.cahandler.api_key = 'api_key'
+        self.cahandler.organization_name = 'organization_name'
+        self.cahandler.organization_id = 'organization_id'
+        self.assertEqual(('code', 'content'), self.cahandler._order_send('csr', 'cn'))
+        self.assertTrue(mock_orgid.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._organiation_id_get')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_post')
+    def test_038_order_send(self, mock_post, mock_orgid):
+        """ test _order_send() """
+        mock_post.return_value = ('code', 'content')
+        self.cahandler.eab_profiling = True
+        self.cahandler.api_key = 'api_key'
+        self.cahandler.organization_name = 'organization_name'
+        self.cahandler.organization_id = None
+        mock_orgid.return_value = 1
+        self.assertEqual(('code', 'content'), self.cahandler._order_send('csr', 'cn'))
+        self.assertTrue(mock_orgid.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._organiation_id_get')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_post')
+    def test_039_order_send(self, mock_post, mock_orgid):
+        """ test _order_send() """
+        mock_post.return_value = ('code', 'content')
+        self.cahandler.api_key = 'api_key'
+        self.cahandler.organization_name = 'organization_name'
+        self.cahandler.organization_id = None
+        mock_orgid.return_value = 1
+        self.assertEqual(('code', 'content'), self.cahandler._order_send('csr', 'cn'))
+        self.assertTrue(mock_orgid.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._organiation_id_get')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_post')
+    def test_040_order_send(self, mock_post, mock_orgid):
+        """ test _order_send() """
+        mock_post.return_value = ('code', 'content')
+        self.cahandler.api_key = 'api_key'
+        self.cahandler.organization_name = None
+        self.cahandler.organization_id = None
+        mock_orgid.return_value = 1
+        self.assertEqual((500, 'organisation_id is missing'), self.cahandler._order_send('csr', 'cn'))
+        self.assertFalse(mock_orgid.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._organiation_id_get')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_post')
+    def test_041_order_send(self, mock_post, mock_orgid):
+        """ test _order_send() """
+        mock_post.return_value = ('code', 'content')
+        self.cahandler.api_key = None
+        self.cahandler.organization_name = 'organization_name'
+        self.cahandler.organization_id = None
+        mock_orgid.return_value = 1
+        self.assertEqual((500, 'organisation_id is missing'), self.cahandler._order_send('csr', 'cn'))
+        self.assertFalse(mock_orgid.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.cert_pem2der')
+    @patch('examples.ca_handler.digicert_ca_handler.b64_encode')
+    def test_042_order_response_parse(self, mock_b64, mock_pem2der):
+        """ test _order_parse() """
+        content_dic = {'id': 'id', 'certificate_chain': [{'pem': 'pem1'}, {'pem': 'pem2'}, {'pem': 'pem3'}]}
+        mock_b64.return_value = 'b64'
+        self.assertEqual(('pem1\npem2\npem3\n', 'b64', 'id'), self.cahandler._order_response_parse(content_dic))
+
+    @patch('examples.ca_handler.digicert_ca_handler.cert_pem2der')
+    @patch('examples.ca_handler.digicert_ca_handler.b64_encode')
+    def test_043_order_response_parse(self, mock_b64, mock_pem2der):
+        """ test _order_parse() """
+        content_dic = {'id': 'id', 'cert_chain': [{'pem': 'pem1'}, {'pem': 'pem2'}, {'pem': 'pem3'}]}
+        mock_b64.return_value = 'b64'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((None, None, None), self.cahandler._order_response_parse(content_dic))
+        self.assertIn('ERROR:test_a2c:CAhandler._order_response_parse() failed: no certificate_chain in response', lcm.output)
+
+    @patch('examples.ca_handler.digicert_ca_handler.cert_pem2der')
+    @patch('examples.ca_handler.digicert_ca_handler.b64_encode')
+    def test_044_order_response_parse(self, mock_b64, mock_pem2der):
+        """ test _order_parse() """
+        content_dic = {'id': 'id', 'certificate_chain': [{'pem': 'pem1'}, {'_pem': 'pem2'}, {'pem': 'pem3'}]}
+        mock_b64.return_value = 'b64'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('pem1\npem3\n', 'b64', 'id'), self.cahandler._order_response_parse(content_dic))
+        self.assertIn('ERROR:test_a2c:CAhandler._order_response_parse() failed: no pem in certificate_chain', lcm.output)
+
+    @patch('examples.ca_handler.digicert_ca_handler.cert_pem2der')
+    @patch('examples.ca_handler.digicert_ca_handler.b64_encode')
+    def test_045_order_response_parse(self, mock_b64, mock_pem2der):
+        """ test _order_parse() """
+        content_dic = {'_id': 'id', 'certificate_chain': [{'pem': 'pem1'}, {'pem': 'pem2'}, {'pem': 'pem3'}]}
+        mock_b64.return_value = 'b64'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('pem1\npem2\npem3\n', 'b64', None), self.cahandler._order_response_parse(content_dic))
+        self.assertIn('ERROR:test_a2c:CAhandler._order_response_parse() polling_identifier generation failed: no id in response', lcm.output)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_get')
+    def test_046_organiation_id_get(self, mock_get):
+        """ test _organiation_id_get() """
+        mock_get.return_value = (500, {'id': 'id'})
+        self.cahandler.organization_name = 'organization_name'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._organiation_id_get()
+        self.assertIn('ERROR:test_a2c:CAhandler._organiation_id_get() failed', lcm.output)
+        self.assertFalse(self.cahandler.organization_id)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_get')
+    def test_047_organiation_id_get(self, mock_get):
+        """ test _organiation_id_get() """
+        mock_get.return_value = (200, {'organizations': [{'name': 'name1', 'id': 'id1'}, {'name': 'name2', 'id': 'id2'}, {'name': 'name3', 'id': 'id3'}]})
+        self.cahandler.organization_name = 'name1'
+        self.assertEqual('id1', self.cahandler._organiation_id_get())
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_get')
+    def test_048_organiation_id_get(self, mock_get):
+        """ test _organiation_id_get() """
+        mock_get.return_value = (200, {'organizations': [{'name': 'name1', 'id': 'id1'}, {'name': 'name2', 'id': 'id2'}, {'name': 'name3', 'id': 'id3'}]})
+        self.cahandler.organization_name = 'name2'
+        self.assertEqual('id2', self.cahandler._organiation_id_get())
+
+    @patch('examples.ca_handler.digicert_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._allowed_domainlist_check')
+    def test_049_csr_check(self, mock_dlchk, mock_ehichk):
+        """ test _csr_check() """
+        mock_dlchk.return_value = 'mock_dlchk'
+        mock_ehichk.return_value = 'mock_hichk'
+
+        self.assertEqual('mock_dlchk', self.cahandler._csr_check('csr'))
+
+    @patch('examples.ca_handler.digicert_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._allowed_domainlist_check')
+    def test_050_csr_check(self, mock_dlchk, mock_ehichk):
+        """ test _csr_check() """
+        mock_dlchk.return_value = False
+        mock_ehichk.return_value = 'mock_hichk'
+        self.assertEqual('mock_hichk', self.cahandler._csr_check('csr'))
+
+    @patch('examples.ca_handler.digicert_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._allowed_domainlist_check')
+    def test_051_csr_check(self, mock_dlchk, mock_ehichk):
+        """ test _csr_check() """
+        mock_dlchk.return_value = False
+        mock_ehichk.return_value = False
+        self.assertFalse(self.cahandler._csr_check('csr'))
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_response_parse')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_send')
+    @patch('examples.ca_handler.digicert_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._csr_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._config_check')
+    def test_052_enroll(self, mock_cfgchk, mock_csrchk, mock_cnget, mock_ordersend, mock_orderparse):
+        """ test enroll() """
+        mock_cfgchk.return_value = 'mock_cfgchk'
+        mock_csrchk.return_value = 'mock_csrchk'
+        mock_cnget.return_value = 'cn'
+        mock_ordersend.return_value = ('code', 'content')
+        mock_orderparse.return_value = ('pem', 'b64', 'id')
+        self.assertEqual(('mock_cfgchk', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_cfgchk.called)
+        self.assertFalse(mock_csrchk.called)
+        self.assertFalse(mock_cnget.called)
+        self.assertFalse(mock_ordersend.called)
+        self.assertFalse(mock_orderparse.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_response_parse')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_send')
+    @patch('examples.ca_handler.digicert_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._csr_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._config_check')
+    def test_053_enroll(self, mock_cfgchk, mock_csrchk, mock_cnget, mock_ordersend, mock_orderparse):
+        """ test enroll() """
+        mock_cfgchk.return_value = False
+        mock_csrchk.return_value = 'mock_csrchk'
+        mock_cnget.return_value = 'cn'
+        mock_ordersend.return_value = ('code', 'content')
+        mock_orderparse.return_value = ('pem', 'b64', 'id')
+        self.assertEqual(('mock_csrchk', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_cfgchk.called)
+        self.assertTrue(mock_csrchk.called)
+        self.assertFalse(mock_cnget.called)
+        self.assertFalse(mock_ordersend.called)
+        self.assertFalse(mock_orderparse.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_response_parse')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_send')
+    @patch('examples.ca_handler.digicert_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._csr_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._config_check')
+    def test_054_enroll(self, mock_cfgchk, mock_csrchk, mock_cnget, mock_ordersend, mock_orderparse):
+        """ test enroll() """
+        mock_cfgchk.return_value = False
+        mock_csrchk.return_value = False
+        mock_cnget.return_value = 'cn'
+        mock_ordersend.return_value = ('code', 'content')
+        mock_orderparse.return_value = ('pem', 'b64', 'id')
+        self.assertEqual(('Error during order creation: code - content', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_cfgchk.called)
+        self.assertTrue(mock_csrchk.called)
+        self.assertTrue(mock_cnget.called)
+        self.assertTrue(mock_ordersend.called)
+        self.assertFalse(mock_orderparse.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_response_parse')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_send')
+    @patch('examples.ca_handler.digicert_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._csr_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._config_check')
+    def test_055_enroll(self, mock_cfgchk, mock_csrchk, mock_cnget, mock_ordersend, mock_orderparse):
+        """ test enroll() """
+        mock_cfgchk.return_value = False
+        mock_csrchk.return_value = False
+        mock_cnget.return_value = 'cn'
+        mock_ordersend.return_value = ('code', {'errors': [{'code': 'code', 'message': 'content'}]})
+        mock_orderparse.return_value = ('pem', 'b64', 'id')
+        self.assertEqual(("Error during order creation: code - [{'code': 'code', 'message': 'content'}]", None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_cfgchk.called)
+        self.assertTrue(mock_csrchk.called)
+        self.assertTrue(mock_cnget.called)
+        self.assertTrue(mock_ordersend.called)
+        self.assertFalse(mock_orderparse.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_response_parse')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._order_send')
+    @patch('examples.ca_handler.digicert_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._csr_check')
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._config_check')
+    def test_056_enroll(self, mock_cfgchk, mock_csrchk, mock_cnget, mock_ordersend, mock_orderparse):
+        """ test enroll() """
+        mock_cfgchk.return_value = False
+        mock_csrchk.return_value = False
+        mock_cnget.return_value = 'cn'
+        mock_ordersend.return_value = (200, 'content')
+        mock_orderparse.return_value = ('pem', 'b64', 'id')
+        self.assertEqual((False, 'pem', 'b64', 'id'), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_cfgchk.called)
+        self.assertTrue(mock_csrchk.called)
+        self.assertTrue(mock_cnget.called)
+        self.assertTrue(mock_ordersend.called)
+        self.assertTrue(mock_orderparse.called)
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_put')
+    @patch('examples.ca_handler.digicert_ca_handler.cert_serial_get')
+    def test_057_revoke(self, mock_serial, mock_put):
+        """ test revoke() """
+        mock_serial.return_value = 'serial'
+        mock_put.return_value = ('code', 'content')
+        self.assertEqual(('code', None, 'content'), self.cahandler.revoke('cert'))
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_put')
+    @patch('examples.ca_handler.digicert_ca_handler.cert_serial_get')
+    def test_058_revoke(self, mock_serial, mock_put):
+        """ test revoke() """
+        mock_serial.return_value = None
+        mock_put.return_value = ('code', 'content')
+        self.assertEqual((500, None, 'Failed to parse certificate serial'), self.cahandler.revoke('cert'))
+
+    @patch('examples.ca_handler.digicert_ca_handler.CAhandler._api_put')
+    @patch('examples.ca_handler.digicert_ca_handler.cert_serial_get')
+    def test_059_revoke(self, mock_serial, mock_put):
+        """ test revoke() """
+        mock_serial.return_value = 'serial'
+        mock_put.return_value = (204, 'content')
+        self.assertEqual((200, None, 'content'), self.cahandler.revoke('cert'))
+
+
+if __name__ == '__main__':
+
+    unittest.main()
diff --git a/test/test_directory.py b/test/test_directory.py
index 501170aa..6b6f8d1c 100644
--- a/test/test_directory.py
+++ b/test/test_directory.py
@@ -122,8 +122,43 @@ def test_012_directory_directory_get(self):
         self.assertTrue(output_dic.items() <= result.items())
         self.assertEqual('NOK', result['meta']['db_check'])
 
+    def test_013_directory_directory_get(self):
+        """ test Directory.get_directory() method and check for "meta" tag in output"""
+        self.directory.home = 'home'
+        self.directory.version = '0.1'
+        output_dic = {'meta': {'home': 'home', 'author': 'grindsa <grindelsack@gmail.com>', 'name': 'acme2certifier', 'version': '0.1'}}
+        self.assertTrue(output_dic.items() <= self.directory.directory_get().items())
+
+    def test_014_directory_directory_get(self):
+        """ test Directory.get_directory() method and check for "meta" tag in output"""
+        self.directory.home = 'home'
+        self.directory.version = '0.1'
+        output_dic = {'home': 'home', 'author': 'grindsa <grindelsack@gmail.com>', 'name': 'acme2certifier', 'version': '0.1'}
+        self.assertEqual(output_dic, self.directory.directory_get()['meta'])
+
+    def test_015_directory_directory_get(self):
+        """ test Directory.get_directory() method and check for "meta" tag in output"""
+        self.directory.home = 'home'
+        self.directory.version = '0.1'
+        self.directory.suppress_product_information = True
+        output_dic = {'home': 'home'}
+        self.assertEqual(output_dic, self.directory.directory_get()['meta'])
+
+    def test_016_directory_directory_get(self):
+        """ test Directory.get_directory() method and check for "meta" tag in output"""
+        self.directory.suppress_product_information = True
+        output_dic = {}
+        self.assertEqual(output_dic, self.directory.directory_get()['meta'])
+
+    def test_017_directory_directory_get(self):
+        """ test Directory.get_directory() method and check for "meta" tag in output"""
+        self.directory.suppress_product_information = False
+        self.directory.version = '0.1'
+        output_dic = {'home': 'https://github.com/grindsa/acme2certifier', 'author': 'grindsa <grindelsack@gmail.com>', 'name': 'acme2certifier', 'version': '0.1'}
+        self.assertEqual(output_dic, self.directory.directory_get()['meta'])
+
     @patch('acme_srv.directory.load_config')
-    def test_013_config_load(self, mock_load_cfg):
+    def test_018_config_load(self, mock_load_cfg):
         """ test _config_load empty config """
         parser = configparser.ConfigParser()
         # parser['Account'] = {'foo': 'bar'}
@@ -135,7 +170,7 @@ def test_013_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_014_config_load(self, mock_load_cfg):
+    def test_019_config_load(self, mock_load_cfg):
         """ test _config_load with unknown values config """
         parser = configparser.ConfigParser()
         parser['Account'] = {'foo': 'bar'}
@@ -147,7 +182,7 @@ def test_014_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_015_config_load(self, mock_load_cfg):
+    def test_020_config_load(self, mock_load_cfg):
         """ test _config_load with unknown values config """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'foo': 'bar'}
@@ -159,7 +194,7 @@ def test_015_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_016_config_load(self, mock_load_cfg):
+    def test_021_config_load(self, mock_load_cfg):
         """ test _config_load supress version number """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'supress_version': True}
@@ -171,7 +206,7 @@ def test_016_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_017_config_load(self, mock_load_cfg):
+    def test_022_config_load(self, mock_load_cfg):
         """ test _config_load tos url """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'tos_url': 'tos_url'}
@@ -183,7 +218,7 @@ def test_017_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_018_config_load(self, mock_load_cfg):
+    def test_023_config_load(self, mock_load_cfg):
         """ test _config_load eab """
         parser = configparser.ConfigParser()
         parser['EABhandler'] = {'eab_handler_file': 'eab_handler_file'}
@@ -197,7 +232,7 @@ def test_018_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_019_config_load(self, mock_load_cfg):
+    def test_024_config_load(self, mock_load_cfg):
         """ test _config_load all parameters set """
         parser = configparser.ConfigParser()
         parser['EABhandler'] = {'eab_handler_file': 'eab_handler_file'}
@@ -210,7 +245,7 @@ def test_019_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_020_config_load(self, mock_load_cfg):
+    def test_025_config_load(self, mock_load_cfg):
         """ test _config_load eab """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'url_prefix': 'url_prefix'}
@@ -223,7 +258,7 @@ def test_020_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.db_check)
 
     @patch('acme_srv.directory.load_config')
-    def test_021_config_load(self, mock_load_cfg):
+    def test_026_config_load(self, mock_load_cfg):
         """ test _config_load eab """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'db_check': True}
@@ -233,9 +268,10 @@ def test_021_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.tos_url)
         self.assertFalse(self.directory.eab)
         self.assertTrue(self.directory.db_check)
+        self.assertEqual(False, self.directory.suppress_product_information)
 
     @patch('acme_srv.directory.load_config')
-    def test_022_config_load(self, mock_load_cfg):
+    def test_027_config_load(self, mock_load_cfg):
         """ test _config_load eab """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'db_check': False}
@@ -245,9 +281,66 @@ def test_022_config_load(self, mock_load_cfg):
         self.assertFalse(self.directory.tos_url)
         self.assertFalse(self.directory.eab)
         self.assertFalse(self.directory.db_check)
+        self.assertEqual('https://github.com/grindsa/acme2certifier', self.directory.home)
+        self.assertEqual(False, self.directory.suppress_product_information)
+
+    @patch('acme_srv.directory.load_config')
+    def test_028_config_load(self, mock_load_cfg):
+        """ test _config_load eab """
+        parser = configparser.ConfigParser()
+        parser['Directory'] = {'home': 'home'}
+        mock_load_cfg.return_value = parser
+        self.directory._config_load()
+        self.assertFalse(self.directory.supress_version)
+        self.assertFalse(self.directory.tos_url)
+        self.assertFalse(self.directory.eab)
+        self.assertFalse(self.directory.db_check)
+        self.assertEqual('home', self.directory.home)
+        self.assertEqual(False, self.directory.suppress_product_information)
+
+    @patch('acme_srv.directory.load_config')
+    def test_029_config_load(self, mock_load_cfg):
+        """ test _config_load eab """
+        parser = configparser.ConfigParser()
+        parser['Directory'] = {'suppress_product_information': True}
+        mock_load_cfg.return_value = parser
+        self.directory._config_load()
+        self.assertFalse(self.directory.supress_version)
+        self.assertFalse(self.directory.tos_url)
+        self.assertFalse(self.directory.eab)
+        self.assertFalse(self.directory.db_check)
+        self.assertEqual(True, self.directory.suppress_product_information)
+
+    @patch('acme_srv.directory.load_config')
+    def test_030_config_load(self, mock_load_cfg):
+        """ test _config_load eab """
+        parser = configparser.ConfigParser()
+        parser['Directory'] = {'suppress_product_information': False}
+        mock_load_cfg.return_value = parser
+        self.directory._config_load()
+        self.assertFalse(self.directory.supress_version)
+        self.assertFalse(self.directory.tos_url)
+        self.assertFalse(self.directory.eab)
+        self.assertFalse(self.directory.db_check)
+        self.assertEqual(False, self.directory.suppress_product_information)
+
+    @patch('acme_srv.directory.load_config')
+    def test_031_config_load(self, mock_load_cfg):
+        """ test _config_load eab """
+        parser = configparser.ConfigParser()
+        parser['Directory'] = {'suppress_product_information': 'aa'}
+        mock_load_cfg.return_value = parser
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.directory._config_load()
+        self.assertFalse(self.directory.supress_version)
+        self.assertFalse(self.directory.tos_url)
+        self.assertFalse(self.directory.eab)
+        self.assertFalse(self.directory.db_check)
+        self.assertEqual(False, self.directory.suppress_product_information)
+        self.assertIn('ERROR:test_a2c:Directory._config_load() suppress_product_information not set: Not a boolean: aa', lcm.output)
 
     @patch('acme_srv.directory.Directory._config_load')
-    def test_023__enter__(self, mock_cfg):
+    def test_032__enter__(self, mock_cfg):
         """ test enter """
         mock_cfg.return_value = True
         self.directory.__enter__()
diff --git a/test/test_eabfile_handler.py b/test/test_eabfile_handler.py
index 22bd62b6..fa983de2 100644
--- a/test/test_eabfile_handler.py
+++ b/test/test_eabfile_handler.py
@@ -103,16 +103,16 @@ def test_011_mac_key_get(self, mock_csv):
     def test_012_mac_key_get(self, mock_csv):
         """ test mac_key_get check break after first match """
         self.eabhandler.key_file = 'file'
-        mock_csv.return_value = [{'eab_kid': 'kid', 'eab_mac': 'mac'}, {'eab_kid': 'kid', 'eab_mac': 'mac2'}]
-        self.assertEqual('mac', self.eabhandler.mac_key_get('kid'))
+        mock_csv.return_value = [{'eab_kid': 'kid1', 'eab_mac': 'mac1'}, {'eab_kid': 'kid2', 'eab_mac': 'mac2'}]
+        self.assertEqual('mac1', self.eabhandler.mac_key_get('kid1'))
 
     @patch('csv.DictReader')
     @patch("builtins.open", mock_open(read_data='foo'), create=True)
     def test_013_mac_key_get(self, mock_csv):
         """ test mac_key_get match in the 2nd record """
         self.eabhandler.key_file = 'file'
-        mock_csv.return_value = [{'eab_kid': 'kid1', 'eab_mac': 'mac'}, {'eab_kid': 'kid', 'eab_mac': 'mac2'}]
-        self.assertEqual('mac2', self.eabhandler.mac_key_get('kid'))
+        mock_csv.return_value = [{'eab_kid': 'kid1', 'eab_mac': 'mac1'}, {'eab_kid': 'kid2', 'eab_mac': 'mac2'}]
+        self.assertEqual('mac2', self.eabhandler.mac_key_get('kid2'))
 
     @patch('csv.DictReader')
     @patch("builtins.open", mock_open(read_data='foo'), create=True)
@@ -138,7 +138,7 @@ def test_016_mac_key_get(self, mock_csv):
         mock_csv.side_effect = Exception('ex_mock_csv')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertFalse(self.eabhandler.mac_key_get('kid'))
-        self.assertIn('ERROR:test_a2c:EABhandler.mac_key_get() error: ex_mock_csv', lcm.output)
+        self.assertIn('ERROR:test_a2c:EABhandler.key_file_load() error: ex_mock_csv', lcm.output)
 
 if __name__ == '__main__':
 
diff --git a/test/test_eabjson_handler.py b/test/test_eabjson_handler.py
index c9626af1..bb96eddf 100644
--- a/test/test_eabjson_handler.py
+++ b/test/test_eabjson_handler.py
@@ -106,7 +106,7 @@ def test_012_mac_key_get(self, mock_json):
         mock_json.side_effect = Exception('ex_json_load')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertFalse(self.eabhandler.mac_key_get('kid'))
-        self.assertIn('ERROR:test_a2c:EABhandler.mac_key_get() error: ex_json_load', lcm.output)
+        self.assertIn('ERROR:test_a2c:EABhandler.key_file_load() error: ex_json_load', lcm.output)
 
 if __name__ == '__main__':
 
diff --git a/test/test_eabkid_profile_handler.py b/test/test_eabkid_profile_handler.py
new file mode 100644
index 00000000..9f1b7088
--- /dev/null
+++ b/test/test_eabkid_profile_handler.py
@@ -0,0 +1,374 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+""" unittests for acme2certifier """
+# pylint: disable= C0415, W0212
+import unittest
+import sys
+import os
+from OpenSSL import crypto
+from unittest.mock import patch, Mock, MagicMock, mock_open
+import requests
+
+sys.path.insert(0, '.')
+sys.path.insert(1, '..')
+
+
+class TestACMEHandler(unittest.TestCase):
+    """ test class for cgi_handler """
+
+    def setUp(self):
+        """ setup unittest """
+        import logging
+        logging.basicConfig(level=logging.CRITICAL)
+        self.logger = logging.getLogger('test_a2c')
+        from examples.eab_handler.kid_profile_handler import EABhandler
+        self.eabhandler = EABhandler(self.logger)
+        self.dir_path = os.path.dirname(os.path.realpath(__file__))
+
+    def test_001_default(self):
+        """ default test which always passes """
+        self.assertEqual('foo', 'foo')
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._config_load')
+    def test_002__enter__(self, mock_cfg):
+        """ test enter  called """
+        mock_cfg.return_value = True
+        self.eabhandler.__enter__()
+        self.assertTrue(mock_cfg.called)
+
+    @patch('examples.eab_handler.kid_profile_handler.load_config')
+    def test_003_config_load(self, mock_load_cfg):
+        """ test _config_load - empty dictionary """
+        mock_load_cfg.return_value = {}
+        self.eabhandler._config_load()
+        self.assertFalse(self.eabhandler.key_file)
+
+    @patch('examples.eab_handler.kid_profile_handler.load_config')
+    def test_004_config_load(self, mock_load_cfg):
+        """ test _config_load - bogus values """
+        mock_load_cfg.return_value = {'foo': 'bar'}
+        self.eabhandler._config_load()
+        self.assertFalse(self.eabhandler.key_file)
+
+    @patch('examples.eab_handler.kid_profile_handler.load_config')
+    def test_005_config_load(self, mock_load_cfg):
+        """ test _config_load - bogus values """
+        mock_load_cfg.return_value = {'EABhandler': {'foo': 'bar'}}
+        self.eabhandler._config_load()
+        self.assertFalse(self.eabhandler.key_file)
+
+    @patch('examples.eab_handler.kid_profile_handler.load_config')
+    def test_006_config_load(self, mock_load_cfg):
+        """ test _config_load - bogus values """
+        mock_load_cfg.return_value = {'EABhandler': {'key_file': 'key_file'}}
+        self.eabhandler._config_load()
+        self.assertEqual('key_file', self.eabhandler.key_file)
+
+    def test_007_mac_key_get(self):
+        """ test mac_key_get without file specified """
+        self.assertFalse(self.eabhandler.mac_key_get(None))
+
+    @patch("builtins.open", mock_open(read_data='foo'), create=True)
+    def test_008_mac_key_get(self):
+        """ test mac_key_get with file but no kid """
+        self.eabhandler.key_file = 'file'
+        self.assertFalse(self.eabhandler.mac_key_get(None))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.keyfile_content_load')
+    @patch("builtins.open", mock_open(read_data='foo'), create=True)
+    def test_009_mac_key_get(self, mock_json):
+        """ test mac_key_get json reader return bogus values """
+        self.eabhandler.key_file = 'file'
+        mock_json.return_value = {'foo', 'bar'}
+        self.assertFalse(self.eabhandler.mac_key_get('kid'))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.keyfile_content_load')
+    @patch("builtins.open", mock_open(read_data='foo'), create=True)
+    def test_010_mac_key_get(self, mock_json):
+        """ test mac_key_get json match """
+        self.eabhandler.key_file = 'file'
+        mock_json.return_value = {'kid': {'hmac': 'mac', 'foo': 'bar'}}
+        self.assertEqual('mac', self.eabhandler.mac_key_get('kid'))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.keyfile_content_load')
+    @patch("builtins.open", mock_open(read_data='foo'), create=True)
+    def test_011_mac_key_get(self, mock_json):
+        """ test mac_key_get json no match """
+        self.eabhandler.key_file = 'file'
+        mock_json.return_value = {'kid1': 'mac'}
+        self.assertFalse(self.eabhandler.mac_key_get('kid'))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.keyfile_content_load')
+    @patch("builtins.open", mock_open(read_data='foo'), create=True)
+    def test_012_mac_key_get(self, mock_json):
+        """ test mac_key_get json load exception """
+        self.eabhandler.key_file = 'file'
+        mock_json.side_effect = Exception('ex_json_load')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.eabhandler.mac_key_get('kid'))
+        self.assertIn('ERROR:test_a2c:EABhandler.mac_key_get() error: ex_json_load', lcm.output)
+
+    @patch('json.load')
+    @patch("builtins.open", mock_open(read_data='foo'), create=True)
+    def test_013_mac_key_get(self, mock_json):
+        """ test mac_key_get json match """
+        self.eabhandler.key_file = 'file'
+        mock_json.return_value = {'kid': {'foo': 'bar'}}
+        self.assertFalse(self.eabhandler.mac_key_get('kid'))
+
+    def test_014_wllist_check(self):
+        """ CAhandler._wllist_check failed check as empty entry"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = None
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_))
+
+    def test_015_wllist_check(self):
+        """ CAhandler._wllist_check check against empty list"""
+        list_ = []
+        entry = 'host.bar.foo'
+        self.assertTrue(self.eabhandler._wllist_check(entry, list_))
+
+    def test_016_wllist_check(self):
+        """ CAhandler._wllist_check successful check against 1st element of a list"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo'
+        self.assertTrue(self.eabhandler._wllist_check(entry, list_))
+
+    def test_017_wllist_check(self):
+        """ CAhandler._wllist_check unsuccessful as endcheck failed"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo.bar_'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_))
+
+    def test_018_wllist_check(self):
+        """ CAhandler._wllist_check successful without $"""
+        list_ = ['bar.foo', 'foo.bar$']
+        entry = 'host.bar.foo.bar_'
+        self.assertTrue(self.eabhandler._wllist_check(entry, list_))
+
+    def test_019_wllist_check(self):
+        """ CAhandler._wllist_check wildcard check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = '*.bar.foo'
+        self.assertTrue(self.eabhandler._wllist_check(entry, list_))
+
+    def test_020_wllist_check(self):
+        """ CAhandler._wllist_check failed wildcard check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = '*.bar.foo_'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_))
+
+    def test_021_wllist_check(self):
+        """ CAhandler._wllist_check not end check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'bar.foo gna'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_))
+
+    def test_022_wllist_check(self):
+        """ CAhandler._wllist_check $ at the end"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'bar.foo$'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_))
+
+    def test_023_wllist_check(self):
+        """ CAhandler._wllist_check check against empty list flip"""
+        list_ = []
+        entry = 'host.bar.foo'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_, True))
+
+    def test_024_wllist_check(self):
+        """ CAhandler._wllist_check flip successful check """
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_, True))
+
+    def test_025_wllist_check(self):
+        """ CAhandler._wllist_check flip unsuccessful check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_, True))
+
+    def test_026_wllist_check(self):
+        """ CAhandler._wllist_check unsuccessful whildcard check"""
+        list_ = ['foo.bar$', r'\*.bar.foo']
+        entry = 'host.bar.foo'
+        self.assertFalse(self.eabhandler._wllist_check(entry, list_))
+
+    def test_027_wllist_check(self):
+        """ CAhandler._wllist_check successful whildcard check"""
+        list_ = ['foo.bar$', r'\*.bar.foo']
+        entry = '*.bar.foo'
+        self.assertTrue(self.eabhandler._wllist_check(entry, list_))
+
+    def test_028_wllist_check(self):
+        """ CAhandler._wllist_check successful whildcard in list but not in string """
+        list_ = ['foo.bar$', '*.bar.foo']
+        entry = 'foo.bar.foo'
+        self.assertTrue(self.eabhandler._wllist_check(entry, list_))
+
+    @patch('examples.eab_handler.kid_profile_handler.csr_san_get')
+    def test_029_chk_san_lists_get(self, mock_san):
+        """ CAhandler._chk_san_lists_get() """
+        csr = 'csr'
+        mock_san.return_value = ['dns:foo.bar', 'dns:bar.foo']
+        self.assertEqual((['foo.bar', 'bar.foo'], []), self.eabhandler._chk_san_lists_get(csr))
+
+    @patch('examples.eab_handler.kid_profile_handler.csr_san_get')
+    def test_030_chk_san_lists_get(self, mock_san):
+        """ CAhandler._chk_san_lists_get() """
+        csr = 'csr'
+        mock_san.return_value = ['dns:foo.bar', 'bar.foo']
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((['foo.bar'], [False]), self.eabhandler._chk_san_lists_get(csr))
+        self.assertIn('INFO:test_a2c:EABhandler._csr_check(): san_list parsing failed at entry: bar.foo', lcm.output)
+
+    @patch('examples.eab_handler.kid_profile_handler.csr_san_get')
+    def test_031_chk_san_lists_get(self, mock_san):
+        """ CAhandler._chk_san_lists_get() """
+        csr = 'csr'
+        mock_san.return_value = None
+        self.assertEqual(([], []), self.eabhandler._chk_san_lists_get(csr))
+
+    @patch('examples.eab_handler.kid_profile_handler.csr_cn_get')
+    def test_032_cn_add(self, mock_cnget):
+        """ CAhandler._cn_add() """
+        csr = 'csr'
+        san_list = ['foo.bar', 'bar.foo']
+        mock_cnget.return_value = 'foobar.bar'
+        self.assertEqual(['foo.bar', 'bar.foo', 'foobar.bar'], self.eabhandler._cn_add(csr, san_list))
+
+    @patch('examples.eab_handler.kid_profile_handler.csr_cn_get')
+    def test_033_cn_add(self, mock_cnget):
+        """ CAhandler._cn_add() """
+        csr = 'csr'
+        san_list = ['foo.bar', 'bar.foo']
+        mock_cnget.return_value = 'bar.foo'
+        self.assertEqual(['foo.bar', 'bar.foo'], self.eabhandler._cn_add(csr, san_list))
+
+    @patch("builtins.open", mock_open(read_data='{"foo": "bar"}'), create=True)
+    def test_034_key_file_load(self):
+        """ CAhandler._cn_add() """
+        self.eabhandler.key_file = 'file'
+        self.assertEqual({'foo': 'bar'}, self.eabhandler.key_file_load())
+
+    @patch("builtins.open", mock_open(read_data='foobar:\n  foo: foobar'), create=True)
+    def test_035_key_file_load(self):
+        """ CAhandler._key_file_load() """
+        self.eabhandler.key_file = 'file'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual({'foobar': {'foo': 'foobar'}}, self.eabhandler.key_file_load())
+        self.assertIn('ERROR:test_a2c:EABhandler.keyfile_content_load(): error: Expecting value: line 1 column 1 (char 0)', lcm.output)
+
+    @patch("builtins.open", mock_open(read_data='{"foo": "bar"}'), create=True)
+    def test_036_key_file_load(self):
+        """ CAhandler._key_file_load() """
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.eabhandler.key_file_load())
+        self.assertIn('ERROR:test_a2c:EABhandler.key_file_load() no key_file specified', lcm.output)
+
+    @patch("builtins.open", mock_open(read_data='foobar: ='), create=True)
+    def test_037_key_file_load(self):
+        """ CAhandler._key_file_load() """
+        self.eabhandler.key_file = 'file'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.eabhandler.key_file_load())
+        self.assertIn('ERROR:test_a2c:EABhandler.keyfile_content_load(): error: Expecting value: line 1 column 1 (char 0)', lcm.output)
+        self.assertIn("ERROR:test_a2c:EABhandler.keyfile_content_load(): error: could not determine a constructor for the tag \'tag:yaml.org,2002:value\'\n  in \"<unicode string>\", line 1, column 9:\n    foobar: =\n            ^", lcm.output)
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.keyfile_content_load')
+    @patch("builtins.open", mock_open(read_data='{"foo": "bar"}'), create=True)
+    def test_038_key_file_load(self, mock_load):
+        """ CAhandler._key_file_load() """
+        self.eabhandler.key_file = 'file'
+        mock_load.side_effect = Exception('ex_load')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.eabhandler.key_file_load())
+        self.assertIn('ERROR:test_a2c:EABhandler.key_file_load() error: ex_load', lcm.output)
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._wllist_check')
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._cn_add')
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._chk_san_lists_get')
+    def test_039_allowed_domains_check(self, mock_san, mock_cn, mock_wlc):
+        """ test EABhanlder._allowed_domains_check() """
+        mock_san.return_value = (['foo'], [])
+        mock_cn.return_value = ['foo', 'bar']
+        mock_wlc.side_effect = [True, True]
+        self.assertFalse(self.eabhandler.allowed_domains_check('csr', ['domain', 'list']))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._wllist_check')
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._cn_add')
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._chk_san_lists_get')
+    def test_040_allowed_domains_check(self, mock_san, mock_cn, mock_wlc):
+        """ test EABhanlder._allowed_domains_check() """
+        mock_san.return_value = (['foo'], [False])
+        mock_cn.return_value = ['foo', 'bar']
+        mock_wlc.side_effect = [True, True]
+        self.assertEqual('Either CN or SANs are not allowed by profile', self.eabhandler.allowed_domains_check('csr', ['domain', 'list']))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._wllist_check')
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._cn_add')
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler._chk_san_lists_get')
+    def test_041_allowed_domains_check(self, mock_san, mock_cn, mock_wlc):
+        """ test EABhanlder._allowed_domains_check() """
+        mock_san.return_value = (['foo'], [])
+        mock_cn.return_value = ['foo', 'bar']
+        mock_wlc.side_effect = [False, True]
+        self.assertEqual('Either CN or SANs are not allowed by profile', self.eabhandler.allowed_domains_check('csr', ['domain', 'list']))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.key_file_load')
+    def test_042_eab_profile_get(self, mock_prof):
+        """ test EABhandler._eab_profile_get() """
+        mock_prof.return_value = {'eab_kid': {'cahandler': {'foo_parameter': 'bar_parameter'}}}
+        models_mock = MagicMock()
+        models_mock.DBstore().certificate_lookup.return_value = {'foo': 'bar', 'order__account__eab_kid': 'eab_kid'}
+        modules = {'acme_srv.db_handler': models_mock}
+        patch.dict('sys.modules', modules).start()
+        self.assertEqual({'foo_parameter': 'bar_parameter'}, self.eabhandler.eab_profile_get('csr'))
+
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.key_file_load')
+    def test_043_eab_profile_get(self, mock_prof):
+        """ test EABhandler._eab_profile_get() """
+        mock_prof.return_value = {'eab_kid': {'cahandler1': {'foo_parameter': 'bar_parameter'}}}
+        models_mock = MagicMock()
+        models_mock.DBstore().certificate_lookup.return_value = {'foo': 'bar', 'order__account__eab_kid': 'eab_kid'}
+        modules = {'acme_srv.db_handler': models_mock}
+        patch.dict('sys.modules', modules).start()
+        self.assertFalse(self.eabhandler.eab_profile_get('csr'))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.key_file_load')
+    def test_044_eab_profile_get(self, mock_prof):
+        """ test EABhandler._eab_profile_get() """
+        mock_prof.return_value = {'eab_kid': {'cahandler': {'foo_parameter': 'bar_parameter'}}}
+        models_mock = MagicMock()
+        models_mock.DBstore().certificate_lookup.return_value = {'foo': 'bar', '1order__account__eab_kid': 'eab_kid'}
+        modules = {'acme_srv.db_handler': models_mock}
+        patch.dict('sys.modules', modules).start()
+        self.assertFalse(self.eabhandler.eab_profile_get('csr'))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.key_file_load')
+    def test_045_eab_profile_get(self, mock_prof):
+        """ test EABhandler._eab_profile_get() """
+        mock_prof.return_value = {'eab_kid': {'cahandler': {'foo_parameter': 'bar_parameter'}}}
+        models_mock = MagicMock()
+        models_mock.DBstore().certificate_lookup.return_value = {'foo': 'bar', 'order__account__eab_kid': 'eab_kid1'}
+        modules = {'acme_srv.db_handler': models_mock}
+        patch.dict('sys.modules', modules).start()
+        self.assertFalse(self.eabhandler.eab_profile_get('csr'))
+
+    @patch('examples.eab_handler.kid_profile_handler.EABhandler.key_file_load')
+    def test_046_eab_profile_get(self, mock_prof):
+        """ test EABhandler._eab_profile_get() """
+        mock_prof.return_value = {'eab_kid': {'cahandler': {'foo_parameter': 'bar_parameter'}}}
+        models_mock = MagicMock()
+        models_mock.DBstore().certificate_lookup.side_effect = Exception('ex_db_lookup')
+        modules = {'acme_srv.db_handler': models_mock}
+        patch.dict('sys.modules', modules).start()
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.eabhandler.eab_profile_get('csr'))
+        self.assertIn('ERROR:test_a2c:EABhandler._eab_profile_get() database error: ex_db_lookup', lcm.output)
+
+
+if __name__ == '__main__':
+
+    unittest.main()
diff --git a/test/test_entrust.py b/test/test_entrust.py
new file mode 100644
index 00000000..48b7bea8
--- /dev/null
+++ b/test/test_entrust.py
@@ -0,0 +1,1215 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+""" unittests for openxpki_ca_handler """
+# pylint: disable=C0415, R0904, W0212
+import sys
+import os
+import unittest
+from unittest.mock import patch, mock_open, Mock, MagicMock
+import requests
+import base64
+from OpenSSL import crypto
+
+sys.path.insert(0, '.')
+sys.path.insert(1, '..')
+
+class FakeDBStore(object):
+    """ face DBStore class needed for mocking """
+    # pylint: disable=W0107, R0903
+    pass
+
+class TestACMEHandler(unittest.TestCase):
+    """ test class for cgi_handler """
+
+    def setUp(self):
+        """ setup unittest """
+        models_mock = MagicMock()
+        models_mock.acme_srv.db_handler.DBstore.return_value = FakeDBStore
+        modules = {'acme_srv.db_handler': models_mock}
+        patch.dict('sys.modules', modules).start()
+        import logging
+        from examples.ca_handler.entrust_ca_handler import CAhandler
+        logging.basicConfig(level=logging.CRITICAL)
+        self.logger = logging.getLogger('test_a2c')
+        self.cahandler = CAhandler(False, self.logger)
+        self.dir_path = os.path.dirname(os.path.realpath(__file__))
+
+    def test_001_default(self):
+        """ default test which always passes """
+        self.assertEqual('foo', 'foo')
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_load')
+    def test_002__enter__(self, mock_cfg):
+        """ test enter  called """
+        mock_cfg.return_value = True
+        self.cahandler.__enter__()
+        self.assertTrue(mock_cfg.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_load')
+    def test_003__enter__(self, mock_cfg):
+        """ test enter api hosts defined """
+        mock_cfg.return_value = True
+        self.cahandler.session = 'session'
+        self.cahandler.__enter__()
+        self.assertFalse(mock_cfg.called)
+
+    def test_004_poll(self):
+        """ test polling """
+        self.assertEqual(('Method not implemented.', None, None, 'poll_identifier', False), self.cahandler.poll('cert_name', 'poll_identifier', 'csr'))
+
+    def test_005_trigger(self):
+        """ test polling """
+        self.assertEqual(('Method not implemented.', None, None), self.cahandler.trigger('payload'))
+
+    @patch('examples.ca_handler.entrust_ca_handler.allowed_domainlist_check')
+    def test_006_allowed_domainlist_check(self, mock_adc):
+        """ test allowed_domainlist_check """
+        self.cahandler.allowed_domainlist = False
+        self.assertFalse(self.cahandler._allowed_domainlist_check('csr'))
+        self.assertFalse(mock_adc.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.allowed_domainlist_check')
+    def test_007_allowed_domainlist_check(self, mock_adc):
+        """ test allowed_domainlist_check """
+        self.cahandler.allowed_domainlist = ["test.com"]
+        mock_adc.return_value = True
+        self.assertFalse(self.cahandler._allowed_domainlist_check('csr'))
+        self.assertTrue(mock_adc.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.allowed_domainlist_check')
+    def test_008_allowed_domainlist_check(self, mock_adc):
+        """ test allowed_domainlist_check """
+        self.cahandler.allowed_domainlist = ["test.com"]
+        mock_adc.return_value = False
+        self.assertEqual('Either CN or SANs are not allowed by configuration', self.cahandler._allowed_domainlist_check('csr'))
+        self.assertTrue(mock_adc.called)
+
+    def test_009__api_post(self):
+        """ test _api_post() """
+        mockresponse = Mock()
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'status_code'
+        mockresponse2.text = 'foo'
+        mockresponse2.json = lambda: {'foo': 'bar'}
+        mockresponse = Mock()
+        mockresponse.post.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_post('url', 'data'))
+
+    def test_010__api_post(self):
+        """ test _api_post() """
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'status_code'
+        mockresponse2.text = 'foo'
+        mockresponse2.json.side_effect = Exception('ex_json')
+        mockresponse = Mock()
+        mockresponse.post.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', 'ex_json'), self.cahandler._api_post('url', 'data'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error during json parsing: ex_json', lcm.output)
+
+    def test_011__api_post(self):
+        """ test _api_post() """
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'status_code'
+        mockresponse2.text = None
+        mockresponse2.json = lambda: {'foo': 'bar'}
+        mockresponse = Mock()
+        mockresponse.post.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        self.assertEqual(('status_code', None), self.cahandler._api_post('url', 'data'))
+
+    def test_012__api_post(self):
+        """ test _api_post(= """
+        mockresponse = Mock()
+        mockresponse.post.side_effect = [Exception('exc_api_post')]
+        self.cahandler.session = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_post'), self.cahandler._api_post('url', 'data'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error: exc_api_post', lcm.output)
+
+    def test_013__api_get(self):
+        """ test _api_get() """
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'status_code'
+        mockresponse2.text = 'foo'
+        mockresponse2.json = lambda: {'foo': 'bar'}
+        mockresponse = Mock()
+        mockresponse.get.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_get('url'))
+
+    def test_014__api_get(self):
+        """ test _api_get() """
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'status_code'
+        mockresponse2.text = 'foo'
+        mockresponse2.json.side_effect = Exception('ex_json')
+        mockresponse = Mock()
+        mockresponse.get.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', 'ex_json'), self.cahandler._api_get('url'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error during json parsing: ex_json', lcm.output)
+
+    def test_015__api_get(self):
+        """ test _api_get() """
+        mockresponse = Mock()
+        mockresponse.get.side_effect = [Exception('exc_api_get')]
+        self.cahandler.session = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_get'), self.cahandler._api_get('url'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error: exc_api_get', lcm.output)
+
+    def test_016__api_put(self):
+        """ test _api_put() """
+        mockresponse = Mock()
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'status_code'
+        mockresponse2.text = 'foo'
+        mockresponse2.json = lambda: {'foo': 'bar'}
+        mockresponse = Mock()
+        mockresponse.put.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        self.assertEqual(('status_code', {'foo': 'bar'}), self.cahandler._api_put('url', 'data'))
+
+    def test_017__api_put(self):
+        """ test _api_put() """
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'status_code'
+        mockresponse2.text = 'foo'
+        mockresponse2.json.side_effect = Exception('ex_json')
+        mockresponse = Mock()
+        mockresponse.put.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('status_code', 'ex_json'), self.cahandler._api_put('url', 'data'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error during json parsing: ex_json', lcm.output)
+
+    def test_018__api_put(self):
+        """ test _api_put() """
+        mockresponse2 = Mock()
+        mockresponse2.status_code = 'foo'
+        mockresponse2.text = None
+        mockresponse2.json = lambda: {'foo': 'bar'}
+        mockresponse = Mock()
+        mockresponse.put.side_effect = [mockresponse2]
+        self.cahandler.session = mockresponse
+        self.assertEqual(('foo', None), self.cahandler._api_put('url', 'data'))
+
+    def test_019__api_put(self):
+        """ test _api_put() """
+        mockresponse = Mock()
+        mockresponse.put.side_effect = Exception('exc_api_put')
+        self.cahandler.session = mockresponse
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, 'exc_api_put'), self.cahandler._api_put('url', 'data'))
+        self.assertIn('ERROR:test_a2c:request_operation returned error: exc_api_put', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_020_certificates_get_from_serial(self, mock_api):
+        """ test certificates_get_from_serial """
+        mock_api.return_value = (200, {'certificates': ['foo', 'bar']})
+        self.assertEqual(['foo', 'bar'], self.cahandler._certificates_get_from_serial('serial'))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_021_certificates_get_from_serial(self, mock_api):
+        """ test certificates_get_from_serial """
+        mock_api.return_value = (300, {'certificates': ['foo', 'bar']})
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cahandler._certificates_get_from_serial('serial'))
+        self.assertIn('ERROR:test_a2c:CAhandler._certificates_get_from_serial() for serial failed with code: 300', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_022_certificates_get_from_serial(self, mock_api):
+        """ test certificates_get_from_serial """
+        mock_api.return_value = (200, {'certificates1': ['foo', 'bar']})
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cahandler._certificates_get_from_serial('serial'))
+        self.assertIn('ERROR:test_a2c:CAhandler._certificates_get_from_serial() for serial failed with code: 200', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_023_certificates_get_from_serial(self, mock_api):
+        """ test certificates_get_from_serial """
+        mock_api.return_value = (200, {'certificates': ['foo', 'bar']})
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(['foo', 'bar'], self.cahandler._certificates_get_from_serial('0serial'))
+        self.assertIn('INFO:test_a2c:CAhandler._certificates_get_from_serial() remove leading zeros from serial number', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_024_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'foo': 'bar'}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertFalse(mock_session.called)
+        self.assertFalse(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_025_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_026_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'api_url': 'api_url', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('api_url', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_027_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'request_timeout': '15', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(15, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_028_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'request_timeout': 'aa', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn("ERROR:test_a2c:CAhandler._config_load(): failed to parse request_timeout invalid literal for int() with base 10: 'aa'", lcm.output)
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_029_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'cert_validity_days': '10', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(10, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_030_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'cert_validity_days': 'aa', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_load()
+        self.assertIn("ERROR:test_a2c:CAhandler._config_load(): failed to parse cert_validity_days invalid literal for int() with base 10: 'aa'", lcm.output)
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_031_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'username': 'username', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertEqual('username', self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_032_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'password': 'password', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertEqual('password', self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_033_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'organization_name': 'organization_name', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertEqual('organization_name', self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_034_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'certtype': 'certtype', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('certtype', self.cahandler.certtype)
+        self.assertFalse(self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_035_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'allowed_domainlist': '["foo", "bar"]', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertEqual(['foo', 'bar'], self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch('examples.ca_handler.entrust_ca_handler.config_headerinfo_load')
+    @patch('examples.ca_handler.entrust_ca_handler.config_eab_profile_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_root_load')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_session_load')
+    @patch('examples.ca_handler.entrust_ca_handler.load_config')
+    def test_036_config_load(self, mock_load, mock_session, mock_root, mock_eab, mock_header):
+        """ test load_config() """
+        mock_load.return_value = {'CAhandler': {'allowed_domainlist': 'bar', 'foo': 'bar'}}
+        mock_eab.return_value = (True, 'handler')
+        mock_header.return_value = 'hil'
+        self.cahandler._config_load()
+        self.assertTrue(mock_session.called)
+        self.assertTrue(mock_root.called)
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_header.called)
+        self.assertEqual('https://api.entrust.net/enterprise/v2', self.cahandler.api_url)
+        self.assertEqual(10, self.cahandler.request_timeout)
+        self.assertEqual('handler', self.cahandler.eab_handler)
+        self.assertTrue(self.cahandler.eab_profiling)
+        self.assertEqual(365, self.cahandler.cert_validity_days)
+        self.assertFalse(self.cahandler.username)
+        self.assertFalse(self.cahandler.password)
+        self.assertFalse(self.cahandler.organization_name)
+        self.assertEqual('STANDARD_SSL', self.cahandler.certtype)
+        self.assertEqual('failed to parse', self.cahandler.allowed_domainlist)
+        self.assertEqual('hil', self.cahandler.header_info_field)
+
+    @patch.dict('os.environ', {'cert_passphrase_var': 'user_var'})
+    def test_037_config_passphrase_load(self):
+        """ test _config_load - load template with user variable """
+        config_dic = {'CAhandler': {'cert_passphrase_variable': 'cert_passphrase_var'}}
+        self.cahandler._config_passphrase_load(config_dic)
+        self.assertEqual('user_var', self.cahandler.cert_passphrase)
+
+    @patch.dict('os.environ', {'cert_passphrase_var': 'user_var'})
+    def test_038_config_passphrase_load(self):
+        """ test _config_load - load template with user variable """
+        config_dic = {'CAhandler': {'cert_passphrase_variable': 'does_not_exist'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_passphrase_load(config_dic)
+        self.assertFalse(self.cahandler.cert_passphrase)
+        self.assertIn("ERROR:test_a2c:CAhandler._config_passphrase_load() could not load cert_passphrase_variable:'does_not_exist'", lcm.output)
+
+    @patch.dict('os.environ', {'cert_passphrase_var': 'user_var'})
+    def test_039_config_passphrase_load(self):
+        """ test _config_load - load template with user variable """
+        config_dic = {'CAhandler': {'cert_passphrase_variable': 'cert_passphrase_var', 'cert_passphrase': 'cert_passphrase'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_passphrase_load(config_dic)
+        self.assertIn('INFO:test_a2c:CAhandler._config_load() overwrite cert_passphrase', lcm.output)
+        self.assertEqual('cert_passphrase', self.cahandler.cert_passphrase)
+
+    @patch("builtins.open", mock_open(read_data='cert'), create=True)
+    @patch('os.path.isfile')
+    def test_040_config_root_load(self, mock_file):
+        """ _config_root_load() """
+        mock_file.return_value = True
+        config_dic = {'CAhandler': {'entrust_root_cert': 'root_cert'}}
+        self.cahandler._config_root_load(config_dic)
+        self.assertEqual('cert', self.cahandler.entrust_root_cert)
+
+    @patch("builtins.open", mock_open(read_data='cert'), create=True)
+    @patch('os.path.isfile')
+    def test_041_config_root_load(self, mock_file):
+        """ _config_root_load() """
+        mock_file.return_value = False
+        config_dic = {'CAhandler': {'entrust_root_cert': 'root_cert'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_root_load(config_dic)
+        self.assertIn('ERROR:test_a2c:CAhandler._config_root_load(): root CA file configured but not not found. Using default one.', lcm.output)
+        self.assertIn('290IENlcnRpZmljYXRpb24g', self.cahandler.entrust_root_cert)
+
+    @patch("builtins.open", mock_open(read_data='cert'), create=True)
+    @patch('os.path.isfile')
+    def test_042_config_root_load(self, mock_file):
+        """ _config_root_load() """
+        mock_file.return_value = False
+        config_dic = {'CAhandler': {'unk': 'root_cert'}}
+        self.cahandler._config_root_load(config_dic)
+        self.assertIn('290IENlcnRpZmljYXRpb24g', self.cahandler.entrust_root_cert)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_passphrase_load')
+    def test_043_config_session_load(self, mock_sl):
+        """ _config_session_load() """
+        config_dic = {'CAhandler': {'client_cert': 'client_cert', 'client_key': 'client_key'}}
+        self.cahandler._config_session_load(config_dic)
+        self.assertFalse(mock_sl.called)
+        self.assertTrue(self.cahandler.session)
+
+    @patch('examples.ca_handler.entrust_ca_handler.requests.Session')
+    @patch('examples.ca_handler.entrust_ca_handler.Pkcs12Adapter')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_passphrase_load')
+    def test_044_config_session_load(self, mock_sl, mock_pkcs12, mock_session):
+        """ _config_session_load() """
+        config_dic = {'CAhandler': {'client_cert': 'client_cert'}}
+        mock_session.return_value.__enter__.return_value = Mock()
+        self.cahandler.cert_passphrase = 'cert_passphrase'
+        self.cahandler._config_session_load(config_dic)
+        self.assertTrue(mock_sl.called)
+        self.assertTrue(self.cahandler.session)
+        self.assertTrue(mock_pkcs12.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.requests.Session')
+    @patch('examples.ca_handler.entrust_ca_handler.Pkcs12Adapter')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_passphrase_load')
+    def test_045_config_session_load(self, mock_sl, mock_pkcs12, mock_session):
+        """ _config_session_load() """
+        config_dic = {'CAhandler': {'foo': 'client_cert'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_session_load(config_dic)
+        self.assertTrue(mock_sl.called)
+        self.assertTrue(self.cahandler.session)
+        self.assertIn('WARNING:test_a2c:CAhandler._config_load() configuration might be incomplete: "client_cert. "client_key" or "client_passphrase[_variable] parameter is missing in config file', lcm.output)
+        self.assertFalse(mock_pkcs12.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._domains_get')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._organizations_get')
+    def test_046_org_domain_cfg_check(self, mock_org, mock_domain):
+        """ test _org_domain_cfg_check()"""
+        mock_org.return_value = []
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('Organization None not found in Entrust API', self.cahandler._org_domain_cfg_check())
+        self.assertTrue(mock_org.called)
+        self.assertFalse(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._domains_get')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._organizations_get')
+    def test_047_org_domain_cfg_check(self, mock_org, mock_domain):
+        """ test _org_domain_cfg_check()"""
+        mock_org.return_value = {'foo': 1, 'bar': 2}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('Organization None not found in Entrust API', self.cahandler._org_domain_cfg_check())
+        self.assertTrue(mock_org.called)
+        self.assertFalse(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._domains_get')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._organizations_get')
+    def test_048_org_domain_cfg_check(self, mock_org, mock_domain):
+        """ test _org_domain_cfg_check()"""
+        mock_org.return_value = {'foo': 1, 'bar': 2}
+        mock_domain.return_value = ['foo1', 'foo2']
+        self.cahandler.organization_name = 'foo1'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('Organization foo1 not found in Entrust API', self.cahandler._org_domain_cfg_check())
+        self.assertTrue(mock_org.called)
+        self.assertFalse(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._domains_get')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._organizations_get')
+    def test_049_org_domain_cfg_check(self, mock_org, mock_domain):
+        """ test _org_domain_cfg_check()"""
+        mock_org.return_value = {'foo': 1, 'bar': 2}
+        mock_domain.return_value = ['foo1', 'foo2']
+        self.cahandler.organization_name = 'foo'
+        self.assertFalse(self.cahandler._org_domain_cfg_check())
+        self.assertTrue(mock_org.called)
+        self.assertTrue(mock_domain.called)
+        self.assertEqual(['foo1', 'foo2'], self.cahandler.allowed_domainlist)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._domains_get')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._organizations_get')
+    def test_050_org_domain_cfg_check(self, mock_org, mock_domain):
+        """ test _org_domain_cfg_check()"""
+        mock_org.return_value = {'foo': 1, 'bar': 2}
+        mock_domain.return_value = ['foo1', 'foo2']
+        self.cahandler.organization_name = 'foo'
+        self.cahandler.allowed_domainlist = ['foo3', 'foo4']
+        self.assertFalse(self.cahandler._org_domain_cfg_check())
+        self.assertTrue(mock_org.called)
+        self.assertTrue(mock_domain.called)
+        self.assertEqual(['foo3', 'foo4'], self.cahandler.allowed_domainlist)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_051__organizations_get(self, mock_api):
+        """ test _organizations_get() """
+        mock_api.return_value = (500, 'foo')
+        self.cahandler.organization_name = 'organization_name'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._organizations_get()
+        self.assertIn('ERROR:test_a2c:CAhandler._organizations_get(): malformed response', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_052__organizations_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'organizations': [{'verificationStatus': 'APPROVED', 'name': 'foo', 'clientId': 1}, {'verificationStatus': 'APPROVED', 'name': 'bar', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.cahandler.organization_name = 'organization_name'
+        self.assertEqual({'foo': 1, 'bar': 2}, self.cahandler._organizations_get())
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_053__organizations_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'organizations': [{'verificationStatus': 'NOTAPPROVED', 'name': 'foo', 'clientId': 1}, {'verificationStatus': 'APPROVED', 'name': 'bar', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.cahandler.organization_name = 'organization_name'
+        self.assertEqual({'bar': 2}, self.cahandler._organizations_get())
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_054__organizations_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'organizations': [{'name': 'foo', 'clientId': 1}, {'verificationStatus': 'APPROVED', 'name': 'bar', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.cahandler.organization_name = 'organization_name'
+        self.assertEqual({'bar': 2}, self.cahandler._organizations_get())
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_055__organizations_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'organizations': [{'verificationStatus': 'APPROVED', '_name': 'foo', '_clientId': 1}, {'verificationStatus': 'APPROVED', 'name': 'bar', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.cahandler.organization_name = 'organization_name'
+        self.assertEqual({'bar': 2}, self.cahandler._organizations_get())
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_056__domains_get(self, mock_api):
+        """ test _organizations_get() """
+        mock_api.return_value = (500, 'foo')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._domains_get(1)
+        self.assertIn('ERROR:test_a2c:CAhandler._domains_get(): malformed response', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_057__domains_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'domains': [{'verificationStatus': 'APPROVED', 'domainName': 'foo.bar', 'clientId': 1}, {'verificationStatus': 'APPROVED', 'domainName': 'bar.foo', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.assertEqual(['foo.bar', 'bar.foo'], self.cahandler._domains_get(1))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_058__domains_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'domains': [{'verificationStatus': 'NOTAPPROVED', 'domainName': 'foo.bar', 'clientId': 1}, {'verificationStatus': 'APPROVED', 'domainName': 'bar.foo', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.assertEqual(['bar.foo'], self.cahandler._domains_get(1))
+
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_059__domains_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'domains': [{'Status': 'APPROVED', 'domainName': 'foo.bar', 'clientId': 1}, {'verificationStatus': 'APPROVED', 'domainName': 'bar.foo', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.assertEqual(['bar.foo'], self.cahandler._domains_get(1))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_060__domains_get(self, mock_api):
+        """ test _organizations_get() """
+        input_dic = {'domains': [{'verificationStatus': 'APPROVED', 'Name': 'foo.bar', 'clientId': 1}, {'verificationStatus': 'APPROVED', 'domainName': 'bar.foo', 'clientId': 2}]}
+        mock_api.return_value = (200, input_dic)
+        self.assertEqual(['bar.foo'], self.cahandler._domains_get(1))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_061_credential_check(self, mock_api):
+        """ test _organizations_get() """
+        mock_api.return_value = (500, 'foo')
+        self.assertEqual('Connection to Entrust API failed: foo', self.cahandler.credential_check())
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_062_credential_check(self, mock_api):
+        """ test _organizations_get() """
+        mock_api.return_value = (200, 'foo')
+        self.assertFalse(self.cahandler.credential_check())
+
+    def test_063_oonfig_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_check()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_check() ended with error: api_url parameter in missing in config file', lcm.output)
+
+    def test_064_oonfig_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = 'api_url'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_check()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_check() ended with error: username parameter in missing in config file', lcm.output)
+
+    def test_065_oonfig_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = 'api_url'
+        self.cahandler.username = 'username'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_check()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_check() ended with error: password parameter in missing in config file', lcm.output)
+
+    def test_066_oonfig_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = 'api_url'
+        self.cahandler.username = 'username'
+        self.cahandler.password = 'password'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._config_check()
+        self.assertIn('ERROR:test_a2c:CAhandler._config_check() ended with error: organization_name parameter in missing in config file', lcm.output)
+
+    def test_067_oonfig_check(self):
+        """ test _config_check() """
+        self.cahandler.api_url = 'api_url'
+        self.cahandler.username = 'username'
+        self.cahandler.password = 'password'
+        self.cahandler.organization_name = 'organization_name'
+        self.assertFalse(self.cahandler._config_check())
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._allowed_domainlist_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._org_domain_cfg_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler.credential_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_check')
+    @patch('examples.ca_handler.entrust_ca_handler.eab_profile_header_info_check')
+    def test_068_enroll_check(self, mock_eab, mock_config, mock_credential, mock_org, mock_domain):
+        """ test _enroll_check() """
+        mock_eab.return_value = 'mock_eab_error'
+        mock_config.return_value = 'mock_config_error'
+        mock_credential.return_value = 'mock_credential_error'
+        mock_org.return_value = 'mock_org_error'
+        mock_domain.return_value = 'mock_domain_error'
+        self.assertEqual('mock_eab_error', self.cahandler._enroll_check('csr'))
+        self.assertTrue(mock_eab.called)
+        self.assertFalse(mock_config.called)
+        self.assertFalse(mock_credential.called)
+        self.assertFalse(mock_org.called)
+        self.assertFalse(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._allowed_domainlist_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._org_domain_cfg_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler.credential_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_check')
+    @patch('examples.ca_handler.entrust_ca_handler.eab_profile_header_info_check')
+    def test_069_enroll_check(self, mock_eab, mock_config, mock_credential, mock_org, mock_domain):
+        """ test _enroll_check() """
+        mock_eab.return_value = False
+        mock_config.return_value = 'mock_config_error'
+        mock_credential.return_value = 'mock_credential_error'
+        mock_org.return_value = 'mock_org_error'
+        mock_domain.return_value = 'mock_domain_error'
+        self.assertEqual('mock_config_error', self.cahandler._enroll_check('csr'))
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_config.called)
+        self.assertFalse(mock_credential.called)
+        self.assertFalse(mock_org.called)
+        self.assertFalse(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._allowed_domainlist_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._org_domain_cfg_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler.credential_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_check')
+    @patch('examples.ca_handler.entrust_ca_handler.eab_profile_header_info_check')
+    def test_070_enroll_check(self, mock_eab, mock_config, mock_credential, mock_org, mock_domain):
+        """ test _enroll_check() """
+        mock_eab.return_value = False
+        mock_config.return_value = False
+        mock_credential.return_value = 'mock_credential_error'
+        mock_org.return_value = 'mock_org_error'
+        mock_domain.return_value = 'mock_domain_error'
+        self.assertEqual('mock_credential_error', self.cahandler._enroll_check('csr'))
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_config.called)
+        self.assertTrue(mock_credential.called)
+        self.assertFalse(mock_org.called)
+        self.assertFalse(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._allowed_domainlist_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._org_domain_cfg_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler.credential_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_check')
+    @patch('examples.ca_handler.entrust_ca_handler.eab_profile_header_info_check')
+    def test_071_enroll_check(self, mock_eab, mock_config, mock_credential, mock_org, mock_domain):
+        """ test _enroll_check() """
+        mock_eab.return_value = False
+        mock_config.return_value = False
+        mock_credential.return_value = False
+        mock_org.return_value = 'mock_org_error'
+        mock_domain.return_value = 'mock_domain_error'
+        self.assertEqual('mock_org_error', self.cahandler._enroll_check('csr'))
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_config.called)
+        self.assertTrue(mock_credential.called)
+        self.assertTrue(mock_org.called)
+        self.assertFalse(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._allowed_domainlist_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._org_domain_cfg_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler.credential_check')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._config_check')
+    @patch('examples.ca_handler.entrust_ca_handler.eab_profile_header_info_check')
+    def test_072_enroll_check(self, mock_eab, mock_config, mock_credential, mock_org, mock_domain):
+        """ test _enroll_check() """
+        mock_eab.return_value = False
+        mock_config.return_value = False
+        mock_credential.return_value = False
+        mock_org.return_value = False
+        mock_domain.return_value = 'mock_domain_error'
+        self.assertEqual('mock_domain_error', self.cahandler._enroll_check('csr'))
+        self.assertTrue(mock_eab.called)
+        self.assertTrue(mock_config.called)
+        self.assertTrue(mock_credential.called)
+        self.assertTrue(mock_org.called)
+        self.assertTrue(mock_domain.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._certificates_get_from_serial')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_serial_get')
+    @patch('examples.ca_handler.entrust_ca_handler.header_info_get')
+    def test_073__trackingid_get(self, mock_header, mock_serial, mock_cert):
+        """ test _trackingid_get() """
+        mock_header.return_value = [{'poll_identifier': 'tracking_id'}, {'poll_identifier': 'tracking_id2'}]
+        self.assertEqual('tracking_id', self.cahandler._trackingid_get('csr'))
+        self.assertFalse(mock_serial.called)
+        self.assertFalse(mock_cert.called)
+
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._certificates_get_from_serial')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_serial_get')
+    @patch('examples.ca_handler.entrust_ca_handler.header_info_get')
+    def test_074__trackingid_get(self, mock_header, mock_serial, mock_cert):
+        """ test _trackingid_get() """
+        mock_header.return_value = [{'identifier': 'tracking_id1'}, {'poll_identifier': 'tracking_id2'}]
+        self.assertEqual('tracking_id2', self.cahandler._trackingid_get('csr'))
+        self.assertFalse(mock_serial.called)
+        self.assertFalse(mock_cert.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._certificates_get_from_serial')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_serial_get')
+    @patch('examples.ca_handler.entrust_ca_handler.header_info_get')
+    def test_075__trackingid_get(self, mock_header, mock_serial, mock_cert):
+        """ test _trackingid_get() """
+        mock_header.return_value = []
+        mock_serial.return_value = 'serial'
+        mock_cert.return_value = [{'trackingId': 'tracking_id'}]
+        self.assertEqual('tracking_id', self.cahandler._trackingid_get('csr'))
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_cert.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._certificates_get_from_serial')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_serial_get')
+    @patch('examples.ca_handler.entrust_ca_handler.header_info_get')
+    def test_076__trackingid_get(self, mock_header, mock_serial, mock_cert):
+        """ test _trackingid_get() """
+        mock_header.return_value = []
+        mock_serial.return_value = 'serial'
+        mock_cert.return_value = [{'id': 'tracking_id'}]
+        self.assertFalse(self.cahandler._trackingid_get('csr'))
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_cert.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._certificates_get_from_serial')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_serial_get')
+    @patch('examples.ca_handler.entrust_ca_handler.header_info_get')
+    def test_077__trackingid_get(self, mock_header, mock_serial, mock_cert):
+        """ test _trackingid_get() """
+        mock_header.return_value = []
+        mock_serial.return_value = 'serial'
+        mock_cert.return_value = [{'id': 'tracking_id1'}, {'trackingId': 'tracking_id2'}]
+        self.assertEqual('tracking_id2', self.cahandler._trackingid_get('csr'))
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_cert.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.b64_encode')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_pem2der')
+    def test_078_response_parse(self, mock_der, mock_enc):
+        """ test _rsponse_parse() """
+        mock_der.return_value = 'cert_data'
+        mock_enc.return_value = 'mock_enc'
+        self.cahandler.entrust_root_cert = 'root_cert'
+        response = {"trackingId": "trackingId", 'endEntityCert': 'endEntityCert', 'chainCerts': ['foo1', 'foo2']}
+        self.assertEqual(('foo1\nfoo2\nroot_cert\n', 'mock_enc', 'trackingId'), self.cahandler._response_parse(response))
+        self.assertTrue(mock_der.called)
+        self.assertTrue(mock_enc.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.b64_encode')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_pem2der')
+    def test_079_response_parse(self, mock_der, mock_enc):
+        """ test _rsponse_parse() """
+        mock_der.return_value = 'cert_data'
+        mock_enc.return_value = 'mock_enc'
+        self.cahandler.entrust_root_cert = 'root_cert'
+        response = {"falsetrackingId": "trackingId", 'endEntityCert': 'endEntityCert', 'chainCerts': ['foo1', 'foo2']}
+        self.assertEqual(('foo1\nfoo2\nroot_cert\n', 'mock_enc', None), self.cahandler._response_parse(response))
+        self.assertTrue(mock_der.called)
+        self.assertTrue(mock_enc.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.b64_encode')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_pem2der')
+    def test_080_response_parse(self, mock_der, mock_enc):
+        """ test _rsponse_parse() """
+        mock_der.return_value = 'cert_data'
+        mock_enc.return_value = 'mock_enc'
+        self.cahandler.entrust_root_cert = 'root_cert'
+        response = {"trackingId": "trackingId", 'endEntityCert': 'endEntityCert', 'Certs': ['foo1', 'foo2']}
+        self.assertEqual((None, None, 'trackingId'), self.cahandler._response_parse(response))
+        self.assertFalse(mock_der.called)
+        self.assertFalse(mock_enc.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.b64_encode')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_pem2der')
+    def test_081_response_parse(self, mock_der, mock_enc):
+        """ test _rsponse_parse() """
+        mock_der.return_value = 'cert_data'
+        mock_enc.return_value = 'mock_enc'
+        self.cahandler.entrust_root_cert = 'root_cert'
+        response = {"trackingId": "trackingId", 'EntityCert': 'endEntityCert', 'chainCerts': ['foo1', 'foo2']}
+        self.assertEqual((None, None, 'trackingId'), self.cahandler._response_parse(response))
+        self.assertFalse(mock_der.called)
+        self.assertFalse(mock_enc.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.b64_encode')
+    @patch('examples.ca_handler.entrust_ca_handler.cert_pem2der')
+    def test_082_response_parse(self, mock_der, mock_enc):
+        """ test _rsponse_parse() """
+        mock_der.return_value = 'cert_data'
+        mock_enc.return_value = 'mock_enc'
+        self.cahandler.entrust_root_cert = 'root_cert'
+        response = {"trackingId": "trackingId", 'endEntityCert': 'endEntityCert', 'chainCerts': []}
+        self.assertEqual(('root_cert\n', 'mock_enc', 'trackingId'), self.cahandler._response_parse(response))
+        self.assertTrue(mock_der.called)
+        self.assertTrue(mock_enc.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._response_parse')
+    @patch('examples.ca_handler.entrust_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_post')
+    def test_083_enroll(self, mock_req, mock_cn, mock_parse):
+        """ test _enroll() """
+        mock_cn.return_value = 'cn'
+        mock_req.return_value = (201, 'response')
+        mock_parse.return_value = ('cert_bundle', 'cert_raw', 'poll_indentifier')
+        self.assertEqual((None, 'cert_bundle', 'cert_raw', 'poll_indentifier'), self.cahandler._enroll('csr'))
+        self.assertTrue(mock_cn.called)
+        self.assertTrue(mock_req.called)
+        self.assertTrue(mock_parse.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._response_parse')
+    @patch('examples.ca_handler.entrust_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_post')
+    def test_084_enroll(self, mock_req, mock_cn, mock_parse):
+        """ test _enroll() """
+        mock_cn.return_value = 'cn'
+        mock_req.return_value = (404, 'response')
+        mock_parse.return_value = ('cert_bundle', 'cert_raw', 'poll_indentifier')
+        self.assertEqual(('Error during order creation: 404 - response', None, None, None), self.cahandler._enroll('csr'))
+        self.assertTrue(mock_cn.called)
+        self.assertTrue(mock_req.called)
+        self.assertFalse(mock_parse.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._response_parse')
+    @patch('examples.ca_handler.entrust_ca_handler.csr_cn_lookup')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_post')
+    def test_085_enroll(self, mock_req, mock_cn, mock_parse):
+        """ test _enroll() """
+        mock_cn.return_value = 'cn'
+        mock_req.return_value = (404, {'errors': 'response, response2'})
+        mock_parse.return_value = ('cert_bundle', 'cert_raw', 'poll_indentifier')
+        self.assertEqual(('Error during order creation: 404 - response, response2', None, None, None), self.cahandler._enroll('csr'))
+        self.assertTrue(mock_cn.called)
+        self.assertTrue(mock_req.called)
+        self.assertFalse(mock_parse.called)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._enroll')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._enroll_check')
+    def test_086_enroll(self, mock_chk, mock_enroll):
+        """ test enroll() """
+        mock_chk.return_value = None
+        mock_enroll.return_value = ('mock_err', 'mock_bundle', 'mock_raw', 'mock_poll')
+        self.assertEqual(('mock_err', 'mock_bundle', 'mock_raw', 'mock_poll'), self.cahandler.enroll('csr'))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._enroll')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._enroll_check')
+    def test_087_enroll(self, mock_chk, mock_enroll):
+        """ test enroll() """
+        mock_chk.return_value = 'mock_chk'
+        mock_enroll.return_value = ('mock_err', 'mock_bundle', 'mock_raw', 'mock_poll')
+        self.assertEqual(('mock_chk', None, None, None), self.cahandler.enroll('csr'))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._trackingid_get')
+    def test_088_revoke(self, mock_track, mock_req):
+        """ test revoke() """
+        mock_track.return_value = 'tracking_id'
+        mock_req.return_value = (200, 'response')
+        self.assertEqual((200, 'Certificate revoked', None), self.cahandler.revoke('csr'))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._trackingid_get')
+    def test_089_revoke(self, mock_track, mock_req):
+        """ test revoke() """
+        mock_track.return_value = 'tracking_id'
+        mock_req.return_value = (500, 'response')
+        self.assertEqual((500, 'urn:ietf:params:acme:error:serverInternal', 'response'), self.cahandler.revoke('csr'))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._trackingid_get')
+    def test_090_revoke(self, mock_track, mock_req):
+        """ test revoke() """
+        mock_track.return_value = None
+        mock_req.return_value = (200, 'response')
+        self.assertEqual((500, 'urn:ietf:params:acme:error:serverInternal', 'Failed to get tracking id'), self.cahandler.revoke('csr'))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_091_certificates_get(self, mock_req):
+        """ test certificates_get() """
+        mock_req.return_value = (500, 'response')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cahandler.certificates_get())
+        self.assertIn('ERROR:test_a2c:CAhandler.certificates_get() failed with code: 500', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_092_certificates_get(self, mock_req):
+        """ test certificates_get() """
+        content = {'certificates': [1, 2, 3, 4], 'summary': {'total': 4}}
+        mock_req.return_value = (200, content)
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual([1, 2, 3, 4], self.cahandler.certificates_get())
+        self.assertIn('INFO:test_a2c:fetching certs offset: 0, limit: 200, total: 1, buffered: 0', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_093_certificates_get(self, mock_req):
+        """ test certificates_get() """
+        response1 = (200, {'certificates': [1, 2, 3, 4], 'summary': {'total': 8}})
+        response2 = (200, {'certificates': [5, 6, 7, 8]})
+        mock_req.side_effect = [response1, response2]
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual([1, 2, 3, 4, 5, 6, 7, 8], self.cahandler.certificates_get())
+        self.assertIn('INFO:test_a2c:fetching certs offset: 0, limit: 200, total: 1, buffered: 0', lcm.output)
+        self.assertIn('INFO:test_a2c:fetching certs offset: 200, limit: 200, total: 8, buffered: 4', lcm.output)
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_094_certificates_get(self, mock_req):
+        """ test certificates_get() """
+        response1 = (200, {'certificates': [1, 2, 3, 4]})
+        response2 = (200, {'certificates': [5, 6, 7, 8]})
+        mock_req.side_effect = [response1, response2]
+        with self.assertRaises(Exception) as err:
+            self.assertFalse(self.cahandler.certificates_get())
+        self.assertEqual('Certificates lookup failed: did not get any total value', str(err.exception))
+
+    @patch('examples.ca_handler.entrust_ca_handler.CAhandler._api_get')
+    def test_095_certificates_get(self, mock_req):
+        """ test certificates_get() """
+        response1 = (200, {'certificates': [1, 2, 3, 4], 'summary': {'total': 9}})
+        response2 = (200, {'certificates': [5, 6, 7, 8]})
+        response3 = (200, {'certificates': [5, 6, 7, 8]})
+        mock_req.side_effect = [response1, response2, response3]
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual([1, 2, 3, 4, 5, 6, 7, 8], self.cahandler.certificates_get())
+        self.assertIn('INFO:test_a2c:fetching certs offset: 0, limit: 200, total: 1, buffered: 0', lcm.output)
+        self.assertIn('INFO:test_a2c:fetching certs offset: 200, limit: 200, total: 9, buffered: 4', lcm.output)
+        self.assertIn('INFO:test_a2c:fetching certs offset: 400, limit: 200, total: 9, buffered: 8', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler.certificates_get() failed to get new data', lcm.output)
+
+
+if __name__ == '__main__':
+
+    unittest.main()
diff --git a/test/test_helper.py b/test/test_helper.py
index 2958e47c..3565b40d 100644
--- a/test/test_helper.py
+++ b/test/test_helper.py
@@ -9,6 +9,7 @@
 import socket
 from unittest.mock import patch, MagicMock, Mock
 import dns.resolver
+import base64
 
 sys.path.insert(0, '.')
 sys.path.insert(1, '..')
@@ -25,7 +26,7 @@ def setUp(self):
         """ setup unittest """
         import logging
         logging.basicConfig(level=logging.CRITICAL)
-        from acme_srv.helper import b64decode_pad, b64_decode, b64_encode, b64_url_encode, b64_url_recode, convert_string_to_byte, convert_byte_to_string, decode_message, decode_deserialize, get_url, generate_random_string, signature_check, validate_email, uts_to_date_utc, date_to_uts_utc, load_config, cert_serial_get, cert_san_get, cert_dates_get, build_pem_file, date_to_datestr, datestr_to_date, dkeys_lower, csr_cn_get, cert_pubkey_get, csr_pubkey_get, url_get, url_get_with_own_dns,  dns_server_list_load, csr_san_get, csr_extensions_get, fqdn_resolve, fqdn_in_san_check, sha256_hash, sha256_hash_hex, cert_der2pem, cert_pem2der, cert_extensions_get, csr_dn_get, logger_setup, logger_info, print_debug, jwk_thumbprint_get, allowed_gai_family, patched_create_connection, validate_csr, servercert_get, txt_get, proxystring_convert, proxy_check, handle_exception, ca_handler_load, eab_handler_load, hooks_load, error_dic_get, _logger_nonce_modify, _logger_certificate_modify, _logger_token_modify, _logger_challenges_modify, config_check, cert_issuer_get, cert_cn_get, string_sanitize, pembundle_to_list, certid_asn1_get, certid_check, certid_hex_get, v6_adjust, ipv6_chk, header_info_get
+        from acme_srv.helper import b64decode_pad, b64_decode, b64_encode, b64_url_encode, b64_url_recode, convert_string_to_byte, convert_byte_to_string, decode_message, decode_deserialize, get_url, generate_random_string, signature_check, validate_email, uts_to_date_utc, date_to_uts_utc, load_config, cert_serial_get, cert_san_get, cert_san_pyopenssl_get, cert_dates_get, build_pem_file, date_to_datestr, datestr_to_date, dkeys_lower, csr_cn_get, cert_pubkey_get, csr_pubkey_get, url_get, url_get_with_own_dns,  dns_server_list_load, csr_san_get, csr_san_byte_get, csr_extensions_get, fqdn_resolve, fqdn_in_san_check, sha256_hash, sha256_hash_hex, cert_der2pem, cert_pem2der, cert_extensions_get, csr_dn_get, logger_setup, logger_info, print_debug, jwk_thumbprint_get, allowed_gai_family, patched_create_connection, validate_csr, servercert_get, txt_get, proxystring_convert, proxy_check, handle_exception, ca_handler_load, eab_handler_load, hooks_load, error_dic_get, _logger_nonce_modify, _logger_certificate_modify, _logger_token_modify, _logger_challenges_modify, config_check, cert_issuer_get, cert_cn_get, string_sanitize, pembundle_to_list, certid_asn1_get, certid_check, certid_hex_get, v6_adjust, ipv6_chk, ip_validate, header_info_get, encode_url, uts_now, cert_ski_get, cert_ski_pyopenssl_get, cert_aki_get, cert_aki_pyopenssl_get, validate_fqdn, validate_ip, validate_identifier, header_info_field_validate, header_info_lookup, config_eab_profile_load, config_headerinfo_load, domainlist_check, allowed_domainlist_check, eab_profile_string_check, eab_profile_list_check, eab_profile_check, eab_profile_header_info_check, cert_extensions_py_openssl_get, cryptography_version_get, cn_validate, csr_subject_get, eab_profile_subject_string_check, eab_profile_subject_check, csr_cn_lookup, request_operation
         self.logger = logging.getLogger('test_a2c')
         self.allowed_gai_family = allowed_gai_family
         self.b64_decode = b64_decode
@@ -37,11 +38,17 @@ def setUp(self):
         self.ca_handler_load = ca_handler_load
         self.cert_dates_get = cert_dates_get
         self.cert_extensions_get = cert_extensions_get
+        self.cert_extensions_py_openssl_get = cert_extensions_py_openssl_get
         self.certid_asn1_get = certid_asn1_get
         self.certid_check = certid_check
         self.cert_pubkey_get = cert_pubkey_get
         self.cert_san_get = cert_san_get
+        self.cert_san_pyopenssl_get = cert_san_pyopenssl_get
         self.cert_serial_get = cert_serial_get
+        self.cert_aki_get = cert_aki_get
+        self.cert_aki_pyopenssl_get = cert_aki_pyopenssl_get
+        self.cert_ski_get = cert_ski_get
+        self.cert_ski_pyopenssl_get = cert_ski_pyopenssl_get
         self.cert_issuer_get = cert_issuer_get
         self.cert_pem2der = cert_pem2der
         self.cert_der2pem = cert_der2pem
@@ -50,6 +57,7 @@ def setUp(self):
         self.config_check = config_check
         self.convert_byte_to_string = convert_byte_to_string
         self.convert_string_to_byte = convert_string_to_byte
+        self.cryptography_version_get = cryptography_version_get
         self.csr_cn_get = csr_cn_get
         self.csr_dn_get = csr_dn_get
         self.csr_extensions_get = csr_extensions_get
@@ -68,6 +76,8 @@ def setUp(self):
         self.fqdn_in_san_check = fqdn_in_san_check
         self.generate_random_string = generate_random_string
         self.get_url = get_url
+        self.header_info_field_validate = header_info_field_validate
+        self.header_info_lookup = header_info_lookup
         self.hooks_load = hooks_load
         self.ipv6_chk = ipv6_chk
         self.jwk_thumbprint_get = jwk_thumbprint_get
@@ -89,6 +99,9 @@ def setUp(self):
         self.url_get_with_own_dns = url_get_with_own_dns
         self.uts_to_date_utc = uts_to_date_utc
         self.validate_email = validate_email
+        self.validate_ip = validate_ip
+        self.validate_fqdn = validate_fqdn
+        self.validate_identifier = validate_identifier
         self.validate_csr = validate_csr
         self.sha256_hash = sha256_hash
         self.sha256_hash_hex = sha256_hash_hex
@@ -97,6 +110,24 @@ def setUp(self):
         self.v6_adjust = v6_adjust
         self.handle_exception = handle_exception
         self.header_info_get = header_info_get
+        self.csr_san_byte_get = csr_san_byte_get
+        self.encode_url = encode_url
+        self.uts_now = uts_now
+        self.ip_validate = ip_validate
+        self.config_headerinfo_load = config_headerinfo_load
+        self.config_eab_profile_load = config_eab_profile_load
+        self.domainlist_check = domainlist_check
+        self.allowed_domainlist_check = allowed_domainlist_check
+        self.eab_profile_string_check = eab_profile_string_check
+        self.eab_profile_list_check = eab_profile_list_check
+        self.eab_profile_check = eab_profile_check
+        self.eab_profile_header_info_check = eab_profile_header_info_check
+        self.cn_validate = cn_validate
+        self.csr_subject_get = csr_subject_get
+        self.eab_profile_subject_string_check = eab_profile_subject_string_check
+        self.eab_profile_subject_check = eab_profile_subject_check
+        self.csr_cn_lookup = csr_cn_lookup
+        self.request_operation = request_operation
 
     def test_001_helper_b64decode_pad(self):
         """ test b64decode_pad() method with a regular base64 encoded string """
@@ -366,7 +397,7 @@ def test_043_helper_cert_serial_get(self):
                 bta75ocePrurdNxsxKJhLlXbnKD6lurCb4khRhrmLmpK8JxhuaevEVklSQX0gqlR
                 fxAH4XQsaqcaedPNI+W5OUITMz40ezDCbUqxS9KEMCGPoOTXNRAjbr72sc4Vkw7H
                 t+eRUDECE+0UnjyeCjTn3EU="""
-        self.assertEqual('a', self.cert_serial_get(self.logger, cert, hexformat=True))
+        self.assertEqual('0a', self.cert_serial_get(self.logger, cert, hexformat=True))
 
     def test_044_helper_cert_issuer_get(self):
         """ test cert_issuer_get """
@@ -441,8 +472,29 @@ def test_048_helper_cert_san_get(self):
         cert = """MIIDezCCAWOgAwIBAgIIIAuZLppuFT4wDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMzA3MjAwNDIxMTlaFw0yNDA3MTkwNDIxMTlaMBkxFzAVBgNVBAMTDjE5Mi4xNjguMTQuMTMxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQTs6Bra1zfVSiReD4AYj8HCKdcaMO5WsgB0zhpVu3HuSQSIQHC8CMe8haCywjYisbbWeDzT654tc674/MjScraOBgDB+MB0GA1UdDgQWBBQQa+M+3oTsdKTSB/Rt3Dk7/Vy0YzAfBgNVHSMEGDAWgBS/3o6OBiIiq61DyN3UT6irSEE+1TALBgNVHQ8EBAMCA+gwDAYDVR0TAQH/BAIwADAhBgNVHREEGjAYghBmb29iYXIuYmFyLmxvY2FshwTAqA6DMA0GCSqGSIb3DQEBCwUAA4ICAQCcevAczULbl5Le/xI1LSQ/PSsROjOZHUjlWf5bRs53aTM6wMqDBsFGdLzTN5vzWqVjie1Nzu8XGSEEuF0L/2bltGgYiYQqD4HKJedEEbYxQbg77o9JLp52MltvXGRH5gYGSGPZbuQ8QANvDn6FqBZjskOtED8SZGGt5spgxK7eguoJoQken68TgdZptL6l6eryTgouPbG0j5vTPPxuZpqxM9vQa4ADyqyvOKRMkZC98IbruChlCtFztILJPkvNx8Gbmlzv201uW9/9mNzcV8vVtlcB+Ftb/+sCfYuU/ShwUuOxOLE7+OKjLlalfniNwqx2l6f30nvvsa11vQc/Rwy1Z+vv96EzyF+GthMx2qLIG4eLLbISATwUfpR0UcLMtr83LRzB578rxrtwcgB5s+AWSDsYEKnzXabQdX1cEuiM3iEdlZ7McFzRvwElObhoDDOqOjGALWmdboox6dDskpQEhe6JALsj3mH07017h5T3W3PvqWD2IAsqH+WTuxCTmfjbqqoAz/Zt2ipIAFtSk79WvWwth/K+xtYhmuoe2+ygocqa9tF9AyoihImSEk1EjXvqKqRLPZwg41C3WKvLlg57fpRFZYR1W28ZqAqqVNf8MMHcsHdZ7koMBhIKKnSe/HdLWm7ghVjAEdYVYvOcOZHzxXBmnV/6ZLRQXu2XQnATJw=="""
         self.assertEqual(['DNS:foobar.bar.local', 'IP:192.168.14.131'], self.cert_san_get(self.logger, cert))
 
-    def test_049_helper_cert_serial_get(self):
-        """ test cert_serial for a multiple SAN of different types"""
+    def test_049_helper_cert_san_pyopenssl_get(self):
+        """ test cert_san_get for a single SAN """
+        cert = """MIIDDTCCAfWgAwIBAgIBCjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9mb28u
+                ZXhhbXBsZS5jb20wHhcNMTkwMTIwMTY1OTIwWhcNMTkwMjE5MTY1OTIwWjAaMRgw
+                FgYDVQQDEw9mb28uZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+                ggEKAoIBAQCqUeNzDyBVugUKZq597ishYAdMPgus5Nw5pWE/Jw7PP0koeFE2wODq
+                HVb+XNFFEX4IOyiE2Pi4ilzfXYGKchhP3wHgnkxGNIwt/cDNZgyTiUpITV/ciFaC
+                7avkvQS6ScCYUYrhby7QnvcU02mAyhNcSVGI5TW7HhFdtWrEAK3N8H6yhxHLSi2y
+                dpQ3kCJyJylqt/Rv3uKNjCvTv867K6A1QSsXoAxtPK9P0UOTRvgHkFf8T32Bn/Er
+                1bjkX9Ms8rqDQmicCWJk260lUHzN6vxaeiEg7Kz3TA8Ik3DMIcvwJrE168G1APo+
+                FyOIKyx+t78HWOlNINIqZMj5e2DpulV7AgMBAAGjXjBcMB8GA1UdIwQYMBaAFK1Z
+                zuGt0Pe+NLerCXqQBYmVV7suMB0GA1UdDgQWBBStWc7hrdD3vjS3qwl6kAWJlVe7
+                LjAaBgNVHREEEzARgg9mb28uZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEB
+                AANW0DD4Xp7LH/Rzf2jVLwiFlbtR6iazyn9S/pH2Gwqjkscv/27/dqJb7CfPdD02
+                5ItQcYkZPJhDOsj63kvUaD89QU31RnYQrXrbXFqYOIAq6kxfZUoQmpfEBxbB4Wxm
+                TW0OWS+FMqNw/SuGs6EQjTRA+gBOeGzj4H9yOFOg0PpadBayZ7UT4lm1LOiFHh8h
+                bta75ocePrurdNxsxKJhLlXbnKD6lurCb4khRhrmLmpK8JxhuaevEVklSQX0gqlR
+                fxAH4XQsaqcaedPNI+W5OUITMz40ezDCbUqxS9KEMCGPoOTXNRAjbr72sc4Vkw7H
+                t+eRUDECE+0UnjyeCjTn3EU="""
+        self.assertEqual(['DNS:foo.example.com'], self.cert_san_pyopenssl_get(self.logger, cert))
+
+    def test_050_cert_san_pyopenssl_get(self):
+        """ test cert_san_get for a multiple SAN of type DNS"""
         cert = """MIIDIzCCAgugAwIBAgICBZgwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAxMPZm9v
                 LmV4YW1wbGUuY29tMB4XDTE5MDEyMDE3MDkxMVoXDTE5MDIxOTE3MDkxMVowGjEY
                 MBYGA1UEAxMPZm9vLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
@@ -460,30 +512,45 @@ def test_049_helper_cert_serial_get(self):
                 TP6Gp79DzCiPKFt52Y8yVikIET4fnyRzU8kGKLuPoIt+EQQzpG26qWAjeNHAASEM
                 keiA+tedMWzydX52B+tGg+l2svxg34apIBDjK8pF+8ZxTt5yjVUa10GbpffJuiEh
                 NWQddOR8IHg+v6lWc9BtuuKK5ubsg6XOiEjhhr42AKViKalX1i4+"""
-        self.assertEqual(1432, self.cert_serial_get(self.logger, cert))
+        self.assertEqual(['DNS:foo-2.example.com', 'DNS:foo-1.example.com'], self.cert_san_pyopenssl_get(self.logger, cert))
 
-    def test_050_helper_cert_san_get(self):
-        """ test cert_san_get for a single SAN and recode = True"""
-        cert = """MIIDDTCCAfWgAwIBAgIBCjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9mb28u
-                ZXhhbXBsZS5jb20wHhcNMTkwMTIwMTY1OTIwWhcNMTkwMjE5MTY1OTIwWjAaMRgw
-                FgYDVQQDEw9mb28uZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-                ggEKAoIBAQCqUeNzDyBVugUKZq597ishYAdMPgus5Nw5pWE/Jw7PP0koeFE2wODq
-                HVb+XNFFEX4IOyiE2Pi4ilzfXYGKchhP3wHgnkxGNIwt/cDNZgyTiUpITV/ciFaC
-                7avkvQS6ScCYUYrhby7QnvcU02mAyhNcSVGI5TW7HhFdtWrEAK3N8H6yhxHLSi2y
-                dpQ3kCJyJylqt/Rv3uKNjCvTv867K6A1QSsXoAxtPK9P0UOTRvgHkFf8T32Bn/Er
-                1bjkX9Ms8rqDQmicCWJk260lUHzN6vxaeiEg7Kz3TA8Ik3DMIcvwJrE168G1APo+
-                FyOIKyx+t78HWOlNINIqZMj5e2DpulV7AgMBAAGjXjBcMB8GA1UdIwQYMBaAFK1Z
-                zuGt0Pe+NLerCXqQBYmVV7suMB0GA1UdDgQWBBStWc7hrdD3vjS3qwl6kAWJlVe7
-                LjAaBgNVHREEEzARgg9mb28uZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEB
-                AANW0DD4Xp7LH/Rzf2jVLwiFlbtR6iazyn9S/pH2Gwqjkscv/27/dqJb7CfPdD02
-                5ItQcYkZPJhDOsj63kvUaD89QU31RnYQrXrbXFqYOIAq6kxfZUoQmpfEBxbB4Wxm
-                TW0OWS+FMqNw/SuGs6EQjTRA+gBOeGzj4H9yOFOg0PpadBayZ7UT4lm1LOiFHh8h
-                bta75ocePrurdNxsxKJhLlXbnKD6lurCb4khRhrmLmpK8JxhuaevEVklSQX0gqlR
-                fxAH4XQsaqcaedPNI+W5OUITMz40ezDCbUqxS9KEMCGPoOTXNRAjbr72sc4Vkw7H
-                t+eRUDECE+0UnjyeCjTn3EU="""
-        self.assertEqual(['DNS:foo.example.com'], self.cert_san_get(self.logger, cert, recode=True))
+    def test_051_helper_cert_san_pyopenssl_get(self):
+        """ test cert_san_get for a multiple SAN of type DNS"""
+        cert = """MIIDaDCCAVCgAwIBAgIICwL0UBNcUakwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMzA3MTkxODU5NDRaFw0yNDA3MTgxODU5NDRaMBkxFzAVBgNVBAMTDjE5Mi4xNjguMTQuMTMxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN626lPpwBt4SEvdf5Tb0BpP1tl9KiFE/9xCIyYPsi9VXVDq/EcwO3CRp4fy+3bhZj6i43DdnluETcx8ZR2XyE6NuMGwwHQYDVR0OBBYEFBp+ZupvT2BB92sDkxy2GffHXDRLMB8GA1UdIwQYMBaAFL/ejo4GIiKrrUPI3dRPqKtIQT7VMAsGA1UdDwQEAwID6DAMBgNVHRMBAf8EAjAAMA8GA1UdEQQIMAaHBMCoDoMwDQYJKoZIhvcNAQELBQADggIBAFpq5RWGP4kDRnRjq8pte87bGS9LEmSlGOA8HlQZ+kjAoTunNN7/gvDch4F/CIl1N8cbQ/Ty1vx9CznTpQ39c2LNMILnjNHqQpYRIgLSBvCm26pAdlmicy6zdGlRKaePoMXINw4csDZ4REERg/c21ANhFclYyWWUM987bHZuBZJM8zBfR98ZnOzuQMRb5xztRlXSvddW4qEyKihl+5wPduaF8hDui4wbDFW6pUE9DWO/S1m37Tshh1O3NLlAlaMMwLsYaGkW7yzM4OrzmghJCRtdF9lbYYqHoKxLVWyCRF/pXqqQ/y+k4sN0MeZ7Wk4dI18aGHTGEzu6GSynNptyCQNsoTYexDA/rx57ukX7TqrU5JU/VyrKYD+M/rsLMj3vY4YmmH4W12IhAxa6+UmGG9ixHKpTgLVLRJDdzPMLY+IdI9WHdo7nHDOsaKvrFWqmvsCxT214jN0fVkOTMazG4ILg4DZhMWh8QxGULR7ul2oYnlyGUXiag7qLjNu1/RltJg9sp+ZxVC7RWaoCwxp6CIT95wrUAFTt9NBkccafsQKsF2ZtrUNZ8Z7B3y6hzr9d6rWlZCKlcr/ZNSOnrRTwuCz5HL3Gd2/DfyZUmy5U1+URbktMIdddlV5jaeSpwFZI8Xga4cYJAE7xjVq8HN3jbZ6m4PyylfaQfXisozKRECs4"""
+        self.assertEqual(['IP Address:192.168.14.131'], self.cert_san_pyopenssl_get(self.logger, cert))
+
+    def test_052_helper_cert_san_pyopenssl_get(self):
+        """ test cert_san_get for a multiple SAN of type DNS"""
+        cert = """MIIDezCCAWOgAwIBAgIIIAuZLppuFT4wDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMzA3MjAwNDIxMTlaFw0yNDA3MTkwNDIxMTlaMBkxFzAVBgNVBAMTDjE5Mi4xNjguMTQuMTMxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQTs6Bra1zfVSiReD4AYj8HCKdcaMO5WsgB0zhpVu3HuSQSIQHC8CMe8haCywjYisbbWeDzT654tc674/MjScraOBgDB+MB0GA1UdDgQWBBQQa+M+3oTsdKTSB/Rt3Dk7/Vy0YzAfBgNVHSMEGDAWgBS/3o6OBiIiq61DyN3UT6irSEE+1TALBgNVHQ8EBAMCA+gwDAYDVR0TAQH/BAIwADAhBgNVHREEGjAYghBmb29iYXIuYmFyLmxvY2FshwTAqA6DMA0GCSqGSIb3DQEBCwUAA4ICAQCcevAczULbl5Le/xI1LSQ/PSsROjOZHUjlWf5bRs53aTM6wMqDBsFGdLzTN5vzWqVjie1Nzu8XGSEEuF0L/2bltGgYiYQqD4HKJedEEbYxQbg77o9JLp52MltvXGRH5gYGSGPZbuQ8QANvDn6FqBZjskOtED8SZGGt5spgxK7eguoJoQken68TgdZptL6l6eryTgouPbG0j5vTPPxuZpqxM9vQa4ADyqyvOKRMkZC98IbruChlCtFztILJPkvNx8Gbmlzv201uW9/9mNzcV8vVtlcB+Ftb/+sCfYuU/ShwUuOxOLE7+OKjLlalfniNwqx2l6f30nvvsa11vQc/Rwy1Z+vv96EzyF+GthMx2qLIG4eLLbISATwUfpR0UcLMtr83LRzB578rxrtwcgB5s+AWSDsYEKnzXabQdX1cEuiM3iEdlZ7McFzRvwElObhoDDOqOjGALWmdboox6dDskpQEhe6JALsj3mH07017h5T3W3PvqWD2IAsqH+WTuxCTmfjbqqoAz/Zt2ipIAFtSk79WvWwth/K+xtYhmuoe2+ygocqa9tF9AyoihImSEk1EjXvqKqRLPZwg41C3WKvLlg57fpRFZYR1W28ZqAqqVNf8MMHcsHdZ7koMBhIKKnSe/HdLWm7ghVjAEdYVYvOcOZHzxXBmnV/6ZLRQXu2XQnATJw=="""
+        self.assertEqual(['DNS:foobar.bar.local', 'IP Address:192.168.14.131'], self.cert_san_pyopenssl_get(self.logger, cert))
 
-    def test_051_helper_cert_san_get(self):
+    def test_053_helper_cert_san_pyopenssl_get(self):
+        """ test cert_san_get for a single SAN """
+        cert = """
+-----BEGIN CERTIFICATE-----
+MIIDDTCCAfWgAwIBAgIBCjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9mb28u
+ZXhhbXBsZS5jb20wHhcNMTkwMTIwMTY1OTIwWhcNMTkwMjE5MTY1OTIwWjAaMRgw
+FgYDVQQDEw9mb28uZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCqUeNzDyBVugUKZq597ishYAdMPgus5Nw5pWE/Jw7PP0koeFE2wODq
+HVb+XNFFEX4IOyiE2Pi4ilzfXYGKchhP3wHgnkxGNIwt/cDNZgyTiUpITV/ciFaC
+7avkvQS6ScCYUYrhby7QnvcU02mAyhNcSVGI5TW7HhFdtWrEAK3N8H6yhxHLSi2y
+dpQ3kCJyJylqt/Rv3uKNjCvTv867K6A1QSsXoAxtPK9P0UOTRvgHkFf8T32Bn/Er
+1bjkX9Ms8rqDQmicCWJk260lUHzN6vxaeiEg7Kz3TA8Ik3DMIcvwJrE168G1APo+
+FyOIKyx+t78HWOlNINIqZMj5e2DpulV7AgMBAAGjXjBcMB8GA1UdIwQYMBaAFK1Z
+zuGt0Pe+NLerCXqQBYmVV7suMB0GA1UdDgQWBBStWc7hrdD3vjS3qwl6kAWJlVe7
+LjAaBgNVHREEEzARgg9mb28uZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEB
+AANW0DD4Xp7LH/Rzf2jVLwiFlbtR6iazyn9S/pH2Gwqjkscv/27/dqJb7CfPdD02
+5ItQcYkZPJhDOsj63kvUaD89QU31RnYQrXrbXFqYOIAq6kxfZUoQmpfEBxbB4Wxm
+TW0OWS+FMqNw/SuGs6EQjTRA+gBOeGzj4H9yOFOg0PpadBayZ7UT4lm1LOiFHh8h
+bta75ocePrurdNxsxKJhLlXbnKD6lurCb4khRhrmLmpK8JxhuaevEVklSQX0gqlR
+fxAH4XQsaqcaedPNI+W5OUITMz40ezDCbUqxS9KEMCGPoOTXNRAjbr72sc4Vkw7H
+t+eRUDECE+0UnjyeCjTn3EU=
+-----END CERTIFICATE-----
+                """
+        self.assertEqual(['DNS:foo.example.com'], self.cert_san_pyopenssl_get(self.logger, cert, recode=False))
+
+
+    def test_054_helper_cert_san_get(self):
         """ test cert_san_get for a single SAN and recode = False"""
         cert = """-----BEGIN X509 CERTIFICATE-----
 MIIE2zCCAsOgAwIBAgIPAXI102H4bCWEkhD2SaLsMA0GCSqGSIb3DQEBDQUAMDIx
@@ -517,7 +584,7 @@ def test_051_helper_cert_san_get(self):
         self.assertEqual(['DNS:foo1.bar.local'], self.cert_san_get(self.logger, cert, recode=False))
 
     @patch('acme_srv.helper.cert_load')
-    def test_052_helper_cert_san_get(self, mock_certload):
+    def test_055_helper_cert_san_get(self, mock_certload):
         """ test cert_san_get for a single SAN and recode = False"""
         cert = "cert"
         mock_certload.return_value = 'mock_csrload'
@@ -525,38 +592,38 @@ def test_052_helper_cert_san_get(self, mock_certload):
             self.assertFalse(self.cert_san_get(self.logger, cert, recode=False))
         self.assertIn("ERROR:test_a2c:cert_san_get(): Error: 'str' object has no attribute 'extensions'", lcm.output)
 
-    def test_053_helper_build_pem_file(self):
+    def test_056_helper_build_pem_file(self):
         """ test build_pem_file without exsting content """
         existing = None
         cert = 'cert'
         self.assertEqual('-----BEGIN CERTIFICATE-----\ncert\n-----END CERTIFICATE-----\n', self.build_pem_file(self.logger, existing, cert, True))
 
-    def test_054_helper_build_pem_file(self):
+    def test_057_helper_build_pem_file(self):
         """ test build_pem_file with exsting content """
         existing = 'existing'
         cert = 'cert'
         self.assertEqual('existing-----BEGIN CERTIFICATE-----\ncert\n-----END CERTIFICATE-----\n', self.build_pem_file(self.logger, existing, cert, True))
 
-    def test_055_helper_build_pem_file(self):
+    def test_058_helper_build_pem_file(self):
         """ test build_pem_file with long cert (to test wrap) """
         existing = None
         cert = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
         self.assertEqual('-----BEGIN CERTIFICATE-----\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaaa\n-----END CERTIFICATE-----\n', self.build_pem_file(self.logger, existing, cert, True))
 
-    def test_056_helper_build_pem_file(self):
+    def test_059_helper_build_pem_file(self):
         """ test build_pem_file with long cert (to test wrap) """
         existing = None
         cert = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
         self.assertEqual('-----BEGIN CERTIFICATE-----\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n-----END CERTIFICATE-----\n', self.build_pem_file(self.logger, existing, cert, False))
 
-    def test_057_helper_build_pem_file(self):
+    def test_060_helper_build_pem_file(self):
         """ test build_pem_file with long cert (to test wrap) """
         existing = 'existing'
         cert = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
         self.assertEqual('existing-----BEGIN CERTIFICATE-----\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n-----END CERTIFICATE-----\n', self.build_pem_file(self.logger, existing, cert, False))
 
 
-    def test_058_helper_build_pem_file(self):
+    def test_061_helper_build_pem_file(self):
         """ test build_pem_file for CSR """
         existing = None
         csr = 'MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvH7P73CwR7AF/WGeTfIDLlMWD6VZV3CTZBF0AwNMTFU/zbdAX8r63pzElX/5C5ZVsc36XHqdAJcioJlI33uE3RhOSvDyOcDgWlnPK9gj2soQ7enizGqd1u7hf6C3IwFtc4uGNOU3Z/tnTzVdYiCSKS+5lTZfMxn4FtEUN+w90NHBvC+AlTo3Gl0gqbYOZgg/UwWj60u7S2gBzSeb2/w62Z7bz+SknGZbeI4ySo30ET6oCSCAUN42jE+1dHI/Y+tGBtqP3h7W7OezKeLsJjD9r07U0+uMoVCY9oKTyT0gK8+gsde0tpt6QKa93HJGUPAP9ehrKCl335QcJESFw67/AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAf4cdGpYHLqX+06BFF7+NqXLmKvc7n66vAfevLN75eu/pCXhhRSdpXvcYm+mAVEXJCPaG2kFGt6wfBvVWoVX/91d+OuAtiUHmhY95Oi7g3RF3ThCrvT2mR4zsNiKgC34jXbl9489iIiFRBQXkq2fLwN5JwBYutUENwkDIeApRRbmUzTDbar1xoBAQ3GjVtOAEjHc/3S1yyKkCpM6Qkg8uWOJAXw9INJqH6x55nMZrvTUuXkURc/mvhV+bp2vdKoigGvfa3VVfoAI0BZLQMohQ9QLKoNQsKxEs3JidvpZrl3o23LMGEPoJs3zIuowTa217PHwdBw4UwtD7KxJK/+344A=='
@@ -579,59 +646,59 @@ def test_058_helper_build_pem_file(self):
 """
         self.assertEqual(result, self.build_pem_file(self.logger, existing, csr, False, True))
 
-    def test_059_helper_b64_decode(self):
+    def test_062_helper_b64_decode(self):
         """ test bas64 decoder for string value"""
         self.assertEqual('test', self.b64_decode(self.logger, 'dGVzdA=='))
 
-    def test_060_helper_b64_decode(self):
+    def test_063_helper_b64_decode(self):
         """ test bas64 decoder for byte value """
         self.assertEqual('test', self.b64_decode(self.logger, b'dGVzdA=='))
 
-    def test_061_helper_date_to_datestr(self):
+    def test_064_helper_date_to_datestr(self):
         """ convert dateobj to date-string with default format"""
         self.assertEqual('2019-10-27T00:00:00Z', self.date_to_datestr(datetime.date(2019, 10, 27)))
 
-    def test_062_helper_date_to_datestr(self):
+    def test_065_helper_date_to_datestr(self):
         """ convert dateobj to date-string with a predefined format"""
         self.assertEqual('2019.10.27', self.date_to_datestr(datetime.date(2019, 10, 27), '%Y.%m.%d'))
 
-    def test_063_helper_date_to_datestr(self):
+    def test_066_helper_date_to_datestr(self):
         """ convert dateobj to date-string for an knvalid date"""
         self.assertEqual(None, self.date_to_datestr('foo', '%Y.%m.%d'))
 
-    def test_064_helper_datestr_to_date(self):
+    def test_067_helper_datestr_to_date(self):
         """ convert datestr to date with default format"""
         self.assertEqual(datetime.datetime(2019, 11, 27, 0, 1, 2), self.datestr_to_date('2019-11-27T00:01:02'))
 
-    def test_065_helper_datestr_to_date(self):
+    def test_068_helper_datestr_to_date(self):
         """ convert datestr to date with predefined format"""
         self.assertEqual(datetime.datetime(2019, 11, 27, 0, 0, 0), self.datestr_to_date('2019.11.27', '%Y.%m.%d'))
 
-    def test_066_helper_datestr_to_date(self):
+    def test_069_helper_datestr_to_date(self):
         """ convert datestr to date with invalid format"""
         self.assertEqual(None, self.datestr_to_date('foo', '%Y.%m.%d'))
 
-    def test_067_helper_dkeys_lower(self):
+    def test_070_helper_dkeys_lower(self):
         """ dkeys_lower with a simple string """
         tree = 'fOo'
         self.assertEqual('fOo', self.dkeys_lower(tree))
 
-    def test_068_helper_dkeys_lower(self):
+    def test_071_helper_dkeys_lower(self):
         """ dkeys_lower with a simple list """
         tree = ['fOo', 'bAr']
         self.assertEqual(['fOo', 'bAr'], self.dkeys_lower(tree))
 
-    def test_069_helper_dkeys_lower(self):
+    def test_072_helper_dkeys_lower(self):
         """ dkeys_lower with a simple dictionary """
         tree = {'kEy': 'vAlUe'}
         self.assertEqual({'key': 'vAlUe'}, self.dkeys_lower(tree))
 
-    def test_070_helper_dkeys_lower(self):
+    def test_073_helper_dkeys_lower(self):
         """ dkeys_lower with a nested dictionary containg strings, list and dictionaries"""
         tree = {'kEy1': 'vAlUe2', 'keys2': ['lIsT2', {'kEyS3': 'vAlUe3', 'kEyS4': 'vAlUe3'}], 'keys4': {'kEyS4': 'vAluE5', 'kEyS5': 'vAlUE6'}}
         self.assertEqual({'key1': 'vAlUe2', 'keys2': ['lIsT2', {'keys3': 'vAlUe3', 'keys4': 'vAlUe3'}], 'keys4': {'keys5': 'vAlUE6', 'keys4': 'vAluE5'}}, self.dkeys_lower(tree))
 
-    def test_071_helper_cert_pubkey_get(self):
+    def test_074_helper_cert_pubkey_get(self):
         """ test get public_key from certificate """
         cert = """
 -----BEGIN X509 CERTIFICATE-----
@@ -675,7 +742,7 @@ def test_071_helper_cert_pubkey_get(self):
 """
         self.assertEqual(pub_key, self.cert_pubkey_get(self.logger, cert))
 
-    def test_072_helper_csr_pubkey_get(self):
+    def test_075_helper_csr_pubkey_get(self):
         """ test get public_key from certificate """
         csr = """MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvH7P73CwR7AF/WGeTfIDLlMWD6VZV3CTZBF0AwNMTFU/zbdAX8r63pzElX/5C5ZVsc36XHqdAJcioJlI33uE3RhOSvDyOcDgWlnPK9gj2soQ7enizGqd1u7hf6C3IwFtc4uGNOU3Z/tnTzVdYiCSKS+5lTZfMxn4FtEUN+w90NHBvC+AlTo3Gl0gqbYOZgg/UwWj60u7S2gBzSeb2/w62Z7bz+SknGZbeI4ySo30ET6oCSCAUN42jE+1dHI/Y+tGBtqP3h7W7OezKeLsJjD9r07U0+uMoVCY9oKTyT0gK8+gsde0tpt6QKa93HJGUPAP9ehrKCl335QcJESFw67/AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAf4cdGpYHLqX+06BFF7+NqXLmKvc7n66vAfevLN75eu/pCXhhRSdpXvcYm+mAVEXJCPaG2kFGt6wfBvVWoVX/91d+OuAtiUHmhY95Oi7g3RF3ThCrvT2mR4zsNiKgC34jXbl9489iIiFRBQXkq2fLwN5JwBYutUENwkDIeApRRbmUzTDbar1xoBAQ3GjVtOAEjHc/3S1yyKkCpM6Qkg8uWOJAXw9INJqH6x55nMZrvTUuXkURc/mvhV+bp2vdKoigGvfa3VVfoAI0BZLQMohQ9QLKoNQsKxEs3JidvpZrl3o23LMGEPoJs3zIuowTa217PHwdBw4UwtD7KxJK/+344A=="""
 
@@ -691,137 +758,171 @@ def test_072_helper_csr_pubkey_get(self):
 """
         self.assertEqual(pub_key, self.csr_pubkey_get(self.logger, csr))
 
-    def test_073_helper_convert_byte_to_string(self):
+    def test_076_helper_csr_pubkey_get(self):
+        """ test get public_key from certificate """
+        csr = """MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvH7P73CwR7AF/WGeTfIDLlMWD6VZV3CTZBF0AwNMTFU/zbdAX8r63pzElX/5C5ZVsc36XHqdAJcioJlI33uE3RhOSvDyOcDgWlnPK9gj2soQ7enizGqd1u7hf6C3IwFtc4uGNOU3Z/tnTzVdYiCSKS+5lTZfMxn4FtEUN+w90NHBvC+AlTo3Gl0gqbYOZgg/UwWj60u7S2gBzSeb2/w62Z7bz+SknGZbeI4ySo30ET6oCSCAUN42jE+1dHI/Y+tGBtqP3h7W7OezKeLsJjD9r07U0+uMoVCY9oKTyT0gK8+gsde0tpt6QKa93HJGUPAP9ehrKCl335QcJESFw67/AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAf4cdGpYHLqX+06BFF7+NqXLmKvc7n66vAfevLN75eu/pCXhhRSdpXvcYm+mAVEXJCPaG2kFGt6wfBvVWoVX/91d+OuAtiUHmhY95Oi7g3RF3ThCrvT2mR4zsNiKgC34jXbl9489iIiFRBQXkq2fLwN5JwBYutUENwkDIeApRRbmUzTDbar1xoBAQ3GjVtOAEjHc/3S1yyKkCpM6Qkg8uWOJAXw9INJqH6x55nMZrvTUuXkURc/mvhV+bp2vdKoigGvfa3VVfoAI0BZLQMohQ9QLKoNQsKxEs3JidvpZrl3o23LMGEPoJs3zIuowTa217PHwdBw4UwtD7KxJK/+344A=="""
+
+        pub_key = """-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbx+z+9wsEewBf1hnk3y
+Ay5TFg+lWVdwk2QRdAMDTExVP823QF/K+t6cxJV/+QuWVbHN+lx6nQCXIqCZSN97
+hN0YTkrw8jnA4FpZzyvYI9rKEO3p4sxqndbu4X+gtyMBbXOLhjTlN2f7Z081XWIg
+kikvuZU2XzMZ+BbRFDfsPdDRwbwvgJU6NxpdIKm2DmYIP1MFo+tLu0toAc0nm9v8
+Otme28/kpJxmW3iOMkqN9BE+qAkggFDeNoxPtXRyP2PrRgbaj94e1uznsyni7CYw
+/a9O1NPrjKFQmPaCk8k9ICvPoLHXtLabekCmvdxyRlDwD/Xoaygpd9+UHCREhcOu
+/wIDAQAB
+-----END PUBLIC KEY-----
+"""
+        self.assertEqual(pub_key, self.csr_pubkey_get(self.logger, csr, encoding='pem'))
+
+    def test_077_helper_csr_pubkey_get(self):
+        """ test get public_key from certificate """
+        csr = """MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvH7P73CwR7AF/WGeTfIDLlMWD6VZV3CTZBF0AwNMTFU/zbdAX8r63pzElX/5C5ZVsc36XHqdAJcioJlI33uE3RhOSvDyOcDgWlnPK9gj2soQ7enizGqd1u7hf6C3IwFtc4uGNOU3Z/tnTzVdYiCSKS+5lTZfMxn4FtEUN+w90NHBvC+AlTo3Gl0gqbYOZgg/UwWj60u7S2gBzSeb2/w62Z7bz+SknGZbeI4ySo30ET6oCSCAUN42jE+1dHI/Y+tGBtqP3h7W7OezKeLsJjD9r07U0+uMoVCY9oKTyT0gK8+gsde0tpt6QKa93HJGUPAP9ehrKCl335QcJESFw67/AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAf4cdGpYHLqX+06BFF7+NqXLmKvc7n66vAfevLN75eu/pCXhhRSdpXvcYm+mAVEXJCPaG2kFGt6wfBvVWoVX/91d+OuAtiUHmhY95Oi7g3RF3ThCrvT2mR4zsNiKgC34jXbl9489iIiFRBQXkq2fLwN5JwBYutUENwkDIeApRRbmUzTDbar1xoBAQ3GjVtOAEjHc/3S1yyKkCpM6Qkg8uWOJAXw9INJqH6x55nMZrvTUuXkURc/mvhV+bp2vdKoigGvfa3VVfoAI0BZLQMohQ9QLKoNQsKxEs3JidvpZrl3o23LMGEPoJs3zIuowTa217PHwdBw4UwtD7KxJK/+344A=="""
+        pub_key = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbx+z+9wsEewBf1hnk3yAy5TFg+lWVdwk2QRdAMDTExVP823QF/K+t6cxJV/+QuWVbHN+lx6nQCXIqCZSN97hN0YTkrw8jnA4FpZzyvYI9rKEO3p4sxqndbu4X+gtyMBbXOLhjTlN2f7Z081XWIgkikvuZU2XzMZ+BbRFDfsPdDRwbwvgJU6NxpdIKm2DmYIP1MFo+tLu0toAc0nm9v8Otme28/kpJxmW3iOMkqN9BE+qAkggFDeNoxPtXRyP2PrRgbaj94e1uznsyni7CYw/a9O1NPrjKFQmPaCk8k9ICvPoLHXtLabekCmvdxyRlDwD/Xoaygpd9+UHCREhcOu/wIDAQAB'
+        self.assertEqual(pub_key, self.csr_pubkey_get(self.logger, csr, encoding='base64der'))
+
+    def test_078_helper_csr_pubkey_get(self):
+        """ test get public_key from certificate """
+        csr = """MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvH7P73CwR7AF/WGeTfIDLlMWD6VZV3CTZBF0AwNMTFU/zbdAX8r63pzElX/5C5ZVsc36XHqdAJcioJlI33uE3RhOSvDyOcDgWlnPK9gj2soQ7enizGqd1u7hf6C3IwFtc4uGNOU3Z/tnTzVdYiCSKS+5lTZfMxn4FtEUN+w90NHBvC+AlTo3Gl0gqbYOZgg/UwWj60u7S2gBzSeb2/w62Z7bz+SknGZbeI4ySo30ET6oCSCAUN42jE+1dHI/Y+tGBtqP3h7W7OezKeLsJjD9r07U0+uMoVCY9oKTyT0gK8+gsde0tpt6QKa93HJGUPAP9ehrKCl335QcJESFw67/AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAf4cdGpYHLqX+06BFF7+NqXLmKvc7n66vAfevLN75eu/pCXhhRSdpXvcYm+mAVEXJCPaG2kFGt6wfBvVWoVX/91d+OuAtiUHmhY95Oi7g3RF3ThCrvT2mR4zsNiKgC34jXbl9489iIiFRBQXkq2fLwN5JwBYutUENwkDIeApRRbmUzTDbar1xoBAQ3GjVtOAEjHc/3S1yyKkCpM6Qkg8uWOJAXw9INJqH6x55nMZrvTUuXkURc/mvhV+bp2vdKoigGvfa3VVfoAI0BZLQMohQ9QLKoNQsKxEs3JidvpZrl3o23LMGEPoJs3zIuowTa217PHwdBw4UwtD7KxJK/+344A=="""
+        pub_key = b'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbx+z+9wsEewBf1hnk3yAy5TFg+lWVdwk2QRdAMDTExVP823QF/K+t6cxJV/+QuWVbHN+lx6nQCXIqCZSN97hN0YTkrw8jnA4FpZzyvYI9rKEO3p4sxqndbu4X+gtyMBbXOLhjTlN2f7Z081XWIgkikvuZU2XzMZ+BbRFDfsPdDRwbwvgJU6NxpdIKm2DmYIP1MFo+tLu0toAc0nm9v8Otme28/kpJxmW3iOMkqN9BE+qAkggFDeNoxPtXRyP2PrRgbaj94e1uznsyni7CYw/a9O1NPrjKFQmPaCk8k9ICvPoLHXtLabekCmvdxyRlDwD/Xoaygpd9+UHCREhcOu/wIDAQAB'
+        self.assertEqual(pub_key, base64.b64encode(self.csr_pubkey_get(self.logger, csr, encoding='der')))
+
+    def test_079_helper_csr_pubkey_get(self):
+        """ test get public_key from certificate """
+        csr = """MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvH7P73CwR7AF/WGeTfIDLlMWD6VZV3CTZBF0AwNMTFU/zbdAX8r63pzElX/5C5ZVsc36XHqdAJcioJlI33uE3RhOSvDyOcDgWlnPK9gj2soQ7enizGqd1u7hf6C3IwFtc4uGNOU3Z/tnTzVdYiCSKS+5lTZfMxn4FtEUN+w90NHBvC+AlTo3Gl0gqbYOZgg/UwWj60u7S2gBzSeb2/w62Z7bz+SknGZbeI4ySo30ET6oCSCAUN42jE+1dHI/Y+tGBtqP3h7W7OezKeLsJjD9r07U0+uMoVCY9oKTyT0gK8+gsde0tpt6QKa93HJGUPAP9ehrKCl335QcJESFw67/AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAf4cdGpYHLqX+06BFF7+NqXLmKvc7n66vAfevLN75eu/pCXhhRSdpXvcYm+mAVEXJCPaG2kFGt6wfBvVWoVX/91d+OuAtiUHmhY95Oi7g3RF3ThCrvT2mR4zsNiKgC34jXbl9489iIiFRBQXkq2fLwN5JwBYutUENwkDIeApRRbmUzTDbar1xoBAQ3GjVtOAEjHc/3S1yyKkCpM6Qkg8uWOJAXw9INJqH6x55nMZrvTUuXkURc/mvhV+bp2vdKoigGvfa3VVfoAI0BZLQMohQ9QLKoNQsKxEs3JidvpZrl3o23LMGEPoJs3zIuowTa217PHwdBw4UwtD7KxJK/+344A=="""
+        pub_key = b'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbx+z+9wsEewBf1hnk3yAy5TFg+lWVdwk2QRdAMDTExVP823QF/K+t6cxJV/+QuWVbHN+lx6nQCXIqCZSN97hN0YTkrw8jnA4FpZzyvYI9rKEO3p4sxqndbu4X+gtyMBbXOLhjTlN2f7Z081XWIgkikvuZU2XzMZ+BbRFDfsPdDRwbwvgJU6NxpdIKm2DmYIP1MFo+tLu0toAc0nm9v8Otme28/kpJxmW3iOMkqN9BE+qAkggFDeNoxPtXRyP2PrRgbaj94e1uznsyni7CYw/a9O1NPrjKFQmPaCk8k9ICvPoLHXtLabekCmvdxyRlDwD/Xoaygpd9+UHCREhcOu/wIDAQAB'
+        self.assertFalse(self.csr_pubkey_get(self.logger, csr, encoding='unk'))
+
+    def test_080_helper_convert_byte_to_string(self):
         """ convert byte2string for a string value """
         self.assertEqual('foo', self.convert_byte_to_string('foo'))
 
-    def test_074_helper_convert_byte_to_string(self):
+    def test_081_helper_convert_byte_to_string(self):
         """ convert byte2string for a string value """
         self.assertEqual('foo', self.convert_byte_to_string('foo'))
 
-    def test_075_helper_convert_byte_to_string(self):
+    def test_082_helper_convert_byte_to_string(self):
         """ convert byte2string for a string value """
         self.assertNotEqual('foo', self.convert_byte_to_string('foobar'))
 
-    def test_076_helper_convert_byte_to_string(self):
+    def test_083_helper_convert_byte_to_string(self):
         """ convert byte2string for a string value """
         self.assertNotEqual('foo', self.convert_byte_to_string(b'foobar'))
 
-    def test_077_helper_b64_url_encode(self):
+    def test_084_helper_b64_url_encode(self):
         """ test b64_url_encode of string """
         self.assertEqual(b'c3RyaW5n', self.b64_url_encode(self.logger, 'string'))
 
-    def test_078_helper_b64_url_encode(self):
+    def test_085_helper_b64_url_encode(self):
         """ test b64_url_encode of byte """
         self.assertEqual(b'Ynl0ZQ', self.b64_url_encode(self.logger, b'byte'))
 
-    def test_079_helper_csr_cn_get(self):
+    def test_086_helper_csr_cn_get(self):
         """ get cn of csr """
         csr = 'MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0lk4lyEIa0VL/u5ic01Zo/o+gyYqFpU7xe+nbFgiKA+R1rqrzP/sR6xjHqS0Rkv/BcBXf81sp/+iDmwIQLVlBTkKdimqVHCJMAbTL8ZNpcLDaRUce4liyX1cmczPTSqI/kcyEr8tKpYN+KzvKZZsNx2Pbgu7y7/70P2uSywiW+sqYZ+X28KGFxq6wwENzJtweDVsbWql9LLtw6daF41UQg10auNlRL1nhW0SlWZh1zPPW/0sa6C3xX28jjVh843b4ekkRNLXSEYQMTi0qYR2LomQ5aTlQ/hellf17UknfN2aA2RH5D7Ek+mndj/rH21bxQg26KRmHlaJld9K1IfvJAgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAl3egrkO3I94IpxxfSJmVetd7s9uW3lSBqh9OiypFevQO7ZgUxau+k05NKTUNpSq3W9H/lRr5AG5x3/VX8XZVbcLKXQ0d6e38uXBAUFQQJmjBVYqd8KcMfqLeFFUBsLcG04yek2tNIbhXZfBtw9UYO27Y5ktMgWjAz2VskIXl3E2L0b8tGnSKDoMB07IVpYB9bHfHX4o+ccIgq1HxyYT1d+eVIQuSHHxR7j7Wkgb8RG9bCWpVWaYWKWU0Inh3gMnP06kPBJ9nOB4adgC3Hz37ab/0KpmBuQBEgmMfINwV/OpJVv2Su1FYK+uX7E1qUGae6QDsfg0Yor9uP0Vkv4b1NA=='
         self.assertEqual('foo1.bar.local', self.csr_cn_get(self.logger, csr))
 
-    def test_080_helper_csr_cn_get(self):
+    def test_087_helper_csr_cn_get(self):
         """ get cn of csr """
         csr = b'MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0lk4lyEIa0VL/u5ic01Zo/o+gyYqFpU7xe+nbFgiKA+R1rqrzP/sR6xjHqS0Rkv/BcBXf81sp/+iDmwIQLVlBTkKdimqVHCJMAbTL8ZNpcLDaRUce4liyX1cmczPTSqI/kcyEr8tKpYN+KzvKZZsNx2Pbgu7y7/70P2uSywiW+sqYZ+X28KGFxq6wwENzJtweDVsbWql9LLtw6daF41UQg10auNlRL1nhW0SlWZh1zPPW/0sa6C3xX28jjVh843b4ekkRNLXSEYQMTi0qYR2LomQ5aTlQ/hellf17UknfN2aA2RH5D7Ek+mndj/rH21bxQg26KRmHlaJld9K1IfvJAgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAl3egrkO3I94IpxxfSJmVetd7s9uW3lSBqh9OiypFevQO7ZgUxau+k05NKTUNpSq3W9H/lRr5AG5x3/VX8XZVbcLKXQ0d6e38uXBAUFQQJmjBVYqd8KcMfqLeFFUBsLcG04yek2tNIbhXZfBtw9UYO27Y5ktMgWjAz2VskIXl3E2L0b8tGnSKDoMB07IVpYB9bHfHX4o+ccIgq1HxyYT1d+eVIQuSHHxR7j7Wkgb8RG9bCWpVWaYWKWU0Inh3gMnP06kPBJ9nOB4adgC3Hz37ab/0KpmBuQBEgmMfINwV/OpJVv2Su1FYK+uX7E1qUGae6QDsfg0Yor9uP0Vkv4b1NA=='
         self.assertEqual('foo1.bar.local', self.csr_cn_get(self.logger, csr))
 
-    def test_081_helper_convert_string_to_byte(self):
+    def test_088_helper_convert_string_to_byte(self):
         """ convert string value to byte """
         value = 'foo.bar'
         self.assertEqual(b'foo.bar', self.convert_string_to_byte(value))
 
-    def test_082_helper_convert_string_to_byte(self):
+    def test_089_helper_convert_string_to_byte(self):
         """ convert string value to byte """
         value = b'foo.bar'
         self.assertEqual(b'foo.bar', self.convert_string_to_byte(value))
 
-    def test_083_helper_convert_string_to_byte(self):
+    def test_090_helper_convert_string_to_byte(self):
         """ convert string value to byte """
         value = b''
         self.assertEqual(b'', self.convert_string_to_byte(value))
 
-    def test_084_helper_convert_string_to_byte(self):
+    def test_091_helper_convert_string_to_byte(self):
         """ convert string value to byte """
         value = ''
         self.assertEqual(b'', self.convert_string_to_byte(value))
 
-    def test_085_helper_convert_string_to_byte(self):
+    def test_092_helper_convert_string_to_byte(self):
         """ convert string value to byte """
         value = None
         self.assertFalse(self.convert_string_to_byte(value))
 
-    def test_086_helper_get_url(self):
+    def test_093_helper_get_url(self):
         """ get_url https """
         data_dic = {'HTTP_HOST': 'http_host', 'SERVER_PORT': '443', 'PATH_INFO': 'path_info'}
         self.assertEqual('https://http_host', self.get_url(data_dic, False))
 
-    def test_087_helper_get_url(self):
+    def test_094_helper_get_url(self):
         """ get_url http """
         data_dic = {'HTTP_HOST': 'http_host', 'SERVER_PORT': '80', 'PATH_INFO': 'path_info'}
         self.assertEqual('http://http_host', self.get_url(data_dic, False))
 
-    def test_088_helper_get_url(self):
+    def test_095_helper_get_url(self):
         """ get_url http wsgi.scheme """
         data_dic = {'HTTP_HOST': 'http_host', 'SERVER_PORT': '80', 'PATH_INFO': 'path_info', 'wsgi.url_scheme': 'wsgi.url_scheme'}
         self.assertEqual('wsgi.url_scheme://http_host', self.get_url(data_dic, False))
 
-    def test_089_helper_get_url(self):
+    def test_096_helper_get_url(self):
         """ get_url https include_path true bot no pathinfo"""
         data_dic = {'HTTP_HOST': 'http_host', 'SERVER_PORT': '443'}
         self.assertEqual('https://http_host', self.get_url(data_dic, True))
 
-    def test_090_helper_get_url(self):
+    def test_097_helper_get_url(self):
         """ get_url https and path info"""
         data_dic = {'HTTP_HOST': 'http_host', 'SERVER_PORT': '443', 'PATH_INFO': 'path_info'}
         self.assertEqual('https://http_hostpath_info', self.get_url(data_dic, True))
 
-    def test_091_helper_get_url(self):
+    def test_098_helper_get_url(self):
         """ get_url wsgi.url and pathinfo """
         data_dic = {'HTTP_HOST': 'http_host', 'SERVER_PORT': '80', 'PATH_INFO': 'path_info', 'wsgi.url_scheme': 'wsgi.url_scheme'}
         self.assertEqual('wsgi.url_scheme://http_hostpath_info', self.get_url(data_dic, True))
 
-    def test_092_helper_get_url(self):
+    def test_099_helper_get_url(self):
         """ get_url http and pathinfo"""
         data_dic = {'HTTP_HOST': 'http_host', 'SERVER_PORT': '80', 'PATH_INFO': 'path_info'}
         self.assertEqual('http://http_hostpath_info', self.get_url(data_dic, True))
 
-    def test_093_helper_get_url(self):
+    def test_100_helper_get_url(self):
         """ get_url without hostinfo """
         data_dic = {'SERVER_PORT': '80', 'PATH_INFO': 'path_info'}
         self.assertEqual('http://localhost', self.get_url(data_dic, False))
 
-    def test_094_helper_get_url(self):
+    def test_101_helper_get_url(self):
         """ get_url without SERVER_PORT """
         data_dic = {'HTTP_HOST': 'http_host'}
         self.assertEqual('http://http_host', self.get_url(data_dic, True))
 
     @patch('acme_srv.helper.requests.get')
-    def test_095_helper_url_get(self, mock_request):
+    def test_102_helper_url_get(self, mock_request):
         """ successful url get without dns servers """
         mock_request.return_value.text = 'foo'
         self.assertEqual('foo', self.url_get(self.logger, 'url'))
 
     @patch('acme_srv.helper.requests.get')
-    def test_096_helper_url_get(self, mock_request):
+    def test_103_helper_url_get(self, mock_request):
         """ successful url get without dns servers """
         mock_request.return_value.text = 'foo'
         self.assertEqual('foo', self.url_get(self.logger, 'url', 'dns', 'proxy'))
 
     @patch('acme_srv.helper.requests.get')
-    def test_097_helper_url_get(self, mock_request):
+    def test_104_helper_url_get(self, mock_request):
         """ unsuccessful url get without dns servers """
         # this is stupid but triggrs an expeption
         mock_request.return_value = {'foo': 'foo'}
         self.assertEqual(None, self.url_get(self.logger, 'url'))
 
     @patch('acme_srv.helper.url_get_with_own_dns')
-    def test_098_helper_url_get(self, mock_request):
+    def test_105_helper_url_get(self, mock_request):
         """ successful url get with dns servers """
         mock_request.return_value = 'foo'
         self.assertEqual('foo', self.url_get(self.logger, 'url', 'dns'))
 
     @patch('acme_srv.helper.requests.get', side_effect=Mock(side_effect=Exception('foo')))
-    def test_099_helper_url_get(self, mock_request):
+    def test_106_helper_url_get(self, mock_request):
         """ unsuccessful url_get """
         # mock_request.return_value.text = 'foo'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -829,7 +930,7 @@ def test_099_helper_url_get(self, mock_request):
         self.assertIn('ERROR:test_a2c:url_get error: foo', lcm.output)
 
     @patch('acme_srv.helper.requests.get')
-    def test_100_helper_url_get(self, mock_request):
+    def test_107_helper_url_get(self, mock_request):
         """ unsuccessful url_get fallback to v4"""
         object = Mock()
         object.text = 'foo'
@@ -837,79 +938,84 @@ def test_100_helper_url_get(self, mock_request):
         self.assertEqual('foo', self.url_get(self.logger, 'url'))
 
     @patch('acme_srv.helper.requests.get')
-    def test_101_helper_url_get_with_own_dns(self, mock_request):
+    def test_108_helper_url_get_with_own_dns(self, mock_request):
         """ successful url_get_with_own_dns get with dns servers """
         mock_request.return_value.text = 'foo'
         self.assertEqual('foo', self.url_get_with_own_dns(self.logger, 'url'))
 
     @patch('acme_srv.helper.requests.get')
-    def test_102_helper_url_get_with_own_dns(self, mock_request):
+    def test_109_helper_url_get_with_own_dns(self, mock_request):
         """ successful url_get_with_own_dns get with dns servers """
         mock_request.return_value = {'foo': 'foo'}
         self.assertEqual(None, self.url_get_with_own_dns(self.logger, 'url'))
 
     @patch('acme_srv.helper.load_config')
-    def test_103_helper_dns_server_list_load(self, mock_load_config):
+    def test_110_helper_dns_server_list_load(self, mock_load_config):
         """ successful dns_server_list_load with empty config file """
         mock_load_config.return_value = {}
         self.assertEqual(['9.9.9.9', '8.8.8.8'], self.dns_server_list_load())
 
     @patch('acme_srv.helper.load_config')
-    def test_104_helper_dns_server_list_load(self, mock_load_config):
+    def test_111_helper_dns_server_list_load(self, mock_load_config):
         """ successful dns_server_list_load with empty Challenge section """
         mock_load_config.return_value = {'Challenge': {}}
         self.assertEqual(['9.9.9.9', '8.8.8.8'], self.dns_server_list_load())
 
     @patch('acme_srv.helper.load_config')
-    def test_105_helper_dns_server_list_load(self, mock_load_config):
+    def test_112_helper_dns_server_list_load(self, mock_load_config):
         """ successful dns_server_list_load with wrong Challenge section """
         mock_load_config.return_value = {'Challenge': {'foo': 'bar'}}
         self.assertEqual(['9.9.9.9', '8.8.8.8'], self.dns_server_list_load())
 
     @patch('acme_srv.helper.load_config')
-    def test_106_helper_dns_server_list_load(self, mock_load_config):
+    def test_113_helper_dns_server_list_load(self, mock_load_config):
         """ successful dns_server_list_load with wrong json format """
         mock_load_config.return_value = {'Challenge': {'dns_server_list': 'bar'}}
         self.assertEqual(['9.9.9.9', '8.8.8.8'], self.dns_server_list_load())
 
     @patch('acme_srv.helper.load_config')
-    def test_107_helper_dns_server_list_load(self, mock_load_config):
+    def test_114_helper_dns_server_list_load(self, mock_load_config):
         """ successful dns_server_list_load with wrong json format """
         mock_load_config.return_value = {'Challenge': {'dns_server_list': '["foo", "bar"]'}}
         self.assertEqual(['foo', 'bar'], self.dns_server_list_load())
 
-    def test_108_helper_csr_san_get(self):
+    def test_115_helper_csr_san_get(self):
         """ get sans but no csr """
         csr = None
         self.assertEqual([], self.csr_san_get(self.logger, csr))
 
-    def test_109_helper_csr_san_get(self):
+    def test_116_helper_csr_san_get(self):
         """ get sans but one san with == """
         csr = 'MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMwfxxbCCTsZY8mTFZkoQ5cAJyQZLUiz34sDDRvEpI9ZzdNNm2AEZR7AgKNuBkLwzUzY5iQ182huNzYJYZZEvYX++ocF2ngapTMQgfB+bWS5bpWIdjnAcz1/86jmJgTciwL25dSnEWL17Yn3pAWweoewr730rq/PMyIbviQrasksnSo7abe2mctxkHjHb5sZ+Z1yRTN6ir/bObXmxr+vHeeD2vLRv4Hd5XaA1d+k31J2FVMnrn5OpWbxGHo49zd0xdy2mgTdZ9UraLaQnyGlkjYzV0rqHIAIm8HOUjGN5U75/rlOPF0x62FCICZU/z1AgRvugaA5eO8zTSQJiMiBe3AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEANAXOIkv0CovmdzyoAv1dsiK0TK2XHBdBTEPFDsrT7MnrIXOFS4FnDrg8zpn7QBzBRTl3HaKN8fnpIHkA/6ZRDqaEJq0AeskjxIg9LKDBBx5TEdgPh1CwruRWLlXtrqU7XXQmk0wLIo/kfaDRcTjyJ3yHTEK06mCAaws0sTKlTw2D4pIiDRp8zbLHeSEUX5UKOSGbLSSUY/F2XwgPB8nC2BCD/gkvHRR+dMQSdOCiS9GLwZdYAAyESw6WhmGPjmVbeTRgSt/9//yx3JKQgkFYmpSMLKR2G525M+l1qfku/4b0iMOa4vQjFRj5AXZH0SBpAKtvnFxUpP6P9mTE7+akOQ=='
         self.assertEqual(['DNS:foo1.bar.local'], self.csr_san_get(self.logger, csr))
 
-    def test_110_helper_csr_san_get(self):
+    def test_117_helper_csr_san_get(self):
         """ get sans but one san without == """
         csr = 'MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMwfxxbCCTsZY8mTFZkoQ5cAJyQZLUiz34sDDRvEpI9ZzdNNm2AEZR7AgKNuBkLwzUzY5iQ182huNzYJYZZEvYX++ocF2ngapTMQgfB+bWS5bpWIdjnAcz1/86jmJgTciwL25dSnEWL17Yn3pAWweoewr730rq/PMyIbviQrasksnSo7abe2mctxkHjHb5sZ+Z1yRTN6ir/bObXmxr+vHeeD2vLRv4Hd5XaA1d+k31J2FVMnrn5OpWbxGHo49zd0xdy2mgTdZ9UraLaQnyGlkjYzV0rqHIAIm8HOUjGN5U75/rlOPF0x62FCICZU/z1AgRvugaA5eO8zTSQJiMiBe3AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEANAXOIkv0CovmdzyoAv1dsiK0TK2XHBdBTEPFDsrT7MnrIXOFS4FnDrg8zpn7QBzBRTl3HaKN8fnpIHkA/6ZRDqaEJq0AeskjxIg9LKDBBx5TEdgPh1CwruRWLlXtrqU7XXQmk0wLIo/kfaDRcTjyJ3yHTEK06mCAaws0sTKlTw2D4pIiDRp8zbLHeSEUX5UKOSGbLSSUY/F2XwgPB8nC2BCD/gkvHRR+dMQSdOCiS9GLwZdYAAyESw6WhmGPjmVbeTRgSt/9//yx3JKQgkFYmpSMLKR2G525M+l1qfku/4b0iMOa4vQjFRj5AXZH0SBpAKtvnFxUpP6P9mTE7+akOQ'
         self.assertEqual(['DNS:foo1.bar.local'], self.csr_san_get(self.logger, csr))
 
-    def test_111_helper_csr_san_get(self):
+    def test_118_helper_csr_san_get(self):
         """ get sans but two sans """
         csr = 'MIICpzCCAY8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMwfxxbCCTsZY8mTFZkoQ5cAJyQZLUiz34sDDRvEpI9ZzdNNm2AEZR7AgKNuBkLwzUzY5iQ182huNzYJYZZEvYX++ocF2ngapTMQgfB+bWS5bpWIdjnAcz1/86jmJgTciwL25dSnEWL17Yn3pAWweoewr730rq/PMyIbviQrasksnSo7abe2mctxkHjHb5sZ+Z1yRTN6ir/bObXmxr+vHeeD2vLRv4Hd5XaA1d+k31J2FVMnrn5OpWbxGHo49zd0xdy2mgTdZ9UraLaQnyGlkjYzV0rqHIAIm8HOUjGN5U75/rlOPF0x62FCICZU/z1AgRvugaA5eO8zTSQJiMiBe3AgMBAAGgSTBHBgkqhkiG9w0BCQ4xOjA4MAsGA1UdDwQEAwIF4DApBgNVHREEIjAggg5mb28xLmJhci5sb2NhbIIOZm9vMi5iYXIubG9jYWwwDQYJKoZIhvcNAQELBQADggEBADeuf4J8Xziw2OuvLNnLOSgHQl2HdMFtRdgJoun7zPobsP3L3qyXLvvhJcQsIJggu5ZepnHGrCxroSbtRSO65GtLQA0Rq3DCGcPIC1fe9AYrqoynx8bWt2Hd+PyDrBppHVoQzj6yNCt6XNSDs04BMtjs9Pu4DD6DDHmxFMVNdHXea2Rms7C5nLQvXgw7yOF3Zk1vEu7Kue7d3zZMhN+HwwrNEA7RGAEzHHlCv5LL4Mw+kf6OJ8nf/WDiLDKEQIh6bnOuB42Y2wUMpzui8Uur0VJO+twY46MvjiVMMBZE3aPJU33eNPAQVC7GinStn+zQIJA5AADdcO8Lk1qdtaDiGp8'
         self.assertEqual(['DNS:foo1.bar.local', 'DNS:foo2.bar.local'], self.csr_san_get(self.logger, csr))
 
-    def test_112_helper_csr_san_get(self):
+    def test_119_helper_csr_san_get(self):
         """ get sans but three sans """
         csr = 'MIICtzCCAZ8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMwfxxbCCTsZY8mTFZkoQ5cAJyQZLUiz34sDDRvEpI9ZzdNNm2AEZR7AgKNuBkLwzUzY5iQ182huNzYJYZZEvYX++ocF2ngapTMQgfB+bWS5bpWIdjnAcz1/86jmJgTciwL25dSnEWL17Yn3pAWweoewr730rq/PMyIbviQrasksnSo7abe2mctxkHjHb5sZ+Z1yRTN6ir/bObXmxr+vHeeD2vLRv4Hd5XaA1d+k31J2FVMnrn5OpWbxGHo49zd0xdy2mgTdZ9UraLaQnyGlkjYzV0rqHIAIm8HOUjGN5U75/rlOPF0x62FCICZU/z1AgRvugaA5eO8zTSQJiMiBe3AgMBAAGgWTBXBgkqhkiG9w0BCQ4xSjBIMAsGA1UdDwQEAwIF4DA5BgNVHREEMjAwgg5mb28xLmJhci5sb2NhbIIOZm9vMi5iYXIubG9jYWyCDmZvbzMuYmFyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQAQRkub6G4uijaXOYpCkoz40I+SVRsbRDgnMNjsooZz1+7DVglFjrr6Pb0PPTOvOxtmbHP2KK0WokDn4LqOD2t0heuI+KPQy7m/ROpOB/YZOzTWEB8yS4vjkf/RFiJ7fnCAc8vA+3K/mBVb+89F8w/KlyPmpg1GK7UNgjEa5bnznTox8q12CocCJVykPEiC8AT/VPWUOPfg6gs+V6LO8R73VRPMVy0ttYKGX80ob+KczDTMUhoxXg8OG+G+bXXU+4Tu4l+nQWf2lFejECi/vNKzUT90IbcGJwyk7rc4Q7BJ/t/5nMo+vuV9f+2HI7qakHcw6u9RGylL4OYDf1CrqF1R'
         self.assertEqual(['DNS:foo1.bar.local', 'DNS:foo2.bar.local', 'DNS:foo3.bar.local'], self.csr_san_get(self.logger, csr))
 
-    def test_113_helper_csr_san_get(self):
+    def test_120_helper_csr_san_get(self):
         """ get sans but three sans """
         csr = 'MIIBFjCBvQIBADAYMRYwFAYDVQQDEw1mb28uYmFyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETOQukalTTCD8y7zoAsmxeAWlbi9oZtzh7XQc7A7KF4fZLP3pYjoZG6s+sXCp7bUpKhuIejrDRp1cFE5NlEK8jaBDMEEGCSqGSIb3DQEJDjE0MDIwMAYDVR0RBCkwJ4INZm9vLmJhci5sb2NhbIcEwKgOg4cQ/oAAAAAAAAACFV3//sABAjAKBggqhkjOPQQDAgNIADBFAiBKUb5r/8aSN4/utaDoi0vIcaASVZz8p1nSJ1YWSCkIpAIhAI20iVBu5j0tBmTc3uRzKIYTqsnXpH0UV8bcONy4m1Sa'
         self.assertEqual(['DNS:foo.bar.local', 'IP:192.168.14.131', 'IP:fe80::215:5dff:fec0:102'], self.csr_san_get(self.logger, csr))
 
+    def test_121_helper_csr_san_byte_get(self):
+        """ get sans but two sans """
+        csr = 'MIICpzCCAY8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMwfxxbCCTsZY8mTFZkoQ5cAJyQZLUiz34sDDRvEpI9ZzdNNm2AEZR7AgKNuBkLwzUzY5iQ182huNzYJYZZEvYX++ocF2ngapTMQgfB+bWS5bpWIdjnAcz1/86jmJgTciwL25dSnEWL17Yn3pAWweoewr730rq/PMyIbviQrasksnSo7abe2mctxkHjHb5sZ+Z1yRTN6ir/bObXmxr+vHeeD2vLRv4Hd5XaA1d+k31J2FVMnrn5OpWbxGHo49zd0xdy2mgTdZ9UraLaQnyGlkjYzV0rqHIAIm8HOUjGN5U75/rlOPF0x62FCICZU/z1AgRvugaA5eO8zTSQJiMiBe3AgMBAAGgSTBHBgkqhkiG9w0BCQ4xOjA4MAsGA1UdDwQEAwIF4DApBgNVHREEIjAggg5mb28xLmJhci5sb2NhbIIOZm9vMi5iYXIubG9jYWwwDQYJKoZIhvcNAQELBQADggEBADeuf4J8Xziw2OuvLNnLOSgHQl2HdMFtRdgJoun7zPobsP3L3qyXLvvhJcQsIJggu5ZepnHGrCxroSbtRSO65GtLQA0Rq3DCGcPIC1fe9AYrqoynx8bWt2Hd+PyDrBppHVoQzj6yNCt6XNSDs04BMtjs9Pu4DD6DDHmxFMVNdHXea2Rms7C5nLQvXgw7yOF3Zk1vEu7Kue7d3zZMhN+HwwrNEA7RGAEzHHlCv5LL4Mw+kf6OJ8nf/WDiLDKEQIh6bnOuB42Y2wUMpzui8Uur0VJO+twY46MvjiVMMBZE3aPJU33eNPAQVC7GinStn+zQIJA5AADdcO8Lk1qdtaDiGp8'
+        self.assertEqual('MCCCDmZvbzEuYmFyLmxvY2Fsgg5mb28yLmJhci5sb2NhbA==', self.csr_san_byte_get(self.logger, csr))
+
     @patch('acme_srv.helper.csr_load')
-    def test_114_helper_csr_san_get(self, mock_csrload):
+    def test_122_helper_csr_san_get(self, mock_csrload):
         """ get sans but three sans """
         csr = 'csr'
         mock_csrload.return_value = 'mock_csrload'
@@ -917,140 +1023,140 @@ def test_114_helper_csr_san_get(self, mock_csrload):
             self.assertEqual([], self.csr_san_get(self.logger, csr))
         self.assertIn("ERROR:test_a2c:csr_san_get(): Error: 'str' object has no attribute 'extensions'", lcm.output)
 
-    def test_114_helper_csr_extensions_get(self):
+    def test_123_helper_csr_extensions_get(self):
         """ get sns in hex """
         csr = 'MIIClzCCAX8CAQAwGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMwfxxbCCTsZY8mTFZkoQ5cAJyQZLUiz34sDDRvEpI9ZzdNNm2AEZR7AgKNuBkLwzUzY5iQ182huNzYJYZZEvYX++ocF2ngapTMQgfB+bWS5bpWIdjnAcz1/86jmJgTciwL25dSnEWL17Yn3pAWweoewr730rq/PMyIbviQrasksnSo7abe2mctxkHjHb5sZ+Z1yRTN6ir/bObXmxr+vHeeD2vLRv4Hd5XaA1d+k31J2FVMnrn5OpWbxGHo49zd0xdy2mgTdZ9UraLaQnyGlkjYzV0rqHIAIm8HOUjGN5U75/rlOPF0x62FCICZU/z1AgRvugaA5eO8zTSQJiMiBe3AgMBAAGgOTA3BgkqhkiG9w0BCQ4xKjAoMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEANAXOIkv0CovmdzyoAv1dsiK0TK2XHBdBTEPFDsrT7MnrIXOFS4FnDrg8zpn7QBzBRTl3HaKN8fnpIHkA/6ZRDqaEJq0AeskjxIg9LKDBBx5TEdgPh1CwruRWLlXtrqU7XXQmk0wLIo/kfaDRcTjyJ3yHTEK06mCAaws0sTKlTw2D4pIiDRp8zbLHeSEUX5UKOSGbLSSUY/F2XwgPB8nC2BCD/gkvHRR+dMQSdOCiS9GLwZdYAAyESw6WhmGPjmVbeTRgSt/9//yx3JKQgkFYmpSMLKR2G525M+l1qfku/4b0iMOa4vQjFRj5AXZH0SBpAKtvnFxUpP6P9mTE7+akOQ'
         self.assertEqual(['AwIF4A==', 'MBCCDmZvbzEuYmFyLmxvY2Fs'], self.csr_extensions_get(self.logger, csr))
 
-    def test_115_helper_csr_extensions_get(self):
+    def test_124_helper_csr_extensions_get(self):
         """ get tnauth identifier """
         csr = 'MIICuzCCAaMCAQAwHjEcMBoGA1UEAwwTY2VydC5zdGlyLmJhci5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALsLm4zgkl2lEx2EHy1ENfh3cYB79Xb5sD3ehkY+1pXphIWoM9KYVqHKOurModjsh75YjRBSilRfTFSk6kCUahTJyeCbM6Vzl75CcZy7poUxiK+u80JMU/xymUsrqY4GZlh2/XtFMxXHUSf3bhKZAIjBNugsvR/sHtEvJ6RJiuYqHMWUzZ/Vby5L0ywNl+LPSY7AVTUAZ0lKrnUCP4dHnbjwjf+nPi7vT6G0yrEg0qPOYXtJOXdf7vvjLi8J+ap758NtG2qapLdbToIPr0uOEvMO6zs8z1bIyjOHU3kzlpKHzDsPYy8txxKC/3Rae7sKB9gWm8WUxFBmuA7gaFDGQAECAwEAAaBYMFYGCSqGSIb3DQEJDjFJMEcwCwYDVR0PBAQDAgXgMB4GA1UdEQQXMBWCE2NlcnQuc3Rpci5iYXIubG9jYWwwGAYIKwYBBQUHARoEDDAKoAgWBjEyMzQ1NjANBgkqhkiG9w0BAQsFAAOCAQEAjyhJfgb/zJBMYp6ylRtEXgtBpsX9ePUL/iLgIDMcGtwaFm3pkQOSBr4xiTxftnqN77SlC8UEu7PDR73JX6iqLNJWucPlhAXVrr367ygO8GGLrtGddClZmo0lhRBRErgpagWB/jFkbL8afPGJwgQQXF0KWFMcajAPiIl1l6M0w11KqJ23Pwrmi7VJHzIgh4ys0D2UrX7KuV4PIOOmG0s7jTfBSB+yUH2zwVzOAzbr3wrD1WubD7hRaHDUi4bn4DRbquQOzbqfTI6QhetUcNpq4DwhBRcnZwUMJUIcxLAsFnDgGSW+dmJe6JH8MsS+8ZmOLllyQxWzYEVquQQvxFVTZA'
         self.assertEqual(['AwIF4A==', 'MBWCE2NlcnQuc3Rpci5iYXIubG9jYWw=', 'MAqgCBYGMTIzNDU2'], self.csr_extensions_get(self.logger, csr))
 
-    def test_116_helper_validate_email(self):
+    def test_125_helper_validate_email(self):
         """ validate email containing "-" in domain """
         self.assertTrue(self.validate_email(self.logger, 'foo@example-example.com'))
 
-    def test_117_helper_validate_email(self):
+    def test_126_helper_validate_email(self):
         """ validate email containing "-" in user"""
         self.assertTrue(self.validate_email(self.logger, 'foo-foo@example.com'))
 
-    def test_118_helper_get_url(self):
+    def test_127_helper_get_url(self):
         """ get_url with xforwarded https """
         data_dic = {'HTTP_X_FORWARDED_PROTO': 'https', 'HTTP_HOST': 'http_host', 'SERVER_PORT': '443', 'PATH_INFO': 'path_info'}
         self.assertEqual('https://http_host', self.get_url(data_dic, False))
 
-    def test_119_helper_get_url(self):
+    def test_128_helper_get_url(self):
         """ get_url with xforwarded http """
         data_dic = {'HTTP_X_FORWARDED_PROTO': 'http', 'HTTP_HOST': 'http_host', 'SERVER_PORT': '443', 'PATH_INFO': 'path_info'}
         self.assertEqual('http://http_host', self.get_url(data_dic, False))
 
-    def test_120_helper_validate_email(self):
+    def test_129_helper_validate_email(self):
         """ validate email containing first letter of domain cannot be a number"""
         self.assertFalse(self.validate_email(self.logger, 'foo@1example.com'))
 
-    def test_121_helper_validate_email(self):
+    def test_130_helper_validate_email(self):
         """ validate email containing last letter of domain cannot - """
         self.assertFalse(self.validate_email(self.logger, 'foo@example-.com'))
 
-    def test_122_helper_cert_dates_get(self):
+    def test_131_helper_cert_dates_get(self):
         """ get issuing and expiration date from rsa certificate """
         cert = 'MIIElTCCAn2gAwIBAgIRAKD_ulfqPUn-ggOUHOxjp40wDQYJKoZIhvcNAQELBQAwSDELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEXMBUGA1UECgwOQWNtZTJDZXJ0aWZpZXIxDzANBgNVBAMMBnN1Yi1jYTAeFw0yMDA1MjcxMjMwMjNaFw0yMDA2MjYxMjMwMjNaMBkxFzAVBgNVBAMMDmZvbzEuYmFyLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbx-z-9wsEewBf1hnk3yAy5TFg-lWVdwk2QRdAMDTExVP823QF_K-t6cxJV_-QuWVbHN-lx6nQCXIqCZSN97hN0YTkrw8jnA4FpZzyvYI9rKEO3p4sxqndbu4X-gtyMBbXOLhjTlN2f7Z081XWIgkikvuZU2XzMZ-BbRFDfsPdDRwbwvgJU6NxpdIKm2DmYIP1MFo-tLu0toAc0nm9v8Otme28_kpJxmW3iOMkqN9BE-qAkggFDeNoxPtXRyP2PrRgbaj94e1uznsyni7CYw_a9O1NPrjKFQmPaCk8k9ICvPoLHXtLabekCmvdxyRlDwD_Xoaygpd9-UHCREhcOu_wIDAQABo4GoMIGlMAsGA1UdDwQEAwIF4DAZBgNVHREEEjAQgg5mb28xLmJhci5sb2NhbDAdBgNVHQ4EFgQUqy5KOBlkyX29l4EHTCSzhZuDg-EwDgYDVR0PAQH_BAQDAgWgMB8GA1UdIwQYMBaAFBs0P896R0FUZHfnxMJL52ftKQOkMAwGA1UdEwEB_wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQB7pQpILzxqcU2RKlr17rcne6NSJTUJnNXALeUFy5PrnjjJY1_B1cKaWluk3p7AMFvUjBpcucGCfEDudW290AQxYjrvl8_ePkzRzEkAo76L7ZqED5upYBZVn_3lA5Alr8L67UC0bDMhKTsy8WJzhWHQlMb37_YFUvtNPoI_MI09Q842VXeNQz5UDZmW9qhyeDIkf6fwOAO66VnGTLuUm2LGQZ-St2GauxR0ZUcRtMJoc-c7WOdHs8DlUCoFtglrzVH98501Sx749CG4nkJr4QNDpkw2hAhlo4Cxzp6PlljPNSgM9MsqqVdrgqDteDM_n-yrVFGezCik4QexDkWARPutRLQtpbhudExVnoFM68ihZ0y3oeDjgUBLybBQpcBAsBqiJ66Q8HTZRSqO9zlKW5Vm1KwAVDh_qgELxvqd0wIVkyxBKPta2l1fvb5YBiVqo4JyNcCTnoBS1emO4vk8XjroKijwLnU0cEXwHrY4JF1uU_kOtoZMGPul5EuBMcODLs7JJ3_IqJd8quI7Vf5zSsaB6nSzQ8XmiQiVogKflBeLl7AWmYCiL-FLP_q4dSJmvdr6fPMNy4-cfDO4Awc8RNfv-VjF5Mq57X1IXJrWKkat4lCEoPMq5WRJV8uVm6XNdwvUJxgCYR9mfol7T6imODDd7BNV4dKYvyteoS0auC0iww'
         self.assertEqual((1590582623, 1593174623), self.cert_dates_get(self.logger, cert))
 
-    def test_123_helper_cert_dates_get(self):
+    def test_132_helper_cert_dates_get(self):
         """ get issuing and expiration date no certificate """
         cert = None
         self.assertEqual((0, 0), self.cert_dates_get(self.logger, cert))
 
-    def test_124_helper_cert_dates_get(self):
+    def test_133_helper_cert_dates_get(self):
         """ get issuing and expiration date damaged certificate """
         cert = 'foo'
         self.assertEqual((0, 0), self.cert_dates_get(self.logger, cert))
 
-    def test_125_helper_cert_dates_get(self):
+    def test_134_helper_cert_dates_get(self):
         """ get issuing and expiration date ecc certificate """
         cert = 'MIIDozCCAYugAwIBAgIIMMxkE7mRR+YwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMDA3MTEwNDUzMTFaFw0yMTA3MTEwNDUzMTFaMBkxFzAVBgNVBAMMDmZvbzEuYmFyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAER/KMoV5+zQgegqYue2ztPK2nZVpK2vxb02UzwyHw4ebhJ2gBobI23lSBRa1so1ug0kej7U+ohm5aGFdNxLM0G6OBqDCBpTALBgNVHQ8EBAMCBeAwGQYDVR0RBBIwEIIOZm9vMS5iYXIubG9jYWwwHQYDVR0OBBYEFCSaU743wU8jMETIO381r13tVLdMMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBS/3o6OBiIiq61DyN3UT6irSEE+1TAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAmmhHuBhXNM2Azv53rCKY72yTQIoDVHjYrAvTmS6NsJzYflEOMkI7FCes64dWp54BerSD736Yax67b4XmLXc/+T41d7QAcnhY5xvLJiMpSsW37icHcLZpjlOrYDoRmny2U7n6t1aQ03nwgV+BgdaUQYLkUZuczs4kdqH1c9Ot9CCRTHpqSWlmWzGeRgt2uT4gKhFESP9lzx37YwKBHulBGthv1kcAaz8w8iPXBg01OEDiraXCBZFoYDEpDi2w2Y6ChCr7sNsY7aJ3a+2iHGYlktXEntk78S+g00HW61G9oLoRgeqEH3L6qVIpnswPAU/joub0YhNBIUFenCj8c3HMBgMcczzdZL+qStdymhpVkZetzXtMTKtgmxhkRzAOQUBBcHFc+wM97FqC0S4HJAuoHQ4EJ46MxwZH0jBVqcqCPMSaJ88uV902+VGGXrnxMR8RbGWLoCmsYb1ISmBUt+31PjMCYbXKwLmzvbRpO7XAQimvtOqoufl5yeRUJRLcUS6Let0QzU196/nZ789d7Etep7RjDYQm7/QhiWH197yKZ5/mUxqfyHDQ3hk5iX7S/gbo1jQXElEv5tB8Ozs+zVQmB2bXpN8c+8XUaZnwvYC2y+0LAQN4z7xilReCaasxQSsEOLCrlsannkGV704HYnnaKBS2tI948QotHnADHdfHl3o'
         self.assertEqual((1594443191, 1625979191), self.cert_dates_get(self.logger, cert))
 
     @patch('dns.resolver.Resolver')
-    def test_126_helper_fqdn_resolve(self, mock_resolve):
+    def test_135_helper_fqdn_resolve(self, mock_resolve):
         """ successful dns-query returning covering github """
         mock_resolve.return_value.query.return_value = ['foo']
         self.assertEqual((None, False), self.fqdn_resolve('foo', dnssrv='10.0.0.1'))
 
     @patch('dns.resolver.Resolver')
-    def test_127_helper_fqdn_resolve(self, mock_resolve):
+    def test_136_helper_fqdn_resolve(self, mock_resolve):
         """ successful dns-query returning covering github """
         mock_resolve.return_value.resolve.return_value = ['foo']
         self.assertEqual(('foo', False), self.fqdn_resolve('foo.bar.local', dnssrv='10.0.0.1'))
 
 
     @patch('dns.resolver.Resolver')
-    def test_128_helper_fqdn_resolve(self, mock_resolve):
+    def test_137_helper_fqdn_resolve(self, mock_resolve):
         """ successful dns-query returning covering github """
         mock_resolve.return_value.resolve.return_value = ['foo']
         self.assertEqual((None, False), self.fqdn_resolve('foo'))
 
     @patch('dns.resolver.Resolver')
-    def test_129_helper_fqdn_resolve(self, mock_resolve):
+    def test_138_helper_fqdn_resolve(self, mock_resolve):
         """ successful dns-query returning one value """
         mock_resolve.return_value.resolve.return_value = ['foo']
         self.assertEqual(('foo', False), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver')
-    def test_130_helper_fqdn_resolve(self, mock_resolve):
+    def test_139_helper_fqdn_resolve(self, mock_resolve):
         """ successful dns-query returning two values """
         mock_resolve.return_value.resolve.return_value = ['bar', 'foo']
         self.assertEqual(('bar', False), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=Mock(side_effect=dns.resolver.NXDOMAIN))
-    def test_131_helper_fqdn_resolve(self, mock_resolve):
+    def test_140_helper_fqdn_resolve(self, mock_resolve):
         """ catch NXDOMAIN """
         self.assertEqual((None, True), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=Mock(side_effect=dns.resolver.NoAnswer))
-    def test_132_helper_fqdn_resolve(self, mock_resolve):
+    def test_141_helper_fqdn_resolve(self, mock_resolve):
         """ catch NoAnswer """
         self.assertEqual((None, True), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=Mock(side_effect=dns.resolver.NoNameservers))
-    def test_133_helper_fqdn_resolve(self, mock_resolve):
+    def test_142_helper_fqdn_resolve(self, mock_resolve):
         """ catch other dns related execption """
         self.assertEqual((None, False), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=Mock(side_effect=Exception('foo')))
-    def test_134_helper_fqdn_resolve(self, mock_resolve):
+    def test_143_helper_fqdn_resolve(self, mock_resolve):
         """ catch other execption """
         self.assertEqual((None, False), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=[Mock(side_effect=dns.resolver.NXDOMAIN), ['foo']])
-    def test_135_helper_fqdn_resolve(self, mock_resolve):
+    def test_144_helper_fqdn_resolve(self, mock_resolve):
         """ catch NXDOMAIN on v4 and fine in v6 """
         self.assertEqual(('foo', False), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=[Mock(side_effect=dns.resolver.NoAnswer), ['foo']])
-    def test_136_helper_fqdn_resolve(self, mock_resolve):
+    def test_145_helper_fqdn_resolve(self, mock_resolve):
         """ catch NoAnswer on v4 and fine in v6 """
         self.assertEqual(('foo', False), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=[Mock(side_effect=dns.resolver.NoNameservers), ['foo']])
-    def test_137_helper_fqdn_resolve(self, mock_resolve):
+    def test_146_helper_fqdn_resolve(self, mock_resolve):
         """ catch other dns related execption on v4 and fine in v6 """
         self.assertEqual(('foo', False), self.fqdn_resolve('foo.bar.local'))
 
     @patch('dns.resolver.Resolver.resolve', side_effect=[Mock(side_effect=Exception('foo')), ['foo']])
-    def test_138_helper_fqdn_resolve(self, mock_resolve):
+    def test_147_helper_fqdn_resolve(self, mock_resolve):
         """ catch other execption when resolving v4 but fine in v6"""
         self.assertEqual(('foo', False), self.fqdn_resolve('foo.bar.local'))
 
-    def test_139_helper_signature_check(self):
+    def test_148_helper_signature_check(self):
         """ sucessful validation symmetric key"""
         mkey = '{"k": "ZndUSkZvVldvMEFiRzQ5VWNCdERtNkNBNnBTcTl4czNKVEVxdUZiaEdpZXZNUVJBVmRuSFREcDJYX2s3X0NxTA", "kty": "oct"}'
         message = '{"payload": "eyJlIjogIkFRQUIiLCAia3R5IjogIlJTQSIsICJuIjogIm5kN3ZWUTNraW4zS3BKdTd6RUZNTlVPb0ZIQmVDUWRFRTUyOF9iOHo2djNDNnYtQS0zeUdBcTFWTjZmRTluUXdYSmNlZ2ZNdm1MczlCVVllVjZ2M1FzdGhkVFRCdW5FS1l0TVVZUVRmNkpwaHNEb1pHTkt1dnpCY2ZxSlN2TXpCNHdwa3hORm1Pa2M1QVhwRzhnQWJiTTRuS3JDQkdCQ21lZ2RJUEc3U0g3Mk9tejN6YjIwemZfZlo4dHVoUzk1eUJKdndKRjhZRGtCdDViWUV5ZnQ4aVoyWVFGVmRZZW5FMDhKOGRBUGNVQy1HYld6NmJXUm9Xc0xOT21VNkVjSndsSV9tRXRqazA5aTNlVEhOa2Vna3NrZUJOeXhlSkdtaVRtMHRtS1MwOEVvY0VQTDA1UktxSm9XNnhVcHNITDcwSzdzUVRaUDBHSUY1VXBwSkZXMnlVdyJ9", "protected": "eyJ1cmwiOiAiaHR0cDovL2FjbWUtc3J2LmJhci5sb2NhbC9hY21lL25ld2FjY291bnQiLCAiYWxnIjogIkhTMjU2IiwgImtpZCI6ICJiYXIifQ", "signature": "VXYLfPuoClsn_rhPPV8qjspZV1Q7HyX8rXv6odWYnLI"}'
         self.assertEqual((True, None), self.signature_check(self.logger, message, mkey, json_=True))
 
-    def test_140_helper_signature_check(self):
+    def test_149_helper_signature_check(self):
         """ sucessful validation wrong symmetric key"""
         mkey = '{"k": "ZndUSkZvVldvMEFiRzQ5VWNCdERtNkNBNnBTcTl4czNKVEVxdUZiaEdpZXZNUVJBVmRuSFREcDJYX2s3X0NxvA", "kty": "oct"}'
         message = '{"payload": "eyJlIjogIkFRQUIiLCAia3R5IjogIlJTQSIsICJuIjogIm5kN3ZWUTNraW4zS3BKdTd6RUZNTlVPb0ZIQmVDUWRFRTUyOF9iOHo2djNDNnYtQS0zeUdBcTFWTjZmRTluUXdYSmNlZ2ZNdm1MczlCVVllVjZ2M1FzdGhkVFRCdW5FS1l0TVVZUVRmNkpwaHNEb1pHTkt1dnpCY2ZxSlN2TXpCNHdwa3hORm1Pa2M1QVhwRzhnQWJiTTRuS3JDQkdCQ21lZ2RJUEc3U0g3Mk9tejN6YjIwemZfZlo4dHVoUzk1eUJKdndKRjhZRGtCdDViWUV5ZnQ4aVoyWVFGVmRZZW5FMDhKOGRBUGNVQy1HYld6NmJXUm9Xc0xOT21VNkVjSndsSV9tRXRqazA5aTNlVEhOa2Vna3NrZUJOeXhlSkdtaVRtMHRtS1MwOEVvY0VQTDA1UktxSm9XNnhVcHNITDcwSzdzUVRaUDBHSUY1VXBwSkZXMnlVdyJ9", "protected": "eyJ1cmwiOiAiaHR0cDovL2FjbWUtc3J2LmJhci5sb2NhbC9hY21lL25ld2FjY291bnQiLCAiYWxnIjogIkhTMjU2IiwgImtpZCI6ICJiYXIifQ", "signature": "VXYLfPuoClsn_rhPPV8qjspZV1Q7HyX8rXv6odWYnLI"}'
@@ -1061,7 +1167,7 @@ def test_140_helper_signature_check(self):
             error = 'Verification failed for all signatures["Failed: [InvalidJWSSignature(\'Verification failed\')]"]'
         self.assertEqual((False, error), self.signature_check(self.logger, message, mkey, json_=True))
 
-    def test_141_helper_signature_check(self):
+    def test_150_helper_signature_check(self):
         """ sucessful validation wrong symmetric key without json_ flag set """
         mkey = '{"k": "ZndUSkZvVldvMEFiRzQ5VWNCdERtNkNBNnBTcTl4czNKVEVxdUZiaEdpZXZNUVJBVmRuSFREcDJYX2s3X0NxvA", "kty": "oct"}'
         message = '{"payload": "eyJlIjogIkFRQUIiLCAia3R5IjogIlJTQSIsICJuIjogIm5kN3ZWUTNraW4zS3BKdTd6RUZNTlVPb0ZIQmVDUWRFRTUyOF9iOHo2djNDNnYtQS0zeUdBcTFWTjZmRTluUXdYSmNlZ2ZNdm1MczlCVVllVjZ2M1FzdGhkVFRCdW5FS1l0TVVZUVRmNkpwaHNEb1pHTkt1dnpCY2ZxSlN2TXpCNHdwa3hORm1Pa2M1QVhwRzhnQWJiTTRuS3JDQkdCQ21lZ2RJUEc3U0g3Mk9tejN6YjIwemZfZlo4dHVoUzk1eUJKdndKRjhZRGtCdDViWUV5ZnQ4aVoyWVFGVmRZZW5FMDhKOGRBUGNVQy1HYld6NmJXUm9Xc0xOT21VNkVjSndsSV9tRXRqazA5aTNlVEhOa2Vna3NrZUJOeXhlSkdtaVRtMHRtS1MwOEVvY0VQTDA1UktxSm9XNnhVcHNITDcwSzdzUVRaUDBHSUY1VXBwSkZXMnlVdyJ9", "protected": "eyJ1cmwiOiAiaHR0cDovL2FjbWUtc3J2LmJhci5sb2NhbC9hY21lL25ld2FjY291bnQiLCAiYWxnIjogIkhTMjU2IiwgImtpZCI6ICJiYXIifQ", "signature": "VXYLfPuoClsn_rhPPV8qjspZV1Q7HyX8rXv6odWYnLI"}'
@@ -1069,63 +1175,66 @@ def test_141_helper_signature_check(self):
             error = 'type object argument after ** must be a mapping, not str'
         else:
             error = 'jwcrypto.jwk.JWK() argument after ** must be a mapping, not str'
-        self.assertEqual((False, error), self.signature_check(self.logger, message, mkey))
 
-    def test_142_helper_signature_check(self):
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((False, error), self.signature_check(self.logger, message, mkey))
+        self.assertIn('ERROR:test_a2c:No jwkey extracted', lcm.output)
+
+    def test_151_helper_signature_check(self):
         """ sucessful validation invalid key """
         mkey = 'invalid key'
         message = '{"payload": "eyJlIjogIkFRQUIiLCAia3R5IjogIlJTQSIsICJuIjogIm5kN3ZWUTNraW4zS3BKdTd6RUZNTlVPb0ZIQmVDUWRFRTUyOF9iOHo2djNDNnYtQS0zeUdBcTFWTjZmRTluUXdYSmNlZ2ZNdm1MczlCVVllVjZ2M1FzdGhkVFRCdW5FS1l0TVVZUVRmNkpwaHNEb1pHTkt1dnpCY2ZxSlN2TXpCNHdwa3hORm1Pa2M1QVhwRzhnQWJiTTRuS3JDQkdCQ21lZ2RJUEc3U0g3Mk9tejN6YjIwemZfZlo4dHVoUzk1eUJKdndKRjhZRGtCdDViWUV5ZnQ4aVoyWVFGVmRZZW5FMDhKOGRBUGNVQy1HYld6NmJXUm9Xc0xOT21VNkVjSndsSV9tRXRqazA5aTNlVEhOa2Vna3NrZUJOeXhlSkdtaVRtMHRtS1MwOEVvY0VQTDA1UktxSm9XNnhVcHNITDcwSzdzUVRaUDBHSUY1VXBwSkZXMnlVdyJ9", "protected": "eyJ1cmwiOiAiaHR0cDovL2FjbWUtc3J2LmJhci5sb2NhbC9hY21lL25ld2FjY291bnQiLCAiYWxnIjogIkhTMjU2IiwgImtpZCI6ICJiYXIifQ", "signature": "VXYLfPuoClsn_rhPPV8qjspZV1Q7HyX8rXv6odWYnLI"}'
         self.assertEqual((False, ''), self.signature_check(self.logger, message, mkey, json_=True))
 
-    def test_143_fqdn_in_san_check(self):
+    def test_152_fqdn_in_san_check(self):
         """ successful check one entry one match """
         fqdn = 'foo.bar.local'
         san_list = ['DNS:foo.bar.local']
         self.assertTrue(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_144_fqdn_in_san_check(self):
+    def test_153_fqdn_in_san_check(self):
         """ successful check two entries one match """
         fqdn = 'foo.bar.local'
         san_list = ['DNS:foo1.bar.local', 'DNS:foo.bar.local']
         self.assertTrue(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_145_fqdn_in_san_check(self):
+    def test_154_fqdn_in_san_check(self):
         """ successful check two entries no DNS one match """
         fqdn = 'foo.bar.local'
         san_list = ['IP: 10.0.0.l', 'DNS:foo.bar.local']
         self.assertTrue(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_146_fqdn_in_san_check(self):
+    def test_155_fqdn_in_san_check(self):
         """ successful check no fqdn """
         fqdn = None
         san_list = ['IP: 10.0.0.l', 'DNS:foo.bar.local']
         self.assertFalse(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_147_fqdn_in_san_check(self):
+    def test_156_fqdn_in_san_check(self):
         """ successful check no fqdn """
         fqdn = ''
         san_list = ['IP: 10.0.0.l', 'DNS:foo.bar.local']
         self.assertFalse(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_148_fqdn_in_san_check(self):
+    def test_157_fqdn_in_san_check(self):
         """ successful check blank fqdn """
         fqdn = ' '
         san_list = ['IP: 10.0.0.l', 'DNS:foo.bar.local']
         self.assertFalse(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_149_fqdn_in_san_check(self):
+    def test_158_fqdn_in_san_check(self):
         """ successful check empty san_list """
         fqdn = 'foo.bar.local'
         san_list = []
         self.assertFalse(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_150_fqdn_in_san_check(self):
+    def test_159_fqdn_in_san_check(self):
         """ successful check two entries one match """
         fqdn = 'foo.bar.local'
         san_list = ['foo1.bar.local', 'DNS:foo.bar.local']
         self.assertTrue(self.fqdn_in_san_check(self.logger, san_list, fqdn))
 
-    def test_151_fqdn_in_san_check(self):
+    def test_160_fqdn_in_san_check(self):
         """ successful check two entries one match """
         fqdn = 'foo.bar.local'
         san_list = ['foo1.bar.local']
@@ -1133,42 +1242,42 @@ def test_151_fqdn_in_san_check(self):
             self.assertFalse(self.fqdn_in_san_check(self.logger, san_list, fqdn))
         self.assertIn('ERROR:test_a2c:ERROR: fqdn_in_san_check() SAN split failed: foo1.bar.local', lcm.output)
 
-    def test_152_sha256_hash_hex(self):
+    def test_161_sha256_hash_hex(self):
         """ sha256 digest as hex file """
         self.assertEqual('2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae', self.sha256_hash_hex(self.logger, 'foo'))
 
-    def test_153_sha256_hash_hex(self):
+    def test_162_sha256_hash_hex(self):
         """ sha256 digest as hex file """
         self.assertEqual('fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9', self.sha256_hash_hex(self.logger, 'bar'))
 
-    def test_154_sha256_hash(self):
+    def test_163_sha256_hash(self):
         """ sha256 digest """
         self.assertEqual(b'LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564', self.b64_url_encode(self.logger, self.sha256_hash(self.logger, 'foo')))
 
-    def test_155_sha256_hash(self):
+    def test_164_sha256_hash(self):
         """ sha256 digest """
         self.assertEqual(b'_N4rLtula_QIYB-3If6bXDONEO5CnqBPrlURto-_j7k', self.b64_url_encode(self.logger, self.sha256_hash(self.logger, 'bar')))
 
-    def test_156_b64_encode(self):
+    def test_165_b64_encode(self):
         """ base64 encode string """
         self.assertEqual('Zm9v', self.b64_encode(self.logger, b'foo'))
 
-    def test_157_b64_encode(self):
+    def test_166_b64_encode(self):
         """ base64 encode string """
         self.assertEqual('YmFyMQ==', self.b64_encode(self.logger, b'bar1'))
 
-    def test_158_b64_encode(self):
+    def test_167_b64_encode(self):
         """ base64 encode string """
         self.assertEqual('YmFyMTI=', self.b64_encode(self.logger, b'bar12'))
 
-    def test_159_cert_der2pem(self):
+    def test_168_cert_der2pem(self):
        """ test cert_der2pem """
        b64 = 'MIIETjCCAjagAwIBAgIRAIG11e4S8ErJuwCYAKsoU3UwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGc3ViLWNhMB4XDTIxMDYxMjA2MjMzOFoXDTIzMDYwMjA2MjMzOFowGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0lk4lyEIa0VL/u5ic01Zo/o+gyYqFpU7xe+nbFgiKA+R1rqrzP/sR6xjHqS0Rkv/BcBXf81sp/+iDmwIQLVlBTkKdimqVHCJMAbTL8ZNpcLDaRUce4liyX1cmczPTSqI/kcyEr8tKpYN+KzvKZZsNx2Pbgu7y7/70P2uSywiW+sqYZ+X28KGFxq6wwENzJtweDVsbWql9LLtw6daF41UQg10auNlRL1nhW0SlWZh1zPPW/0sa6C3xX28jjVh843b4ekkRNLXSEYQMTi0qYR2LomQ5aTlQ/hellf17UknfN2aA2RH5D7Ek+mndj/rH21bxQg26KRmHlaJld9K1IfvJAgMBAAGjgZgwgZUwCwYDVR0PBAQDAgXgMBkGA1UdEQQSMBCCDmZvbzEuYmFyLmxvY2FsMB0GA1UdDgQWBBReDKlEWwro02ljWMCi10HMqhDmbzAfBgNVHSMEGDAWgBSDJ855iatD1k7LCUzmM5yhe4IzeDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAhv7Jco6VjT25FuyOz/C0N5+q2M8sqjcDDYMwUTKXVkIc7/lSsubL8z64eS4I5iBecNOlPXASMoMe0KbdrvzqItYgeisC08rnWQayuDr/dj2Y/v4WptZdTPc0pWZQ7LUSxcZaydMFsIKxtfO2HR84DqrUbpvDfVSP7/UiN2O0TbSBiEC6Xayu6IudGZ9naHTAXzTau6SejcbH+0jWZsDXd1SbDPd3a+ZcHbDLIZAzsjcurleDPS54PIXjblOgMrsheDq/wzxKtvLOZEe8Gr6THwtX6uS0oQ72BFNGfZVVPFiL/q0Dvj2FveBtv7k14QcBqHutE4pEpYb/kcU7cxCVgGlUw8Q8trYQhBB37X9dOHjC2G8cyCeyVr+xfUE12wTKZDRIXjG3FMpKgeB4oNYPWA5m/1GBOGddhmogIB8GXeenDcAjBdVOFuuOrMInHLnLD9w7iEiopfx+six3Nxpo3thDV4xdiTZsWp9ojZhQzW8haEQleJ3Xyl65UuZKHyrRJ0OWR4LRkNwJitG5F0MYg8bjgik/cHTwzIB0HXgnaVeMBJY3sOkvCpAlTGZe1GL9foWIeFkprPG4cePrjtC3Mn8rHH0pIi1mdkcAIdexYdg/qlroKk2ROLXnX5LHmrM1CDZQphgyzLETdwXQdTBOJvc8FsDPhp5p+iqgT2e16QI='
        result = b'-----BEGIN CERTIFICATE-----\nMIIETjCCAjagAwIBAgIRAIG11e4S8ErJuwCYAKsoU3UwDQYJKoZIhvcNAQELBQAw\nETEPMA0GA1UEAxMGc3ViLWNhMB4XDTIxMDYxMjA2MjMzOFoXDTIzMDYwMjA2MjMz\nOFowGTEXMBUGA1UEAwwOZm9vMS5iYXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQC0lk4lyEIa0VL/u5ic01Zo/o+gyYqFpU7xe+nbFgiKA+R1\nrqrzP/sR6xjHqS0Rkv/BcBXf81sp/+iDmwIQLVlBTkKdimqVHCJMAbTL8ZNpcLDa\nRUce4liyX1cmczPTSqI/kcyEr8tKpYN+KzvKZZsNx2Pbgu7y7/70P2uSywiW+sqY\nZ+X28KGFxq6wwENzJtweDVsbWql9LLtw6daF41UQg10auNlRL1nhW0SlWZh1zPPW\n/0sa6C3xX28jjVh843b4ekkRNLXSEYQMTi0qYR2LomQ5aTlQ/hellf17UknfN2aA\n2RH5D7Ek+mndj/rH21bxQg26KRmHlaJld9K1IfvJAgMBAAGjgZgwgZUwCwYDVR0P\nBAQDAgXgMBkGA1UdEQQSMBCCDmZvbzEuYmFyLmxvY2FsMB0GA1UdDgQWBBReDKlE\nWwro02ljWMCi10HMqhDmbzAfBgNVHSMEGDAWgBSDJ855iatD1k7LCUzmM5yhe4Iz\neDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAN\nBgkqhkiG9w0BAQsFAAOCAgEAhv7Jco6VjT25FuyOz/C0N5+q2M8sqjcDDYMwUTKX\nVkIc7/lSsubL8z64eS4I5iBecNOlPXASMoMe0KbdrvzqItYgeisC08rnWQayuDr/\ndj2Y/v4WptZdTPc0pWZQ7LUSxcZaydMFsIKxtfO2HR84DqrUbpvDfVSP7/UiN2O0\nTbSBiEC6Xayu6IudGZ9naHTAXzTau6SejcbH+0jWZsDXd1SbDPd3a+ZcHbDLIZAz\nsjcurleDPS54PIXjblOgMrsheDq/wzxKtvLOZEe8Gr6THwtX6uS0oQ72BFNGfZVV\nPFiL/q0Dvj2FveBtv7k14QcBqHutE4pEpYb/kcU7cxCVgGlUw8Q8trYQhBB37X9d\nOHjC2G8cyCeyVr+xfUE12wTKZDRIXjG3FMpKgeB4oNYPWA5m/1GBOGddhmogIB8G\nXeenDcAjBdVOFuuOrMInHLnLD9w7iEiopfx+six3Nxpo3thDV4xdiTZsWp9ojZhQ\nzW8haEQleJ3Xyl65UuZKHyrRJ0OWR4LRkNwJitG5F0MYg8bjgik/cHTwzIB0HXgn\naVeMBJY3sOkvCpAlTGZe1GL9foWIeFkprPG4cePrjtC3Mn8rHH0pIi1mdkcAIdex\nYdg/qlroKk2ROLXnX5LHmrM1CDZQphgyzLETdwXQdTBOJvc8FsDPhp5p+iqgT2e1\n6QI=\n-----END CERTIFICATE-----\n'
        der = self.b64_decode(self.logger, b64)
        self.assertEqual(result, self.cert_der2pem(der))
 
-    def test_160_cert_pem2der(self):
+    def test_169_cert_pem2der(self):
         """ test cert_der2pem """
         cert = """-----BEGIN CERTIFICATE-----
 MIIEZDCCAkygAwIBAgIIe941mx0FQtAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UE
@@ -1199,7 +1308,9 @@ def test_160_cert_pem2der(self):
         result = 'MIIEZDCCAkygAwIBAgIIe941mx0FQtAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMTA0MDkxNTUyMDBaFw0yNjA0MDkxNTUyMDBaMBgxFjAUBgNVBAMTDWVzdGNsaWVudC5lc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAn6IqwTE1RvZUm3gelpu4tmrdFj8Ub98J1YeQz7qrew5iA81NeH9tR484edjcY0ieOt3e1MfxJoziWtaeqxpsfytmVB/i+850kVZmvRCR1jhW/4AzidkVBMQiCR5erPmmheeCxbKkto0rHb7ziRA+F8/fZLKfLNsahEQPxDuMItyQFCOQFHh8Hfuend2NgsQKeZ1r5Czf3n5Q6NFff7HG+MDeNDNdPB3ShgcvvNCFUS1z615/GIItfSqcWTAVaJ7436cA7yy5y4+0SvjfXYtHYfythBj/5UqlUmjni8Irj5K8uEtb1YUujmvlTTbzPkhYqIkSoyr7t21Dz+gcYn49AgMBAAGjgZ8wgZwwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUN3Z0iLv1FE17DCDBfpxW2P+5+kIwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1UdEQQRMA+CDWVzdGNsaWVudC5lc3QwEQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBACMAHHH4/0eAXbS/uKsIjLN1QPnnzgjxC0xoUon8UVM0PUMH+FMg6rs21Xyl5tn5iItmvKI9c3akAZ00RUQKVdmJVFRUKywmfF7n5epBpXtWJrSH817NT9GOp+PO5VUTDV5VkvpVLoy7WzThrheLKz1nC1dWowRz86tcBLAsC1zT17fsNZXQDuv4LiQQXs7QKhUU75r1IxrdBPeBQSP5skGpWxm8sapQSfOALoXu1pSoGIr6tqvNGuEoZGvUuWeQHG/G8c2ufL+6lEzZBBCd6e2tErkqD/vqfCRzbLcGgSPX0HVWdkjH09nHWXI5UhNr2YgGF7YvSTKWJfbDVlTql1BuSn2yTQtDk4E8k9BLr8WfqFSZvYrivT9Ax1n3BD9jvQL5+QRdioH1kqNGMme0Pb43pHciX4hu9L5rGenZRmxeGXZ78uSOR+n2bGxAMw1OY7Rx/lsNSKWDSN+7xIrwjjXO5Uthev1ecrLAK2+EpjITa6Y85ms39V4ypCEdujkKEBeVxuN8DdMJ2GaFGluSRZeYZ0LAPfYr5sp6G6904WF+PcT0WjGenH4PJLXrAttbhhvQxXU0Q8s2CUwUHy5OT/DW3POq7WETc+zmFGwZqiP3W9gmN0hHXsKqkNmz2RYgoH57lPS1PJb0klGUNHG98CtsmlhrivhSTJWqSIOfyKGF'
         self.assertEqual(result, self.b64_encode(self.logger, self.cert_pem2der(cert)))
 
-    def test_161_helper_cert_extensions_get(self):
+    @patch('acme_srv.helper.cert_extensions_py_openssl_get')
+    @patch('acme_srv.helper.cryptography_version_get')
+    def test_170_helper_cert_extensions_get(self, mock_version, mock_py):
         """ test cert_san_get for a single SAN and recode = False"""
         cert = """-----BEGIN CERTIFICATE-----
 MIIEZDCCAkygAwIBAgIIe941mx0FQtAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UE
@@ -1227,44 +1338,100 @@ def test_161_helper_cert_extensions_get(self):
 CUwUHy5OT/DW3POq7WETc+zmFGwZqiP3W9gmN0hHXsKqkNmz2RYgoH57lPS1PJb0
 klGUNHG98CtsmlhrivhSTJWqSIOfyKGF
 -----END CERTIFICATE-----"""
+        mock_version.return_value = 36
         self.assertEqual(['MAA=', 'BBQ3dnSIu/UUTXsMIMF+nFbY/7n6Qg==', 'AwIDuA==', 'MAoGCCsGAQUFBwMC', 'MA+CDWVzdGNsaWVudC5lc3Q=', 'AwIFoA==', 'Fg94Y2EgY2VydGlmaWNhdGU='], self.cert_extensions_get(self.logger, cert, recode=False))
+        self.assertFalse(mock_py.called)
 
-    def test_162_helper_cert_extensions_get(self):
+    @patch('acme_srv.helper.cert_extensions_py_openssl_get')
+    @patch('acme_srv.helper.cryptography_version_get')
+    def test_171_helper_cert_extensions_get(self, mock_version, mock_py):
         """ test cert_san_get for a single SAN and recode = True"""
         cert = "MIIEZDCCAkygAwIBAgIIe941mx0FQtAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMTA0MDkxNTUyMDBaFw0yNjA0MDkxNTUyMDBaMBgxFjAUBgNVBAMTDWVzdGNsaWVudC5lc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAn6IqwTE1RvZUm3gelpu4tmrdFj8Ub98J1YeQz7qrew5iA81NeH9tR484edjcY0ieOt3e1MfxJoziWtaeqxpsfytmVB/i+850kVZmvRCR1jhW/4AzidkVBMQiCR5erPmmheeCxbKkto0rHb7ziRA+F8/fZLKfLNsahEQPxDuMItyQFCOQFHh8Hfuend2NgsQKeZ1r5Czf3n5Q6NFff7HG+MDeNDNdPB3ShgcvvNCFUS1z615/GIItfSqcWTAVaJ7436cA7yy5y4+0SvjfXYtHYfythBj/5UqlUmjni8Irj5K8uEtb1YUujmvlTTbzPkhYqIkSoyr7t21Dz+gcYn49AgMBAAGjgZ8wgZwwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUN3Z0iLv1FE17DCDBfpxW2P+5+kIwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1UdEQQRMA+CDWVzdGNsaWVudC5lc3QwEQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBACMAHHH4/0eAXbS/uKsIjLN1QPnnzgjxC0xoUon8UVM0PUMH+FMg6rs21Xyl5tn5iItmvKI9c3akAZ00RUQKVdmJVFRUKywmfF7n5epBpXtWJrSH817NT9GOp+PO5VUTDV5VkvpVLoy7WzThrheLKz1nC1dWowRz86tcBLAsC1zT17fsNZXQDuv4LiQQXs7QKhUU75r1IxrdBPeBQSP5skGpWxm8sapQSfOALoXu1pSoGIr6tqvNGuEoZGvUuWeQHG/G8c2ufL+6lEzZBBCd6e2tErkqD/vqfCRzbLcGgSPX0HVWdkjH09nHWXI5UhNr2YgGF7YvSTKWJfbDVlTql1BuSn2yTQtDk4E8k9BLr8WfqFSZvYrivT9Ax1n3BD9jvQL5+QRdioH1kqNGMme0Pb43pHciX4hu9L5rGenZRmxeGXZ78uSOR+n2bGxAMw1OY7Rx/lsNSKWDSN+7xIrwjjXO5Uthev1ecrLAK2+EpjITa6Y85ms39V4ypCEdujkKEBeVxuN8DdMJ2GaFGluSRZeYZ0LAPfYr5sp6G6904WF+PcT0WjGenH4PJLXrAttbhhvQxXU0Q8s2CUwUHy5OT/DW3POq7WETc+zmFGwZqiP3W9gmN0hHXsKqkNmz2RYgoH57lPS1PJb0klGUNHG98CtsmlhrivhSTJWqSIOfyKGF"
+        mock_version.return_value = 36
         self.assertEqual(['MAA=', 'BBQ3dnSIu/UUTXsMIMF+nFbY/7n6Qg==', 'AwIDuA==', 'MAoGCCsGAQUFBwMC', 'MA+CDWVzdGNsaWVudC5lc3Q=', 'AwIFoA==', 'Fg94Y2EgY2VydGlmaWNhdGU='], self.cert_extensions_get(self.logger, cert, recode=True))
+        self.assertFalse(mock_py.called)
+
+    @patch('acme_srv.helper.cert_extensions_py_openssl_get')
+    @patch('acme_srv.helper.cryptography_version_get')
+    def test_172_helper_cert_extensions_get(self, mock_version, mock_py):
+        """ test cert_san_get for a single SAN and recode = True"""
+        cert = "MIIEZDCCAkygAwIBAgIIe941mx0FQtAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMTA0MDkxNTUyMDBaFw0yNjA0MDkxNTUyMDBaMBgxFjAUBgNVBAMTDWVzdGNsaWVudC5lc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAn6IqwTE1RvZUm3gelpu4tmrdFj8Ub98J1YeQz7qrew5iA81NeH9tR484edjcY0ieOt3e1MfxJoziWtaeqxpsfytmVB/i+850kVZmvRCR1jhW/4AzidkVBMQiCR5erPmmheeCxbKkto0rHb7ziRA+F8/fZLKfLNsahEQPxDuMItyQFCOQFHh8Hfuend2NgsQKeZ1r5Czf3n5Q6NFff7HG+MDeNDNdPB3ShgcvvNCFUS1z615/GIItfSqcWTAVaJ7436cA7yy5y4+0SvjfXYtHYfythBj/5UqlUmjni8Irj5K8uEtb1YUujmvlTTbzPkhYqIkSoyr7t21Dz+gcYn49AgMBAAGjgZ8wgZwwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUN3Z0iLv1FE17DCDBfpxW2P+5+kIwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1UdEQQRMA+CDWVzdGNsaWVudC5lc3QwEQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBACMAHHH4/0eAXbS/uKsIjLN1QPnnzgjxC0xoUon8UVM0PUMH+FMg6rs21Xyl5tn5iItmvKI9c3akAZ00RUQKVdmJVFRUKywmfF7n5epBpXtWJrSH817NT9GOp+PO5VUTDV5VkvpVLoy7WzThrheLKz1nC1dWowRz86tcBLAsC1zT17fsNZXQDuv4LiQQXs7QKhUU75r1IxrdBPeBQSP5skGpWxm8sapQSfOALoXu1pSoGIr6tqvNGuEoZGvUuWeQHG/G8c2ufL+6lEzZBBCd6e2tErkqD/vqfCRzbLcGgSPX0HVWdkjH09nHWXI5UhNr2YgGF7YvSTKWJfbDVlTql1BuSn2yTQtDk4E8k9BLr8WfqFSZvYrivT9Ax1n3BD9jvQL5+QRdioH1kqNGMme0Pb43pHciX4hu9L5rGenZRmxeGXZ78uSOR+n2bGxAMw1OY7Rx/lsNSKWDSN+7xIrwjjXO5Uthev1ecrLAK2+EpjITa6Y85ms39V4ypCEdujkKEBeVxuN8DdMJ2GaFGluSRZeYZ0LAPfYr5sp6G6904WF+PcT0WjGenH4PJLXrAttbhhvQxXU0Q8s2CUwUHy5OT/DW3POq7WETc+zmFGwZqiP3W9gmN0hHXsKqkNmz2RYgoH57lPS1PJb0klGUNHG98CtsmlhrivhSTJWqSIOfyKGF"
+        mock_version.return_value = 34
+        mock_py.return_value = ['foo', 'bar']
+        self.assertEqual(['foo', 'bar'], self.cert_extensions_get(self.logger, cert, recode=True))
+        self.assertTrue(mock_py.called)
+
+    def test_172_helper_cert_extensions_py_openssl_get(self):
+        """ test cert_san_get for a single SAN and recode = False"""
+        cert = """-----BEGIN CERTIFICATE-----
+MIIEZDCCAkygAwIBAgIIe941mx0FQtAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UE
+CxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMTA0MDkxNTUy
+MDBaFw0yNjA0MDkxNTUyMDBaMBgxFjAUBgNVBAMTDWVzdGNsaWVudC5lc3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAn6IqwTE1RvZUm3gelpu4tmrd
+Fj8Ub98J1YeQz7qrew5iA81NeH9tR484edjcY0ieOt3e1MfxJoziWtaeqxpsfytm
+VB/i+850kVZmvRCR1jhW/4AzidkVBMQiCR5erPmmheeCxbKkto0rHb7ziRA+F8/f
+ZLKfLNsahEQPxDuMItyQFCOQFHh8Hfuend2NgsQKeZ1r5Czf3n5Q6NFff7HG+MDe
+NDNdPB3ShgcvvNCFUS1z615/GIItfSqcWTAVaJ7436cA7yy5y4+0SvjfXYtHYfyt
+hBj/5UqlUmjni8Irj5K8uEtb1YUujmvlTTbzPkhYqIkSoyr7t21Dz+gcYn49AgMB
+AAGjgZ8wgZwwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUN3Z0iLv1FE17DCDBfpxW
+2P+5+kIwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1UdEQQR
+MA+CDWVzdGNsaWVudC5lc3QwEQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIB
+DQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBACMAHHH4/0eA
+XbS/uKsIjLN1QPnnzgjxC0xoUon8UVM0PUMH+FMg6rs21Xyl5tn5iItmvKI9c3ak
+AZ00RUQKVdmJVFRUKywmfF7n5epBpXtWJrSH817NT9GOp+PO5VUTDV5VkvpVLoy7
+WzThrheLKz1nC1dWowRz86tcBLAsC1zT17fsNZXQDuv4LiQQXs7QKhUU75r1Ixrd
+BPeBQSP5skGpWxm8sapQSfOALoXu1pSoGIr6tqvNGuEoZGvUuWeQHG/G8c2ufL+6
+lEzZBBCd6e2tErkqD/vqfCRzbLcGgSPX0HVWdkjH09nHWXI5UhNr2YgGF7YvSTKW
+JfbDVlTql1BuSn2yTQtDk4E8k9BLr8WfqFSZvYrivT9Ax1n3BD9jvQL5+QRdioH1
+kqNGMme0Pb43pHciX4hu9L5rGenZRmxeGXZ78uSOR+n2bGxAMw1OY7Rx/lsNSKWD
+SN+7xIrwjjXO5Uthev1ecrLAK2+EpjITa6Y85ms39V4ypCEdujkKEBeVxuN8DdMJ
+2GaFGluSRZeYZ0LAPfYr5sp6G6904WF+PcT0WjGenH4PJLXrAttbhhvQxXU0Q8s2
+CUwUHy5OT/DW3POq7WETc+zmFGwZqiP3W9gmN0hHXsKqkNmz2RYgoH57lPS1PJb0
+klGUNHG98CtsmlhrivhSTJWqSIOfyKGF
+-----END CERTIFICATE-----"""
+        self.assertEqual(['MAA=', 'BBQ3dnSIu/UUTXsMIMF+nFbY/7n6Qg==', 'AwIDuA==', 'MAoGCCsGAQUFBwMC', 'MA+CDWVzdGNsaWVudC5lc3Q=', 'AwIFoA==', 'Fg94Y2EgY2VydGlmaWNhdGU='], self.cert_extensions_py_openssl_get(self.logger, cert, recode=False))
 
-    def test_163_csr_dn_get(self):
+    def test_173_cert_extensions_py_openssl_get(self):
+        """ test cert_san_get for a single SAN and recode = True"""
+        cert = "MIIEZDCCAkygAwIBAgIIe941mx0FQtAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yMTA0MDkxNTUyMDBaFw0yNjA0MDkxNTUyMDBaMBgxFjAUBgNVBAMTDWVzdGNsaWVudC5lc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAn6IqwTE1RvZUm3gelpu4tmrdFj8Ub98J1YeQz7qrew5iA81NeH9tR484edjcY0ieOt3e1MfxJoziWtaeqxpsfytmVB/i+850kVZmvRCR1jhW/4AzidkVBMQiCR5erPmmheeCxbKkto0rHb7ziRA+F8/fZLKfLNsahEQPxDuMItyQFCOQFHh8Hfuend2NgsQKeZ1r5Czf3n5Q6NFff7HG+MDeNDNdPB3ShgcvvNCFUS1z615/GIItfSqcWTAVaJ7436cA7yy5y4+0SvjfXYtHYfythBj/5UqlUmjni8Irj5K8uEtb1YUujmvlTTbzPkhYqIkSoyr7t21Dz+gcYn49AgMBAAGjgZ8wgZwwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUN3Z0iLv1FE17DCDBfpxW2P+5+kIwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMCMBgGA1UdEQQRMA+CDWVzdGNsaWVudC5lc3QwEQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBACMAHHH4/0eAXbS/uKsIjLN1QPnnzgjxC0xoUon8UVM0PUMH+FMg6rs21Xyl5tn5iItmvKI9c3akAZ00RUQKVdmJVFRUKywmfF7n5epBpXtWJrSH817NT9GOp+PO5VUTDV5VkvpVLoy7WzThrheLKz1nC1dWowRz86tcBLAsC1zT17fsNZXQDuv4LiQQXs7QKhUU75r1IxrdBPeBQSP5skGpWxm8sapQSfOALoXu1pSoGIr6tqvNGuEoZGvUuWeQHG/G8c2ufL+6lEzZBBCd6e2tErkqD/vqfCRzbLcGgSPX0HVWdkjH09nHWXI5UhNr2YgGF7YvSTKWJfbDVlTql1BuSn2yTQtDk4E8k9BLr8WfqFSZvYrivT9Ax1n3BD9jvQL5+QRdioH1kqNGMme0Pb43pHciX4hu9L5rGenZRmxeGXZ78uSOR+n2bGxAMw1OY7Rx/lsNSKWDSN+7xIrwjjXO5Uthev1ecrLAK2+EpjITa6Y85ms39V4ypCEdujkKEBeVxuN8DdMJ2GaFGluSRZeYZ0LAPfYr5sp6G6904WF+PcT0WjGenH4PJLXrAttbhhvQxXU0Q8s2CUwUHy5OT/DW3POq7WETc+zmFGwZqiP3W9gmN0hHXsKqkNmz2RYgoH57lPS1PJb0klGUNHG98CtsmlhrivhSTJWqSIOfyKGF"
+        self.assertEqual(['MAA=', 'BBQ3dnSIu/UUTXsMIMF+nFbY/7n6Qg==', 'AwIDuA==', 'MAoGCCsGAQUFBwMC', 'MA+CDWVzdGNsaWVudC5lc3Q=', 'AwIFoA==', 'Fg94Y2EgY2VydGlmaWNhdGU='], self.cert_extensions_py_openssl_get(self.logger, cert, recode=True))
+
+    def test_172_csr_dn_get(self):
         """" test csr_dn_get """
         csr = 'MIICjDCCAXQCAQAwFzEVMBMGA1UEAwwMdGVzdF9yZXF1ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy6VRYaXuLS/DPa+pf5IEwycpjPfZ2vTFlvjvhwu9A3yaQQn4kD33Fu4p+zorIVmsjgpkUel2104lxFeSV081YKGzOtsajzaIRZhF7mHG5aVA8cahVPHlnxT06kO8F545ZsxE6T22tCbrLJpZk4hcaQUmGcZDWZqI7CXhbi1LSuIVIAAF0lTGMsanIM97ZEtA9mhtxFd7TsLlJpmls1l8MTavFcBtAZXqAsi4LnzEbozSjaLnuXsTe7tPmOS0uOLX+EcTAH/SxkbIg3whehTzC/sVmz5STbpklq3QuudtUl/509fpSa/UQ+WFOUUC3GhiiMM813ZsbAnt1BJepKtrfQIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHREEFjAUghJ0ZXN0X3JlcXVlc3QubG9jYWwwDQYJKoZIhvcNAQELBQADggEBAFcKxjJXHBVjzqF3e6fCkDbF1JnVtNyDxZB+h4b5lI7SIuA9O/+0hcl/njeFB1gJbRODws10kKkiAYLXvS/fsLJg1gdyFPmDiCd2nJhDUCBcGmVYraGhV45x67jcUmoeqSSj5KyUY9zI+v3nANvZMf+g31ORtW8PuspkiiLJiyuGzFS67DGovbcBRrM67IApO7p04VwLA0hssFUa+wF9PUWIyu9TLx+w0rNYcp3d1wkJ905TB8gwOKXeB0RwkporlOF3KEcT+ueKZE04867bjZ/ZpiuIDFnO23MsUKLKU9ebWgwYN/xzxA8sroM69y+Acpt9Zwn3vRjVlT92Ztl218Q='
         self.assertEqual('CN=test_request', self.csr_dn_get(self.logger, csr))
 
-    def test_164_logger_setup(self):
+    def test_173_logger_setup(self):
         """ logger setup """
         self.assertTrue(self.logger_setup(False))
 
-    def test_165_logger_setup(self):
+    def test_174_logger_setup(self):
         """ logger setup """
         self.assertTrue(self.logger_setup(True))
 
     @patch('acme_srv.helper.load_config')
-    def test_166_logger_setup(self, mock_load_cfg):
+    def test_175_logger_setup(self, mock_load_cfg):
         """ logger setup """
         mock_load_cfg.return_value = {'Helper': {'log_format': 'foo'}}
         self.assertTrue(self.logger_setup(True))
 
     @patch('configparser.RawConfigParser')
-    def test_167_load_config(self, mock_parser):
+    def test_176_load_config(self, mock_parser):
         """ load config """
         self.assertTrue(self.load_config(None, None, None))
 
+    @patch('configparser.RawConfigParser')
+    def test_177_load_config(self, mock_parser):
+        """ load config """
+        self.assertTrue(self.load_config(self.logger, None, None))
+
     @patch.dict('os.environ', {'ACME_SRV_CONFIGFILE': 'ACME_SRV_CONFIGFILE'})
     @patch('configparser.RawConfigParser')
-    def test_168_load_config(self, mock_parser):
+    def test_178_load_config(self, mock_parser):
         """ load config """
         self.assertTrue(self.load_config(None, None, None))
 
-    def test_169_logger_info(self):
+    def test_179_logger_info(self):
         """ logger info """
         addr = 'addr'
         url = 'url'
@@ -1273,7 +1440,7 @@ def test_169_logger_info(self):
             self.logger_info(self.logger, addr, url, data_dic)
         self.assertIn("INFO:test_a2c:addr url {'foo': 'bar'}", lcm.output)
 
-    def test_170_logger_info(self):
+    def test_180_logger_info(self):
         """ logger info replace remove Nonce in header """
         addr = 'addr'
         url = 'url'
@@ -1282,7 +1449,7 @@ def test_170_logger_info(self):
             self.logger_info(self.logger, addr, url, data_dic)
         self.assertIn("INFO:test_a2c:addr url {'foo': 'bar', 'header': {'Replay-Nonce': '- modified -'}}", lcm.output)
 
-    def test_171_logger_info(self):
+    def test_181_logger_info(self):
         """ logger info replace remnove cert """
         addr = 'addr'
         url = '/acme/cert/secret'
@@ -1291,7 +1458,7 @@ def test_171_logger_info(self):
             self.logger_info(self.logger, addr, url, data_dic)
         self.assertIn("INFO:test_a2c:addr /acme/cert/secret {'foo': 'bar', 'data': ' - certificate - '}", lcm.output)
 
-    def test_172_logger_info(self):
+    def test_182_logger_info(self):
         """ logger info replace remove token """
         addr = 'addr'
         url = 'url'
@@ -1300,7 +1467,7 @@ def test_172_logger_info(self):
             self.logger_info(self.logger, addr, url, data_dic)
         self.assertIn("INFO:test_a2c:addr url {'foo': 'bar', 'data': {'token': '- modified -'}}", lcm.output)
 
-    def test_173_logger_info(self):
+    def test_183_logger_info(self):
         """ logger info replace remove single token in challenges """
         addr = 'addr'
         url = 'url'
@@ -1309,7 +1476,7 @@ def test_173_logger_info(self):
             self.logger_info(self.logger, addr, url, data_dic)
         self.assertIn("INFO:test_a2c:addr url {'foo': 'bar', 'data': {'challenges': [{'foo1': 'bar1', 'token': '- modified - '}]}}", lcm.output)
 
-    def test_174_logger_info(self):
+    def test_184_logger_info(self):
         """ logger info replace remove two token in challenges """
         addr = 'addr'
         url = 'url'
@@ -1319,31 +1486,31 @@ def test_174_logger_info(self):
         self.assertIn("INFO:test_a2c:addr url {'foo': 'bar', 'data': {'challenges': [{'foo1': 'bar1', 'token': '- modified - '}, {'foo2': 'bar2', 'token': '- modified - '}]}}", lcm.output)
 
     @patch('builtins.print')
-    def test_175_print_debug(self, mock_print):
+    def test_185_print_debug(self, mock_print):
         """ test print_debug """
         self.print_debug(False, 'test')
         self.assertFalse(mock_print.called)
 
     @patch('builtins.print')
-    def test_176_print_debug(self, mock_print):
+    def test_186_print_debug(self, mock_print):
         """ test print_debug """
         self.print_debug(True, 'test')
         self.assertTrue(mock_print.called)
 
-    def test_177_jwk_thumbprint_get(self):
+    def test_187_jwk_thumbprint_get(self):
         """ test jwk_thumbprint_get with empty pubkey """
         pub_key = None
         self.assertFalse(self.jwk_thumbprint_get(self.logger, pub_key))
 
     @patch('jwcrypto.jwk.JWK')
-    def test_178_jwk_thumbprint_get(self, mock_jwk):
+    def test_188_jwk_thumbprint_get(self, mock_jwk):
         """ test jwk_thumbprint_get with  pubkey """
         pub_key = {'pub_key': 'pub_key'}
         mock_jwk = Mock()
         self.assertTrue(self.jwk_thumbprint_get(self.logger, pub_key))
 
     @patch('jwcrypto.jwk.JWK')
-    def test_179_jwk_thumbprint_get(self, mock_jwk):
+    def test_189_jwk_thumbprint_get(self, mock_jwk):
         """ test jwk_thumbprint_get with  pubkey """
         pub_key = {'pub_key': 'pub_key'}
         mock_jwk.side_effect = Exception('exc_jwk_jwk')
@@ -1352,11 +1519,11 @@ def test_179_jwk_thumbprint_get(self, mock_jwk):
         self.assertIn('ERROR:test_a2c:jwk_thumbprint_get(): error: exc_jwk_jwk', lcm.output)
 
     @patch('socket.AF_INET')
-    def test_180_allowed_gai_family(self, mock_sock):
+    def test_190_allowed_gai_family(self, mock_sock):
         """ test allowed_gai_family """
         self.assertTrue(self.allowed_gai_family())
 
-    def test_181_validate_csr(self):
+    def test_191_validate_csr(self):
         """ patched_create_connection """
         self.assertTrue(self.validate_csr(self.logger, 'oder_dic', 'csr'))
 
@@ -1364,7 +1531,7 @@ def test_181_validate_csr(self):
     @patch('ssl.DER_cert_to_PEM_cert')
     @patch('ssl.SSLContext.wrap_socket')
     @patch('socks.socksocket')
-    def test_182_servercert_get(self, mock_sock, mock_context, mock_cert, mock_convert):
+    def test_192_servercert_get(self, mock_sock, mock_context, mock_cert, mock_convert):
         """ test servercert get """
         mock_convert.return_value = ('proxy_proto', 'proxy_addr', 'proxy_port')
         mock_sock = Mock()
@@ -1378,7 +1545,7 @@ def test_182_servercert_get(self, mock_sock, mock_context, mock_cert, mock_conve
     @patch('ssl.SSLContext.wrap_socket')
     @patch('socket.socket')
     @patch('socks.socksocket')
-    def test_183_servercert_get(self, mock_sock, mock_ssock, mock_context, mock_cert, mock_convert, mock_ipchk):
+    def test_193_servercert_get(self, mock_sock, mock_ssock, mock_context, mock_cert, mock_convert, mock_ipchk):
         """ test servercert get ippv6 """
         mock_convert.return_value = ('proxy_proto', 'proxy_addr', 'proxy_port')
         mock_ipchk.return_value = True
@@ -1393,7 +1560,7 @@ def test_183_servercert_get(self, mock_sock, mock_ssock, mock_context, mock_cert
     @patch('ssl.SSLContext.wrap_socket')
     @patch('socket.socket')
     @patch('socks.socksocket')
-    def test_184_servercert_get(self, mock_sock, mock_ssock, mock_context, mock_cert, mock_convert):
+    def test_194_servercert_get(self, mock_sock, mock_ssock, mock_context, mock_cert, mock_convert):
         """ test servercert get with proxy """
         mock_convert.return_value = ('proxy_proto', 'proxy_addr', 'proxy_port')
         mock_context = Mock()
@@ -1405,7 +1572,7 @@ def test_184_servercert_get(self, mock_sock, mock_ssock, mock_context, mock_cert
     @patch('ssl.DER_cert_to_PEM_cert')
     @patch('ssl.SSLContext.wrap_socket')
     @patch('socks.socksocket')
-    def test_185_servercert_get(self, mock_sock, mock_context, mock_cert):
+    def test_195_servercert_get(self, mock_sock, mock_context, mock_cert):
         """ test servercert exception """
         mock_sock = Mock()
         mock_context.side_effect = Exception('exc_warp_sock')
@@ -1415,9 +1582,24 @@ def test_185_servercert_get(self, mock_sock, mock_context, mock_cert):
         self.assertFalse(mock_cert.called)
         self.assertIn('ERROR:test_a2c:servercert_get() failed with: exc_warp_sock', lcm.output)
 
+    @patch('ssl.TLSVersion')
+    @patch('acme_srv.helper.proxystring_convert')
+    @patch('ssl.DER_cert_to_PEM_cert')
+    @patch('ssl.SSLContext.wrap_socket')
+    @patch('socks.socksocket')
+    def test_196_servercert_get(self, mock_sock, mock_context, mock_cert, mock_convert, map_min_version):
+        """ test servercert get """
+        mock_convert.return_value = ('proxy_proto', 'proxy_addr', 'proxy_port')
+        mock_sock = Mock()
+        mock_context = Mock()
+        mock_cert.return_value = 'foo'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('foo', self.servercert_get(self.logger, 'hostname'))
+        self.assertIn('ERROR:test_a2c:servercert_get(): minimum_version not supported', lcm.output)
+
     @patch('dns.resolver.Resolver')
     @patch('dns.resolver.resolve')
-    def test_186_txt_get(self, mock_resolve, mock_res):
+    def test_197_txt_get(self, mock_resolve, mock_res):
         """ successful dns-query returning one txt record """
         resp_obj = Mock()
         resp_obj.strings = ['foo', 'bar']
@@ -1426,7 +1608,7 @@ def test_186_txt_get(self, mock_resolve, mock_res):
         self.assertTrue(mock_res.called)
 
     @patch('dns.resolver.resolve')
-    def test_187_txt_get(self, mock_resolve):
+    def test_198_txt_get(self, mock_resolve):
         """ successful dns-query returning one txt record """
         resp_obj = Mock()
         resp_obj.strings = ['foo', 'bar']
@@ -1434,7 +1616,7 @@ def test_187_txt_get(self, mock_resolve):
         self.assertEqual(['foo'], self.txt_get(self.logger, 'foo'))
 
     @patch('dns.resolver.resolve')
-    def test_188_txt_get(self, mock_resolve):
+    def test_199_txt_get(self, mock_resolve):
         """ successful dns-query returning one txt record """
         resp_obj1 = Mock()
         resp_obj1.strings = ['foo1', 'bar1']
@@ -1444,136 +1626,136 @@ def test_188_txt_get(self, mock_resolve):
         self.assertEqual(['foo1', 'foo2'], self.txt_get(self.logger, 'foo'))
 
     @patch('dns.resolver.resolve')
-    def test_189_txt_get(self, mock_resolve):
+    def test_200_txt_get(self, mock_resolve):
         """ successful dns-query returning one txt record """
         mock_resolve.side_effect = Exception('mock_resolve')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertFalse(self.txt_get(self.logger, 'foo'))
         self.assertIn('ERROR:test_a2c:txt_get() error: mock_resolve', lcm.output)
 
-    def test_190_proxystring_convert(self):
+    def test_201_proxystring_convert(self):
         """ convert proxy_string http """
         self.assertEqual((3, 'proxy', 8080), self.proxystring_convert(self.logger, 'http://proxy:8080'))
 
-    def test_191_proxystring_convert(self):
+    def test_202_proxystring_convert(self):
         """ convert proxy_string socks4 """
         self.assertEqual((1, 'proxy', 8080), self.proxystring_convert(self.logger, 'socks4://proxy:8080'))
 
-    def test_192_proxystring_convert(self):
+    def test_203_proxystring_convert(self):
         """ convert proxy_string socks5 """
         self.assertEqual((2, 'proxy', 8080), self.proxystring_convert(self.logger, 'socks5://proxy:8080'))
 
-    def test_193_proxystring_convert(self):
+    def test_204_proxystring_convert(self):
         """ convert proxy_string unknown protocol """
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, 'proxy', 8080), self.proxystring_convert(self.logger, 'unk://proxy:8080'))
         self.assertIn('ERROR:test_a2c:proxystring_convert(): unknown proxy protocol: unk', lcm.output)
 
-    def test_194_proxystring_convert(self):
+    def test_205_proxystring_convert(self):
         """ convert proxy_string unknown protocol """
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((3, 'proxy', None), self.proxystring_convert(self.logger, 'http://proxy:ftp'))
         self.assertIn('ERROR:test_a2c:proxystring_convert(): unknown proxy port: ftp', lcm.output)
 
-    def test_195_proxystring_convert(self):
+    def test_206_proxystring_convert(self):
         """ convert proxy_string porxy sting without protocol """
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, None, None), self.proxystring_convert(self.logger, 'proxy'))
         self.assertIn('ERROR:test_a2c:proxystring_convert(): error splitting proxy_server string: proxy',  lcm.output)
         self.assertIn('ERROR:test_a2c:proxystring_convert(): proxy_proto (None), proxy_addr (None) or proxy_port (None) missing', lcm.output)
 
-    def test_196_proxystring_convert(self):
+    def test_207_proxystring_convert(self):
         """ convert proxy_string porxy sting without port """
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.assertEqual((None, None, None), self.proxystring_convert(self.logger, 'http://proxy'))
         self.assertIn('ERROR:test_a2c:proxystring_convert(): error splitting proxy into host/port: proxy', lcm.output)
         self.assertIn('ERROR:test_a2c:proxystring_convert(): proxy_proto (http), proxy_addr (None) or proxy_port (None) missing', lcm.output)
 
-    def test_197_proxy_check(self):
+    def test_208_proxy_check(self):
         """ check proxy for empty list  """
         fqdn = 'foo.bar.local'
         proxy_list = {}
         self.assertFalse(self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_198_proxy_check(self):
+    def test_209_proxy_check(self):
         """ check proxy - no match """
         fqdn = 'foo.bar.local'
         proxy_list = {'foo1.bar.local': 'proxy_match'}
         self.assertFalse(self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_199_proxy_check(self):
+    def test_210_proxy_check(self):
         """ check proxy - single entry """
         fqdn = 'foo.bar.local'
         proxy_list = {'foo.bar.local': 'proxy_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_200_proxy_check(self):
+    def test_211_proxy_check(self):
         """ check proxy  - multiple entry """
         fqdn = 'foo.bar.local'
         proxy_list = {'bar.bar.local': 'proxy_nomatch', 'foo.bar.local': 'proxy_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_201_proxy_check(self):
+    def test_212_proxy_check(self):
         """ check proxy  -  multiple entrie domain match"""
         fqdn = 'foo.bar.local'
         proxy_list = {'bar.bar.local': 'proxy_nomatch', 'bar.local$': 'proxy_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_202_proxy_check(self):
+    def test_213_proxy_check(self):
         """ check proxy for empty list  multiple entrie domain match"""
         fqdn = 'foo.bar.local'
         proxy_list = {'bar.local$': 'proxy_nomatch', 'foo.bar.local$': 'proxy_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_203_proxy_check(self):
+    def test_214_proxy_check(self):
         """ check proxy - multiple entrie domain match"""
         fqdn = 'foo.bar.local'
         proxy_list = {'bar.local$': 'proxy_match', 'foo1.bar.local$': 'proxy_nomatch'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_204_proxy_check(self):
+    def test_215_proxy_check(self):
         """ check proxy - wildcard """
         fqdn = 'foo.bar.local'
         proxy_list = {'foo1.bar.local$': 'proxy_nomatch', '*.bar.local$': 'proxy_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_205_proxy_check(self):
+    def test_216_proxy_check(self):
         """ check proxy - wildcard """
         fqdn = 'foo.bar.local'
         proxy_list = {'.local$': 'proxy_nomatch', '*.bar.local$': 'proxy_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_206_proxy_check(self):
+    def test_217_proxy_check(self):
         """ check proxy - wildcard """
         fqdn = 'local'
         proxy_list = {'local$': 'proxy_match', '*.bar.local$': 'proxy_no_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_207_proxy_check(self):
+    def test_218_proxy_check(self):
         """ check proxy - wildcard """
         fqdn = 'foo.bar.local'
         proxy_list = {'*': 'wildcard', 'notlocal$': 'proxy_no_match', '*.notbar.local$': 'proxy_no_match'}
         self.assertEqual('wildcard', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_208_handle_exception(self):
+    def test_219_handle_exception(self):
         """ test exception handler """
         exc_type = FakeDBStore
         exc_value = Mock()
         exc_traceback = Mock()
         self.handle_exception(exc_type, exc_value, exc_traceback)
 
-    def test_209_proxy_check(self):
+    def test_220_proxy_check(self):
         """ check proxy - wildcard """
         fqdn = 'foo.bar.local'
         proxy_list = {'*.bar.local$': 'proxy_match'}
         self.assertEqual('proxy_match', self.proxy_check(self.logger, fqdn, proxy_list))
 
-    def test_210_ca_handler_load(self):
+    def test_221_ca_handler_load(self):
         """ test ca_handler_load """
         config_dic = {'foo': 'bar'}
         self.assertFalse(self.ca_handler_load(self.logger, config_dic))
 
-    def test_211_ca_handler_load(self):
+    def test_222_ca_handler_load(self):
         """ test ca_handler_load """
         config_dic = {'foo': 'bar'}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -1581,7 +1763,7 @@ def test_211_ca_handler_load(self):
         self.assertIn('ERROR:test_a2c:Helper.ca_handler_load(): CAhandler configuration missing in config file', lcm.output)
 
     @patch('importlib.import_module')
-    def test_212_ca_handler_load(self, mock_imp):
+    def test_223_ca_handler_load(self, mock_imp):
         """ test ca_handler_load """
         config_dic = {'CAhandler': {'foo': 'bar'}}
         mock_imp.side_effect = Exception('exc_mock_imp')
@@ -1590,14 +1772,14 @@ def test_212_ca_handler_load(self, mock_imp):
         self.assertIn('CRITICAL:test_a2c:Helper.ca_handler_load(): loading default CAhandler failed with err: exc_mock_imp', lcm.output)
 
     @patch('importlib.import_module')
-    def test_213_ca_handler_load(self, mock_imp):
+    def test_224_ca_handler_load(self, mock_imp):
         """ test ca_handler_load """
         config_dic = {'CAhandler': {'foo': 'bar'}}
         mock_imp.return_value = 'foo'
         self.assertEqual('foo', self.ca_handler_load(self.logger, config_dic))
 
     @patch('importlib.util')
-    def test_214_ca_handler_load(self, mock_util):
+    def test_225_ca_handler_load(self, mock_util):
         """ test ca_handler_load """
         config_dic = {'CAhandler': {'handler_file': 'foo'}}
         mock_util.module_from_spec = Mock(return_value='foo')
@@ -1605,7 +1787,7 @@ def test_214_ca_handler_load(self, mock_util):
 
     @patch('importlib.import_module')
     @patch('importlib.util')
-    def test_215_ca_handler_load(self, mock_util, mock_imp):
+    def test_226_ca_handler_load(self, mock_util, mock_imp):
         """ test ca_handler_load """
         config_dic = {'CAhandler': {'handler_file': 'foo'}}
         mock_util.module_from_spec.side_effect = Exception('exc_mock_util')
@@ -1616,7 +1798,7 @@ def test_215_ca_handler_load(self, mock_util, mock_imp):
 
     @patch('importlib.import_module')
     @patch('importlib.util')
-    def test_216_ca_handler_load(self, mock_util, mock_imp):
+    def test_227_ca_handler_load(self, mock_util, mock_imp):
         """ test ca_handler_load """
         config_dic = {'CAhandler': {'handler_file': 'foo'}}
         mock_util.module_from_spec.side_effect = Exception('exc_mock_util')
@@ -1625,7 +1807,7 @@ def test_216_ca_handler_load(self, mock_util, mock_imp):
             self.assertFalse(self.ca_handler_load(self.logger, config_dic))
         self.assertIn('CRITICAL:test_a2c:Helper.ca_handler_load(): loading default CAhandler failed with err: exc_mock_imp', lcm.output)
 
-    def test_217_eab_handler_load(self):
+    def test_228_eab_handler_load(self):
         """ test eab_handler_load """
         config_dic = {'foo': 'bar'}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -1633,7 +1815,7 @@ def test_217_eab_handler_load(self):
         self.assertIn('ERROR:test_a2c:Helper.eab_handler_load(): EABhandler configuration missing in config file', lcm.output)
 
     @patch('importlib.import_module')
-    def test_218_eab_handler_load(self, mock_imp):
+    def test_229_eab_handler_load(self, mock_imp):
         """ test eab_handler_load """
         config_dic = {'EABhandler': {'foo': 'bar'}}
         mock_imp.side_effect = Exception('exc_mock_imp')
@@ -1642,14 +1824,14 @@ def test_218_eab_handler_load(self, mock_imp):
         self.assertIn('CRITICAL:test_a2c:Helper.eab_handler_load(): loading default EABhandler failed with err: exc_mock_imp', lcm.output)
 
     @patch('importlib.import_module')
-    def test_219_eab_handler_load(self, mock_imp):
+    def test_230_eab_handler_load(self, mock_imp):
         """ test eab_handler_load """
         config_dic = {'EABhandler': {'foo': 'bar'}}
         mock_imp.return_value = 'foo'
         self.assertEqual('foo', self.eab_handler_load(self.logger, config_dic))
 
     @patch('importlib.util')
-    def test_220_eab_handler_load(self, mock_util):
+    def test_231_eab_handler_load(self, mock_util):
         """ test eab_handler_load """
         config_dic = {'EABhandler': {'eab_handler_file': 'foo'}}
         mock_util.module_from_spec = Mock(return_value='foo')
@@ -1657,7 +1839,7 @@ def test_220_eab_handler_load(self, mock_util):
 
     @patch('importlib.import_module')
     @patch('importlib.util')
-    def test_221_eab_handler_load(self, mock_util, mock_imp):
+    def test_232_eab_handler_load(self, mock_util, mock_imp):
         """ test eab_handler_load """
         config_dic = {'EABhandler': {'eab_handler_file': 'foo'}}
         mock_util.module_from_spec.side_effect = Exception('exc_mock_util')
@@ -1668,7 +1850,7 @@ def test_221_eab_handler_load(self, mock_util, mock_imp):
 
     @patch('importlib.import_module')
     @patch('importlib.util')
-    def test_222_eab_handler_load(self, mock_util, mock_imp):
+    def test_233_eab_handler_load(self, mock_util, mock_imp):
         """ test eab_handler_load """
         config_dic = {'EABhandler': {'eab_handler_file': 'foo'}}
         mock_util.module_from_spec.side_effect = Exception('exc_mock_util')
@@ -1677,18 +1859,18 @@ def test_222_eab_handler_load(self, mock_util, mock_imp):
             self.assertFalse(self.eab_handler_load(self.logger, config_dic))
         self.assertIn('CRITICAL:test_a2c:Helper.eab_handler_load(): loading default EABhandler failed with err: exc_mock_imp', lcm.output)
 
-    def test_223_hooks_load(self):
+    def test_234_hooks_load(self):
         """ test hooks load with empty config_dic """
         config_dic = {}
         self.assertFalse(self.hooks_load(self.logger, config_dic))
 
-    def test_224_hooks_load(self):
+    def test_235_hooks_load(self):
         """ test hooks load with hooks but no hooks_file in config_dic """
         config_dic = {'Hooks': {'foo': 'bar'}}
         self.assertFalse(self.hooks_load(self.logger, config_dic))
 
     @patch('importlib.util')
-    def test_225_hooks_load(self, mock_util):
+    def test_236_hooks_load(self, mock_util):
         """ test hooks load with hooks but no hooks_file in  config_dic """
         config_dic = {'Hooks': {'hooks_file': 'bar'}}
         mock_util.module_from_spec = Mock(return_value='foo')
@@ -1697,7 +1879,7 @@ def test_225_hooks_load(self, mock_util):
         self.assertTrue(mock_util.module_from_spec.called)
 
     @patch('importlib.util')
-    def test_226_hooks_load(self, mock_util):
+    def test_237_hooks_load(self, mock_util):
         """ test hooks load with hooks but no hooks_file in  config_dic """
         config_dic = {'Hooks': {'hooks_file': 'bar'}}
         mock_util.module_from_spec = Exception('exc_mock_util')
@@ -1705,7 +1887,7 @@ def test_226_hooks_load(self, mock_util):
             self.assertFalse(self.hooks_load(self.logger, config_dic))
         self.assertIn("CRITICAL:test_a2c:Helper.hooks_load(): loading Hooks configured in cfg failed with err: 'Exception' object is not callable", lcm.output)
 
-    def test_227_error_dic_get(self):
+    def test_238_error_dic_get(self):
         """ test error_dic_get """
         result = {
             'badcsr': 'urn:ietf:params:acme:error:badCSR',
@@ -1721,67 +1903,68 @@ def test_227_error_dic_get(self):
             'unsupportedidentifier': 'urn:ietf:params:acme:error:unsupportedIdentifier',
             'ordernotready': 'urn:ietf:params:acme:error:orderNotReady',
             'ratelimited': 'urn:ietf:params:acme:error:rateLimited',
-            'badrevocationreason': 'urn:ietf:params:acme:error:badRevocationReason'}
+            'badrevocationreason': 'urn:ietf:params:acme:error:badRevocationReason',
+            'rejectedidentifier': 'urn:ietf:params:acme:error:rejectedIdentifier'}
         self.assertEqual(result, self.error_dic_get(self.logger))
 
-    def test_228_logger_nonce_modify(self):
+    def test_239_logger_nonce_modify(self):
         """ test _logger_nonce_modify() """
         data_dic = {'foo': 'bar'}
         self.assertEqual({'foo': 'bar'}, self.logger_nonce_modify(data_dic))
 
-    def test_229_logger_nonce_modify(self):
+    def test_240_logger_nonce_modify(self):
         """ test _logger_nonce_modify() """
         data_dic = {'foo': 'bar', 'header': {'foo': 'bar'}}
         self.assertEqual({'foo': 'bar', 'header': {'foo': 'bar'}}, self.logger_nonce_modify(data_dic))
 
-    def test_230_logger_nonce_modify(self):
+    def test_241_logger_nonce_modify(self):
         """ test _logger_nonce_modify() """
         data_dic = {'foo': 'bar', 'header': {'Replay-Nonce': 'bar'}}
         self.assertEqual({'foo': 'bar', 'header': {'Replay-Nonce': '- modified -'}}, self.logger_nonce_modify(data_dic))
 
-    def test_231_logger_certificate_modify(self):
+    def test_242_logger_certificate_modify(self):
         """ test _logger_certificate_modify() """
         data_dic = {'data': 'bar'}
         self.assertEqual({'data': 'bar'}, self.logger_certificate_modify(data_dic, 'locator'))
 
-    def test_232_logger_certificate_modify(self):
+    def test_243_logger_certificate_modify(self):
         """ test _logger_certificate_modify() """
         data_dic = {'data': 'bar'}
         self.assertEqual({'data': ' - certificate - '}, self.logger_certificate_modify(data_dic, 'foo/acme/cert'))
 
-    def test_233_logger_token_modify(self):
+    def test_244_logger_token_modify(self):
         """ test _logger_token_modify() """
         data_dic = {'data': 'bar'}
         self.assertEqual({'data': 'bar'}, self.logger_token_modify(data_dic))
 
-    def test_234_logger_token_modify(self):
+    def test_245_logger_token_modify(self):
         """ test _logger_token_modify() """
         data_dic = {'data': {'token': 'token'}}
         self.assertEqual({'data': {'token': '- modified -'}}, self.logger_token_modify(data_dic))
 
-    def test_235_logger_challenges_modify(self):
+    def test_246_logger_challenges_modify(self):
         """ test _logger_challenges_modify() """
         data_dic = {'data': 'bar'}
         self.assertEqual({'data': 'bar'}, self.logger_challenges_modify(data_dic))
 
-    def test_236_logger_challenges_modify(self):
+    def test_247_logger_challenges_modify(self):
         """ test _logger_challenges_modify() """
         data_dic = {'data': {'challenges': [{'token': 'token1'}]}}
         self.assertEqual({'data': {'challenges': [{'token': '- modified - '}]}}, self.logger_challenges_modify(data_dic))
 
-    def test_237_logger_challenges_modify(self):
+    def test_248_logger_challenges_modify(self):
         """ test _logger_challenges_modify() """
         data_dic = {'data': {'challenges': [{'token': 'token1'}, {'token': 'token2'}]}}
         self.assertEqual({'data': {'challenges': [{'token': '- modified - '}, {'token': '- modified - '}]}}, self.logger_challenges_modify(data_dic))
 
-    def test_238_config_check(self):
+    def test_249_config_check(self):
         """ test config check """
         config_dic = {'foo': {'bar': '"foobar"'}}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.config_check(self.logger, config_dic)
         self.assertIn('WARNING:test_a2c:config_check(): section foo option: bar contains " characters. Check if this is really needed!', lcm.output)
 
-    def test_239_helper_cert_cn_get(self):
+    def test_250_helper_cert_cn_get(self):
         """ get cn of csr """
         cert = """MIIDDTCCAfWgAwIBAgIBCjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9mb28u
                 ZXhhbXBsZS5jb20wHhcNMTkwMTIwMTY1OTIwWhcNMTkwMjE5MTY1OTIwWjAaMRgw
@@ -1802,64 +1985,64 @@ def test_239_helper_cert_cn_get(self):
                 t+eRUDECE+0UnjyeCjTn3EU="""
         self.assertEqual('foo.example.com', self.cert_cn_get(self.logger, cert))
 
-    def test_240_logger_challenges_modify(self):
+    def test_251_logger_challenges_modify(self):
         """ test string_sanitize() """
         unsafe_string = 'foo'
         self.assertEqual('foo', self.string_sanitize(self.logger, unsafe_string))
 
-    def test_241_logger_challenges_modify(self):
+    def test_252_logger_challenges_modify(self):
         """ test string_sanitize() """
         unsafe_string = 'foo\n;'
         self.assertEqual('foo;', self.string_sanitize(self.logger, unsafe_string))
 
-    def test_242_logger_challenges_modify(self):
+    def test_253_logger_challenges_modify(self):
         """ test string_sanitize() """
         unsafe_string = 'fooö'
         self.assertEqual('foo', self.string_sanitize(self.logger, unsafe_string))
 
-    def test_243_logger_challenges_modify(self):
+    def test_254_logger_challenges_modify(self):
         """ test string_sanitize() """
         unsafe_string = 'fooö'
         self.assertEqual('foo', self.string_sanitize(self.logger, unsafe_string))
 
-    def test_244_logger_challenges_modify(self):
+    def test_255_logger_challenges_modify(self):
         """ test string_sanitize() """
         unsafe_string = 'foo    '
         self.assertEqual('foo ', self.string_sanitize(self.logger, unsafe_string))
 
-    def test_245_logger_challenges_modify(self):
+    def test_256_logger_challenges_modify(self):
         """ test string_sanitize() """
         unsafe_string = 'foo\u0009'
         self.assertEqual('foo ', self.string_sanitize(self.logger, unsafe_string))
 
-    def test_246_pembundle_to_list(self):
+    def test_257_pembundle_to_list(self):
         """ bundle to list """
         pembundle_to_list = 'foo'
         self.assertFalse(self.pembundle_to_list(self.logger, pembundle_to_list))
 
-    def test_247_pembundle_to_list(self):
+    def test_258_pembundle_to_list(self):
         """ bundle to list """
         pembundle_to_list = '-----BEGIN CERTIFICATE-----foo'
         self.assertEqual(['-----BEGIN CERTIFICATE-----foo\n'], self.pembundle_to_list(self.logger, pembundle_to_list))
 
-    def test_248_pembundle_to_list(self):
+    def test_259_pembundle_to_list(self):
         """ bundle to list """
         pembundle_to_list = '-----BEGIN CERTIFICATE-----foo\n-----BEGIN CERTIFICATE-----foo1'
         self.assertEqual(['-----BEGIN CERTIFICATE-----foo\n', '-----BEGIN CERTIFICATE-----foo1\n'], self.pembundle_to_list(self.logger, pembundle_to_list))
 
-    def test_249_certid_check(self):
+    def test_260_certid_check(self):
         """ test certid_check """
         certid = 'e181efbe6f7ae3ea71c78fc99e4226d7185715be3d289eaa56801dff4696ca4d0420ae0dcf53345691826b81d093e9c7588c35dd5ec5eacf5b1b2606330515d5faf402082cca85f640d54142'
         renewal_info = 'MFswCwYJYIZIAWUDBAIBBCDhge--b3rj6nHHj8meQibXGFcVvj0onqpWgB3_RpbKTQQgrg3PUzRWkYJrgdCT6cdYjDXdXsXqz1sbJgYzBRXV-vQCCCzKhfZA1UFC'
         self.assertTrue(self.certid_check(self.logger, renewal_info, certid))
 
-    def test_250_certid_check(self):
+    def test_261_certid_check(self):
         """ test certid_check """
         certid = 'false'
         renewal_info = 'MFswCwYJYIZIAWUDBAIBBCDhge--b3rj6nHHj8meQibXGFcVvj0onqpWgB3_RpbKTQQgrg3PUzRWkYJrgdCT6cdYjDXdXsXqz1sbJgYzBRXV-vQCCCzKhfZA1UFC'
         self.assertFalse(self.certid_check(self.logger, renewal_info, certid))
 
-    def test_251_certid_asn1_get(self):
+    def test_262_certid_asn1_get(self):
         """ test certid_asn1_get()"""
 
         cert_pem = '''-----BEGIN CERTIFICATE-----
@@ -1918,51 +2101,51 @@ def test_251_certid_asn1_get(self):
         result = 'e181efbe6f7ae3ea71c78fc99e4226d7185715be3d289eaa56801dff4696ca4d0420ae0dcf53345691826b81d093e9c7588c35dd5ec5eacf5b1b2606330515d5faf402082cca85f640d54142'
         self.assertEqual(result, self.certid_asn1_get(self.logger, cert_pem, issuer_pem))
 
-    def test_252_certid_hex_get(self):
+    def test_263_certid_hex_get(self):
         """ test certid_check """
         certid = 'false'
         renewal_info = 'MFswCwYJYIZIAWUDBAIBBCDhge--b3rj6nHHj8meQibXGFcVvj0onqpWgB3_RpbKTQQgrg3PUzRWkYJrgdCT6cdYjDXdXsXqz1sbJgYzBRXV-vQCCCzKhfZA1UFC'
         self.assertEqual(('300b0609608648016503040201', 'e181efbe6f7ae3ea71c78fc99e4226d7185715be3d289eaa56801dff4696ca4d0420ae0dcf53345691826b81d093e9c7588c35dd5ec5eacf5b1b2606330515d5faf402082cca85f640d54142'), self.certid_hex_get(self.logger, renewal_info))
 
     @patch('acme_srv.helper.USER_AGENT', 'FOOBAR')
-    def test_253_v6_adjust(self):
+    def test_264_v6_adjust(self):
         """ test v6_adjust() """
         url = 'http://www.foo.bar'
         self.assertEqual(({'Connection': 'close', 'Accept-Encoding': 'gzip', 'User-Agent': 'FOOBAR'}, 'http://www.foo.bar'), self.v6_adjust(self.logger, url))
 
     @patch('acme_srv.helper.USER_AGENT', 'FOOBAR')
-    def test_254_v6_adjust(self):
+    def test_265_v6_adjust(self):
         """ test v6_adjust() """
         url = 'http://192.168.123.10'
         self.assertEqual(({'Connection': 'close', 'Accept-Encoding': 'gzip', 'User-Agent': 'FOOBAR'}, 'http://192.168.123.10'), self.v6_adjust(self.logger, url))
 
     @patch('acme_srv.helper.USER_AGENT', 'FOOBAR')
-    def test_255_v6_adjust(self):
+    def test_266_v6_adjust(self):
         """ test v6_adjust() """
         url = 'http://fe80::215:5dff:fec0:102'
         self.assertEqual(({'Connection': 'close', 'Accept-Encoding': 'gzip', 'User-Agent': 'FOOBAR', 'Host': 'fe80::215:5dff:fec0:102'}, 'http://[fe80::215:5dff:fec0:102]/'), self.v6_adjust(self.logger, url))
 
-    def test_256_ipv6_chk(self):
+    def test_267_ipv6_chk(self):
         """ test ipv6_chk()"""
         addr_obj = 'fe80::215:5dff:fec0:102'
         self.assertTrue(self.ipv6_chk(self.logger, addr_obj))
 
-    def test_257_ipv6_chk(self):
+    def test_268_ipv6_chk(self):
         """ test ipv6_chk()"""
         addr_obj = 'foo.bar.local'
         self.assertFalse(self.ipv6_chk(self.logger, addr_obj))
 
-    def test_258_ipv6_chk(self):
+    def test_269_ipv6_chk(self):
         """ test ipv6_chk()"""
         addr_obj = '192.168.123.10'
         self.assertFalse(self.ipv6_chk(self.logger, addr_obj))
 
-    def test_259_ipv6_chk(self):
+    def test_270_ipv6_chk(self):
         """ test ipv6_chk()"""
         addr_obj = None
         self.assertFalse(self.ipv6_chk(self.logger, addr_obj))
 
-    def test_260_header_info_get(self):
+    def test_271_header_info_get(self):
         """ header_info_get () """
         models_mock = MagicMock()
         models_mock.DBstore().certificates_search.return_value = ('foo', 'bar')
@@ -1970,7 +2153,7 @@ def test_260_header_info_get(self):
         patch.dict('sys.modules', modules).start()
         self.assertEqual(['foo', 'bar'], self.header_info_get(self.logger, 'csr'))
 
-    def test_261_header_info_get(self):
+    def test_272_header_info_get(self):
         """ header_info_get () """
         models_mock = MagicMock()
         models_mock.DBstore().certificates_search.side_effect = Exception('mock_search')
@@ -1980,5 +2163,1063 @@ def test_261_header_info_get(self):
             self.assertFalse(self.header_info_get(self.logger, 'csr'))
         self.assertIn('ERROR:test_a2c:Helper.header_info_get(): error: mock_search', lcm.output)
 
+    def test_273_encode_url(self):
+        # Test with a simple URL
+        url = "www.example.com"
+        self.assertEqual(url, self.encode_url(self.logger, url))
+
+    def test_274_encode_url(self):
+        # Test with a URL containing spaces
+        url = "www.example.com/hello world"
+        self.assertEqual('www.example.com/hello%20world', self.encode_url(self.logger, url))
+
+    def test_275_encode_url(self):
+        # Test with a URL containing special characters
+        url = "www.example.com/hello@world?foo=bar&bar=foo"
+        self.assertEqual('www.example.com/hello%40world%3Ffoo%3Dbar%26bar%3Dfoo', self.encode_url(self.logger, url))
+
+    def test_276_uts_now(self):
+        """ test uts_now() """
+        self.assertIsInstance(self.uts_now(), int)
+
+    def test_277_ip_validate(self):
+        """ test ip validate """
+        self.assertEqual(('1.0.0.10.in-addr.arpa', False), self.ip_validate(self.logger, '10.0.0.1'))
+
+    def test_278_ip_validate(self):
+        """ test ip validate """
+        self.assertEqual((None, True), self.ip_validate(self.logger, '1000.0.0.1'))
+
+    def test_279_cert_ski_get(self):
+        """ test cert_san_get for a multiple SAN of type DNS"""
+        cert = """MIIDIzCCAgugAwIBAgICBZgwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAxMPZm9v
+                LmV4YW1wbGUuY29tMB4XDTE5MDEyMDE3MDkxMVoXDTE5MDIxOTE3MDkxMVowGjEY
+                MBYGA1UEAxMPZm9vLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+                MIIBCgKCAQEA+EM+gzAyjegQSRbJI+qZJhuAGM9i48xvIfuOQHleXoJPjV+8VZRV
+                KDljZNXdNT5Zi7K6HY9C622NOV7QefB6zTtm6mSY08ypNsaeorhIvJdnpaJ9gAGH
+                YeQqJ04fL099kiRXJAv8gT8wdpiekg2KEU4wlXMIRfSHiiB37yjcqUzXl6XYYKGe
+                2USMpDfliXL3o8TW2KByGUdCzXUdNbMgzRXwYxkX2+xV2f0vn8NyXHiHg9yJRof2
+                HTjyvAcXN5Nr987slq/Ex5lXLtpB861Ov3ZbwxyzREjmreZBlze7KTfP5IY66XuN
+                Mvhi7AAs0cLTd3SNjpppE/yvUi5q5gfhXQIDAQABo3MwcTAfBgNVHSMEGDAWgBSl
+                YnpKQw12MmEMpvsTEeQi17UsnDAdBgNVHQ4EFgQUpWJ6SkMNdjJhDKb7ExHkIte1
+                LJwwLwYDVR0RBCgwJoIRZm9vLTIuZXhhbXBsZS5jb22CEWZvby0xLmV4YW1wbGUu
+                Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQASA20TtMPXIHH10dikLhFuI14EOtZzXvCx
+                kGlJw9/5JuvVKLsL1wd8BC9o/lg8apDqsrDZ/+0Nc8g3Z9HRN99vcLsVDdT27DkM
+                BslfXdN/qBhKAp3m7jw29uijX5fss+Wz9iHfHciUjVyMJ4DoFxHYPbMWQG8XEUKR
+                TP6Gp79DzCiPKFt52Y8yVikIET4fnyRzU8kGKLuPoIt+EQQzpG26qWAjeNHAASEM
+                keiA+tedMWzydX52B+tGg+l2svxg34apIBDjK8pF+8ZxTt5yjVUa10GbpffJuiEh
+                NWQddOR8IHg+v6lWc9BtuuKK5ubsg6XOiEjhhr42AKViKalX1i4+"""
+        self.assertEqual('a5627a4a430d7632610ca6fb1311e422d7b52c9c', self.cert_ski_get(self.logger, cert))
+
+    def test_280_cert_ski_pyopenssl_get(self):
+        """ test cert_san_get for a multiple SAN of type DNS"""
+        cert = """MIIDIzCCAgugAwIBAgICBZgwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAxMPZm9v
+                LmV4YW1wbGUuY29tMB4XDTE5MDEyMDE3MDkxMVoXDTE5MDIxOTE3MDkxMVowGjEY
+                MBYGA1UEAxMPZm9vLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+                MIIBCgKCAQEA+EM+gzAyjegQSRbJI+qZJhuAGM9i48xvIfuOQHleXoJPjV+8VZRV
+                KDljZNXdNT5Zi7K6HY9C622NOV7QefB6zTtm6mSY08ypNsaeorhIvJdnpaJ9gAGH
+                YeQqJ04fL099kiRXJAv8gT8wdpiekg2KEU4wlXMIRfSHiiB37yjcqUzXl6XYYKGe
+                2USMpDfliXL3o8TW2KByGUdCzXUdNbMgzRXwYxkX2+xV2f0vn8NyXHiHg9yJRof2
+                HTjyvAcXN5Nr987slq/Ex5lXLtpB861Ov3ZbwxyzREjmreZBlze7KTfP5IY66XuN
+                Mvhi7AAs0cLTd3SNjpppE/yvUi5q5gfhXQIDAQABo3MwcTAfBgNVHSMEGDAWgBSl
+                YnpKQw12MmEMpvsTEeQi17UsnDAdBgNVHQ4EFgQUpWJ6SkMNdjJhDKb7ExHkIte1
+                LJwwLwYDVR0RBCgwJoIRZm9vLTIuZXhhbXBsZS5jb22CEWZvby0xLmV4YW1wbGUu
+                Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQASA20TtMPXIHH10dikLhFuI14EOtZzXvCx
+                kGlJw9/5JuvVKLsL1wd8BC9o/lg8apDqsrDZ/+0Nc8g3Z9HRN99vcLsVDdT27DkM
+                BslfXdN/qBhKAp3m7jw29uijX5fss+Wz9iHfHciUjVyMJ4DoFxHYPbMWQG8XEUKR
+                TP6Gp79DzCiPKFt52Y8yVikIET4fnyRzU8kGKLuPoIt+EQQzpG26qWAjeNHAASEM
+                keiA+tedMWzydX52B+tGg+l2svxg34apIBDjK8pF+8ZxTt5yjVUa10GbpffJuiEh
+                NWQddOR8IHg+v6lWc9BtuuKK5ubsg6XOiEjhhr42AKViKalX1i4+"""
+        self.assertEqual('a5627a4a430d7632610ca6fb1311e422d7b52c9c', self.cert_ski_pyopenssl_get(self.logger, cert))
+
+    @patch('acme_srv.helper.cert_ski_pyopenssl_get')
+    @patch('acme_srv.helper.cert_load')
+    def test_281_ski_get(self, mock_load, mock_ski):
+        """ test cert_ski_get() """
+        cert = 'cert'
+        mock_ski.return_value = 'mock_ski'
+        mock_load.return_value = 'mock_load'
+        self.assertEqual('mock_ski', self.cert_ski_get(self.logger, cert))
+        self.assertTrue(mock_ski.called)
+
+    @patch('OpenSSL.crypto.load_certificate')
+    def test_282_ski_get(self, mock_load):
+        """ test cert_ski_get() """
+        cert = 'cert'
+        mock_load.get_extension_count.return_value = 2
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cert_ski_pyopenssl_get(self.logger, cert))
+        self.assertIn('ERROR:test_a2c:cert_ski_pyopenssl_get(): No SKI found in certificate', lcm.output)
+
+    def test_283_cert_aki_get(self):
+        """ test cert_san_get aki"""
+        cert = 'MIIEOzCCAiOgAwIBAgIIKndYX0qdb04wDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yNDAxMjkyMDA0NTZaFw0yNTAxMjgyMDA0NTZaMD8xFzAVBgNVBAMTDmxlZ28uYmFyLmxvY2FsMRcwFQYDVQQKDA5hY21lMmNlcnRpZmllcjELMAkGA1UEBhMCREUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQKIqEIxeS0JIN+iqsJ+08IJFFmuvfpjFnH4wFD2OLlmeTvfpDsnD00uw/orLvecDvjt48JvgYR8Wv+9C4ajIDfo4IBGTCCARUwHQYDVR0OBBYEFCka80MPgj45/quHJ9oF8Cc1YlsXMB8GA1UdIwQYMBaAFL/ejo4GIiKrrUPI3dRPqKtIQT7VMAsGA1UdDwQEAwID6DBRBgNVHSUBAf8ERzBFBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgcrBgEFAgMFMEoGA1UdHwRDMEEwHqAcoBqGGFVSSTpodHRwOi8vZm9vLmJhci5sb2NhbDAfoB2gG4YZVVJJOmh0dHA6Ly9mb28xLmJhci5sb2NhbDAMBgNVHRMBAf8EAjAAMBkGA1UdEQQSMBCCDmxlZ28uYmFyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4ICAQB4FxJwQ/aILMzh7jBSr358RA92mX8srPmzQrjPYoU7T2LxwMf+eb0z5x0PMFH8j5FgRvRGWo6rcco8rL+B+gvrVhQ0TfAFEF77WJfKG2XMlnEN/9Ri73J7+dA45kaw8CZRSfUBpIW6fb4N+6frXyIKwBaZnrT6qiy+Izu+ZH6RkaTFrBn5yOWvVyk7aBHE1eZ+3+eA3qBI4UPaeYFSwr3gY5dxfbPktlFgvpCI22ff4NAb/fzjAQsKRTkXkOVqAvBJcWI5d/g32IVMLq0ub13XLe+yHk0iCxyMaIRdN4+W6RYi3gvtTQh6LaOjncWDYLdsm+vN+YqXEqieY5TC1oC8kG9We9eHzKHdNquJnrju536DPqh4xYEDcb+PGvTr3sqYdSikA9v5FuWUGeiZD/ZEvw/p7F7DevD5NO1JaOtfWDwDwxFHEyn+iwTVq3QDEc4j+oyGnQJs5Spoyz3tJi31VMJk+EAKKUV66aVNynLM7Ce4Oj0M67o4pcnDd0uWBMSAg4lH8KIX0IsmMfLnirIqOOwrZ4UkPKlEjD+oZQf5IBukfdHob/bo4fW8q4eU/I8z9w3BTdV1yNVH/ANHg5AItoPabkr65oBTwY51j3FVq0gK+4xVrevcyIeY3A9XFzA18k/gX7O/kf/IrM0dcZWJnsW39byiWhUd4JetJaGeKg'
+        self.assertEqual('bfde8e8e062222abad43c8ddd44fa8ab48413ed5', self.cert_aki_get(self.logger, cert))
+
+    def test_284_cert_aki_pyopenssl_get(self):
+        """ test cert_san_get aki"""
+        cert = 'MIIEOzCCAiOgAwIBAgIIKndYX0qdb04wDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UECxMOYWNtZTJjZXJ0aWZpZXIxDzANBgNVBAMTBnN1Yi1jYTAeFw0yNDAxMjkyMDA0NTZaFw0yNTAxMjgyMDA0NTZaMD8xFzAVBgNVBAMTDmxlZ28uYmFyLmxvY2FsMRcwFQYDVQQKDA5hY21lMmNlcnRpZmllcjELMAkGA1UEBhMCREUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQKIqEIxeS0JIN+iqsJ+08IJFFmuvfpjFnH4wFD2OLlmeTvfpDsnD00uw/orLvecDvjt48JvgYR8Wv+9C4ajIDfo4IBGTCCARUwHQYDVR0OBBYEFCka80MPgj45/quHJ9oF8Cc1YlsXMB8GA1UdIwQYMBaAFL/ejo4GIiKrrUPI3dRPqKtIQT7VMAsGA1UdDwQEAwID6DBRBgNVHSUBAf8ERzBFBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgcrBgEFAgMFMEoGA1UdHwRDMEEwHqAcoBqGGFVSSTpodHRwOi8vZm9vLmJhci5sb2NhbDAfoB2gG4YZVVJJOmh0dHA6Ly9mb28xLmJhci5sb2NhbDAMBgNVHRMBAf8EAjAAMBkGA1UdEQQSMBCCDmxlZ28uYmFyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4ICAQB4FxJwQ/aILMzh7jBSr358RA92mX8srPmzQrjPYoU7T2LxwMf+eb0z5x0PMFH8j5FgRvRGWo6rcco8rL+B+gvrVhQ0TfAFEF77WJfKG2XMlnEN/9Ri73J7+dA45kaw8CZRSfUBpIW6fb4N+6frXyIKwBaZnrT6qiy+Izu+ZH6RkaTFrBn5yOWvVyk7aBHE1eZ+3+eA3qBI4UPaeYFSwr3gY5dxfbPktlFgvpCI22ff4NAb/fzjAQsKRTkXkOVqAvBJcWI5d/g32IVMLq0ub13XLe+yHk0iCxyMaIRdN4+W6RYi3gvtTQh6LaOjncWDYLdsm+vN+YqXEqieY5TC1oC8kG9We9eHzKHdNquJnrju536DPqh4xYEDcb+PGvTr3sqYdSikA9v5FuWUGeiZD/ZEvw/p7F7DevD5NO1JaOtfWDwDwxFHEyn+iwTVq3QDEc4j+oyGnQJs5Spoyz3tJi31VMJk+EAKKUV66aVNynLM7Ce4Oj0M67o4pcnDd0uWBMSAg4lH8KIX0IsmMfLnirIqOOwrZ4UkPKlEjD+oZQf5IBukfdHob/bo4fW8q4eU/I8z9w3BTdV1yNVH/ANHg5AItoPabkr65oBTwY51j3FVq0gK+4xVrevcyIeY3A9XFzA18k/gX7O/kf/IrM0dcZWJnsW39byiWhUd4JetJaGeKg'
+        self.assertEqual('bfde8e8e062222abad43c8ddd44fa8ab48413ed5', self.cert_aki_pyopenssl_get(self.logger, cert))
+
+    @patch('acme_srv.helper.cert_aki_pyopenssl_get')
+    @patch('acme_srv.helper.cert_load')
+    def test_285_aki_get(self, mock_load, mock_aki):
+        """ test cert_ski_get() """
+        cert = 'cert'
+        mock_aki.return_value = 'mock_aki'
+        mock_load.return_value = 'mock_load'
+        self.assertEqual('mock_aki', self.cert_aki_get(self.logger, cert))
+        self.assertTrue(mock_aki.called)
+
+    @patch('OpenSSL.crypto.load_certificate')
+    def test_286_aki_get(self, mock_load):
+        """ test cert_aki_get() """
+        cert = 'cert'
+        mock_load.get_extension_count.return_value = 2
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cert_aki_pyopenssl_get(self.logger, cert))
+        self.assertIn('ERROR:test_a2c:cert_ski_pyopenssl_get(): No AKI found in certificate', lcm.output)
+
+    def test_287_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertTrue(self.validate_fqdn(self.logger, 'foo.bar.com'))
+
+    def test_288_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertFalse(self.validate_fqdn(self.logger, '-foo.bar.com'))
+
+    def test_289_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertFalse(self.validate_fqdn(self.logger, 'foo.bar.com/foo'))
+
+    def test_290_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertFalse(self.validate_fqdn(self.logger, 'foo.bar.com#foo'))
+
+    def test_291_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertFalse(self.validate_fqdn(self.logger, 'foo.bar.com?foo=foo'))
+
+    def test_292_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertFalse(self.validate_fqdn(self.logger, '2a01:c22:b0cf:600:74be:80a7:4feb:bfe8'))
+
+    def test_293_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertFalse(self.validate_fqdn(self.logger, 'foo.bar.com:8080'))
+
+    def test_294_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertFalse(self.validate_fqdn(self.logger, 'foo@bar.local'))
+
+    def test_295_validate_fqdn(self):
+        """ test validate_fqdn() """
+        self.assertTrue(self.validate_fqdn(self.logger, '*.bar.local'))
+
+    def test_296_validate_ip(self):
+        """ test validate_ip() """
+        self.assertTrue(self.validate_ip(self.logger, '10.0.0.1'))
+
+    def test_297_validate_ip(self):
+        """ test validate_ip() """
+        self.assertTrue(self.validate_ip(self.logger, '2a01:c22:b0cf:600:74be:80a7:4feb:bfe8'))
+
+    def test_298_validate_ip(self):
+        """ test validate_ip() """
+        self.assertFalse(self.validate_ip(self.logger, 'foo.bar.local'))
+
+    def test_299_validate_ip(self):
+        """ test validate_ip() """
+        self.assertFalse(self.validate_ip(self.logger, 'foo@bar.local'))
+
+    def test_300_validate_ip(self):
+        """ test validate_ip() """
+        self.assertFalse(self.validate_ip(self.logger, '301.0.0.1'))
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_301_validate_identifier(self, mock_ip, mock_fqdn):
+        """ test validate_identifier """
+        mock_fqdn.return_value = 'dns'
+        mock_ip.return_value = 'ip'
+        self.assertEqual('dns', self.validate_identifier(self.logger, 'dns', 'foo.bar.com'))
+        self.assertTrue(mock_fqdn.called)
+        self.assertFalse(mock_ip.called)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_302_validate_identifier(self, mock_ip, mock_fqdn):
+        """ test validate_identifier """
+        mock_fqdn.return_value = 'dns'
+        mock_ip.return_value = 'ip'
+        self.assertEqual('ip', self.validate_identifier(self.logger, 'ip', 'ip'))
+        self.assertFalse(mock_fqdn.called)
+        self.assertTrue(mock_ip.called)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_303_validate_identifier(self, mock_ip, mock_fqdn):
+        """ test validate_identifier """
+        mock_fqdn.return_value = 'dns'
+        mock_ip.return_value = 'ip'
+        self.assertFalse(self.validate_identifier(self.logger, 'unk', 'ip'))
+        self.assertFalse(mock_fqdn.called)
+        self.assertFalse(mock_ip.called)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_304_validate_identifier(self, mock_ip, mock_fqdn):
+        """ test validate_identifier """
+        mock_fqdn.return_value = 'dns'
+        mock_ip.return_value = 'ip'
+        self.assertFalse(self.validate_identifier(self.logger, 'tnauthlist', 'ip'))
+        self.assertFalse(mock_fqdn.called)
+        self.assertFalse(mock_ip.called)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_305_validate_identifier(self, mock_ip, mock_fqdn):
+        """ test validate_identifier """
+        mock_fqdn.return_value = 'dns'
+        mock_ip.return_value = 'ip'
+        self.assertTrue(self.validate_identifier(self.logger, 'tnauthlist', 'ip', True))
+        self.assertFalse(mock_fqdn.called)
+        self.assertFalse(mock_ip.called)
+
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_306_header_info_field_validate(self, mock_lookup):
+        """ test header_info_field_validate """
+        mock_lookup.return_value = 'value2'
+        self.assertEqual(('value2', None), self.header_info_field_validate(self.logger, 'csr', 'header_info_field', 'key', ['value0', 'value2']))
+
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_307_header_info_field_validate(self, mock_lookup):
+        """ test header_info_field_validate """
+        mock_lookup.return_value = 'unk_value'
+        self.assertEqual((None, 'parameter "unk_value" is not allowed'), self.header_info_field_validate(self.logger, 'csr', 'header_info_field', 'parameter', ['value0', 'value2']))
+
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_308_header_info_field_validate(self, mock_lookup):
+        """ test header_info_field_validate """
+        mock_lookup.return_value = None
+        self.assertEqual(('value0', None), self.header_info_field_validate(self.logger, 'csr', 'header_info_field', 'parameter', ['value0', 'value2']))
+
+    @patch('acme_srv.helper.header_info_get')
+    def test_309_header_info_lookup(self, mock_info):
+        """ test header_info_lookup """
+        mock_info.return_value = [{'header_info': '{"header_info_field": "foo1=value1 foo2=value2"}'}]
+        self.assertEqual('value1', self.header_info_lookup(self.logger, 'csr', 'header_info_field', 'foo1'))
+
+    @patch('acme_srv.helper.header_info_get')
+    def test_310_header_info_lookup(self, mock_info):
+        """ test header_info_lookup """
+        mock_info.return_value = [{'header_info': '{"header_info_field": "foo1=value1=foo foo2=value2=foo"}'}]
+        self.assertEqual('value1=foo', self.header_info_lookup(self.logger, 'csr', 'header_info_field', 'foo1'))
+
+    @patch('acme_srv.helper.header_info_get')
+    def test_311_header_info_lookup(self, mock_info):
+        """ test header_info_lookup """
+        mock_info.return_value = None
+        self.assertFalse(self.header_info_lookup(self.logger, 'csr', 'header_info_field', 'foo1'))
+
+    @patch('acme_srv.helper.header_info_get')
+    def test_312_header_info_lookup(self, mock_info):
+        """ test header_info_lookup """
+        mock_info.return_value = [{'foo': '{"header_info_field": "foo1=value1 foo2=value2"}'}]
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.header_info_lookup(self.logger, 'csr', 'header_info_field', 'foo1'))
+        self.assertIn('ERROR:test_a2c:header_info_lookup() header_info_field not found: header_info_field', lcm.output)
+
+    @patch('acme_srv.helper.header_info_get')
+    def test_313_header_info_lookup(self, mock_info):
+        """ test header_info_lookup """
+        mock_info.return_value = [{'header_info': '{"foo": "foo1=value1 foo2=value2"}'}]
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.header_info_lookup(self.logger, 'csr', 'header_info_field', 'foo1'))
+        self.assertIn('ERROR:test_a2c:header_info_lookup() header_info_field not found: header_info_field', lcm.output)
+
+    @patch('acme_srv.helper.header_info_get')
+    def test_314_header_info_lookup(self, mock_info):
+        """ test header_info_lookup """
+        mock_info.return_value = 'bump'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.header_info_lookup(self.logger, 'csr', 'header_info_field', 'foo1'))
+        self.assertIn('ERROR:test_a2c:header_info_lookup() header_info_field not found: header_info_field', lcm.output)
+
+    @patch('acme_srv.helper.json.loads')
+    @patch('acme_srv.helper.header_info_get')
+    def test_315_header_info_lookup(self, mock_info, mock_json):
+        """ test header_info_lookup """
+        mock_info.return_value = [{'header_info': 'foo1=value1 foo2=value2'}]
+        mock_json.side_effect = Exception('mock_json')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.header_info_lookup(self.logger, 'csr', 'header_info_field', 'foo1'))
+        self.assertIn('ERROR:test_a2c:header_info_lookup() could not parse header_info_field: mock_json', lcm.output)
+
+    def test_316_config_headerinfo_load(self):
+        """ test config_headerinfo_load()"""
+        config_dic = {'Order': {'header_info_list': '["foo", "bar", "foobar"]'}}
+        self.assertEqual('foo', self.config_headerinfo_load(self.logger, config_dic))
+
+    def test_317_config_headerinfo_load(self):
+        """ test config_headerinfo_load()"""
+        config_dic = {'Order': {'header_info_list': '["foo"]'}}
+        self.assertEqual('foo', self.config_headerinfo_load(self.logger, config_dic))
+
+    def test_318_config_headerinfo_load(self):
+        """ test config_headerinfo_load()"""
+        config_dic = {'Order': {'header_info_list': 'foo'}}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.config_headerinfo_load(self.logger, config_dic))
+        self.assertIn('WARNING:test_a2c:Helper.config_headerinfo_load() header_info_list failed with error: Expecting value: line 1 column 1 (char 0)', lcm.output)
+
+    @patch('acme_srv.helper.eab_handler_load')
+    def test_319_config_eab_profile_load(self, mock_eabload):
+        """ test config_eab_profiling()"""
+        config_dic = configparser.ConfigParser()
+        config_dic['CAhandler'] = {'eab_profiling': True}
+        config_dic['EABhandler'] = {'eab_handler_file': 'eab_handler_file'}
+        eabl = Mock()
+        eabl.EABhandler = 'bar'
+        mock_eabload.return_value = eabl
+        self.assertEqual((True, 'bar'), self.config_eab_profile_load(self.logger, config_dic))
+        self.assertTrue(mock_eabload.called)
+
+    @patch('acme_srv.helper.eab_handler_load')
+    def test_320_config_eab_profile_load(self, mock_eabload):
+        """ test config_eab_profiling()"""
+        config_dic = configparser.ConfigParser()
+        config_dic['CAhandler'] = {'eab_profiling': True}
+        eabl = Mock()
+        eabl.EABhandler = 'bar'
+        mock_eabload.return_value = eabl
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((True, None), self.config_eab_profile_load(self.logger, config_dic))
+        self.assertFalse(mock_eabload.called)
+        self.assertIn('CRITICAL:test_a2c:CAhandler._config_load(): EABHandler configuration incomplete', lcm.output)
+        self.assertFalse(mock_eabload.called)
+
+    @patch('acme_srv.helper.eab_handler_load')
+    def test_321_config_eab_profile_load(self, mock_eabload):
+        """ test config_eab_profiling()"""
+        config_dic = configparser.ConfigParser()
+        config_dic['CAhandler'] = {'eab_profiling': True}
+        config_dic['EABhandler'] = {'eab_handler_file': 'eab_handler_file'}
+        mock_eabload.return_value = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((True, None), self.config_eab_profile_load(self.logger, config_dic))
+        self.assertTrue(mock_eabload.called)
+        self.assertIn('CRITICAL:test_a2c:CAhandler._config_load(): EABHandler could not get loaded', lcm.output)
+
+    @patch('acme_srv.helper.eab_handler_load')
+    def test_322_config_eab_profile_load(self, mock_eabload):
+        """ test config_eab_profiling()"""
+        config_dic = configparser.ConfigParser()
+        config_dic['CAhandler'] = {'eab_profiling': False}
+        config_dic['EABhandler'] = {'eab_handler_file': 'eab_handler_file'}
+        self.assertEqual((False, None), self.config_eab_profile_load(self.logger, config_dic))
+        self.assertFalse(mock_eabload.called)
+
+    @patch('acme_srv.helper.eab_handler_load')
+    def test_323_config_eab_profile_load(self, mock_eabload):
+        """ test config_eab_profiling()"""
+        config_dic = configparser.ConfigParser()
+        config_dic['CAhandler'] = {'eab_profiling': 'aa'}
+        config_dic['EABhandler'] = {'eab_handler_file': 'eab_handler_file'}
+        self.assertEqual((False, None), self.config_eab_profile_load(self.logger, config_dic))
+        self.assertFalse(mock_eabload.called)
+
+    def test_324_domainlist_check(self):
+        """ domainlist_check failed check as empty entry"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = None
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_))
+
+    def test_325_domainlist_check(self):
+        """ domainlist_check check against empty list"""
+        list_ = []
+        entry = 'host.bar.foo'
+        self.assertTrue(self.domainlist_check(self.logger, entry, list_))
+
+    def test_326_domainlist_check(self):
+        """ domainlist_check successful check against 1st element of a list"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo'
+        self.assertTrue(self.domainlist_check(self.logger, entry, list_))
+
+    def test_327_domainlist_check(self):
+        """ domainlist_check unsuccessful as endcheck failed"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo.bar_'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_))
+
+    def test_328_domainlist_check(self):
+        """ domainlist_check successful without $"""
+        list_ = ['bar.foo', 'foo.bar$']
+        entry = 'host.bar.foo.bar_'
+        self.assertTrue(self.domainlist_check(self.logger, entry, list_))
+
+    def test_329_domainlist_check(self):
+        """ domainlist_check wildcard check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = '*.bar.foo'
+        self.assertTrue(self.domainlist_check(self.logger, entry, list_))
+
+    def test_330_domainlist_check(self):
+        """ domainlist_check failed wildcard check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = '*.bar.foo_'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_))
+
+    def test_331_domainlist_check(self):
+        """ domainlist_check not end check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'bar.foo gna'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_))
+
+    def test_332_domainlist_check(self):
+        """ domainlist_check $ at the end"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'bar.foo$'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_))
+
+    def test_333_domainlist_check(self):
+        """ domainlist_check check against empty list flip"""
+        list_ = []
+        entry = 'host.bar.foo'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_, True))
+
+    def test_334_domainlist_check(self):
+        """ domainlist_check flip successful check """
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_, True))
+
+    def test_335_domainlist_check(self):
+        """ domainlist_check flip unsuccessful check"""
+        list_ = ['bar.foo$', 'foo.bar$']
+        entry = 'host.bar.foo'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_, True))
+
+    def test_336_domainlist_check(self):
+        """ domainlist_check unsuccessful whildcard check"""
+        list_ = ['foo.bar$', r'\*.bar.foo']
+        entry = 'host.bar.foo'
+        self.assertFalse(self.domainlist_check(self.logger, entry, list_))
+
+    def test_337_domainlist_check(self):
+        """ domainlist_check successful whildcard check"""
+        list_ = ['foo.bar$', r'\*.bar.foo']
+        entry = '*.bar.foo'
+        self.assertTrue(self.domainlist_check(self.logger, entry, list_))
+
+    def test_338_domainlist_check(self):
+        """ domainlist_check successful whildcard in list but not in string """
+        list_ = ['foo.bar$', '*.bar.foo']
+        entry = 'foo.bar.foo'
+        self.assertTrue(self.domainlist_check(self.logger, entry, list_))
+
+    @patch('acme_srv.helper.csr_cn_get')
+    @patch('acme_srv.helper.csr_san_get')
+    def test_339_allowed_domainlist_check(self,  mock_san, mock_cn):
+        """ CAhandler._check_csr with empty allowed_domainlist """
+        allowed_domainlist = []
+        mock_san.return_value = ['DNS:host.foo.bar']
+        mock_cn.return_value = 'host2.foo.bar'
+        csr = 'csr'
+        self.assertTrue(self.allowed_domainlist_check(self.logger, csr, allowed_domainlist))
+
+    @patch('acme_srv.helper.domainlist_check')
+    @patch('acme_srv.helper.csr_cn_get')
+    @patch('acme_srv.helper.csr_san_get')
+    def test_340_allowed_domainlist_check(self, mock_san, mock_cn, mock_lcheck):
+        """ CAhandler._check_csr with list and failed check """
+        allowed_domainlist = ['foo.bar']
+        mock_san.return_value = ['DNS:host.foo.bar']
+        mock_cn.return_value = 'host2.foo.bar'
+        mock_lcheck.side_effect = [True, False]
+        csr = 'csr'
+        self.assertFalse(self.allowed_domainlist_check(self.logger, csr, allowed_domainlist))
+
+    @patch('acme_srv.helper.domainlist_check')
+    @patch('acme_srv.helper.csr_cn_get')
+    @patch('acme_srv.helper.csr_san_get')
+    def test_341_allowed_domainlist_check(self, mock_san, mock_cn, mock_lcheck):
+        """ CAhandler._check_csr with list and successful check """
+        allowed_domainlist = ['foo.bar']
+        mock_san.return_value = ['DNS:host.foo.bar']
+        mock_cn.return_value = 'host2.foo.bar'
+        mock_lcheck.side_effect = [True, True]
+        csr = 'csr'
+        self.assertTrue(self.allowed_domainlist_check(self.logger, csr, allowed_domainlist))
+
+    @patch('acme_srv.helper.domainlist_check')
+    @patch('acme_srv.helper.csr_cn_get')
+    @patch('acme_srv.helper.csr_san_get')
+    def test_342_allowed_domainlist_check(self, mock_san, mock_cn, mock_lcheck):
+        """ CAhandler._check_csr san parsing failed """
+        allowed_domainlist = ['foo.bar']
+        mock_san.return_value = ['host.google.com']
+        mock_cn.return_value = 'host2.foo.bar'
+        mock_lcheck.side_effect = [True, True]
+        csr = 'csr'
+        self.assertFalse(self.allowed_domainlist_check(self.logger, csr, allowed_domainlist))
+
+    @patch('acme_srv.helper.csr_cn_get')
+    @patch('acme_srv.helper.csr_san_get')
+    def test_343_allowed_domainlist_check(self, mock_san, mock_cn):
+        """ CAhandler._check_csr san parsing failed """
+        allowed_domainlist = ['foo.bar']
+        mock_san.return_value = []
+        mock_cn.return_value = None
+        csr = 'csr'
+        self.assertFalse(self.allowed_domainlist_check(self.logger, csr, allowed_domainlist))
+
+    def test_344_eab_profile_string_check(self):
+        """ test _eab_profile_string_check() """
+        cahandler = FakeDBStore()
+        cahandler.foo = 'foo'
+        self.eab_profile_string_check(self.logger, cahandler, 'foo', 'bar')
+        self.assertEqual('bar', cahandler.foo)
+
+    def test_345_eab_profile_string_check(self):
+        """ test _eab_profile_string_check() """
+        cahandler = FakeDBStore()
+        cahandler.foo = 'foo'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.eab_profile_string_check(self.logger, cahandler, 'foobar', 'bar')
+        self.assertEqual('foo', cahandler.foo)
+        self.assertIn('ERROR:test_a2c:Helper.eab_profile_string_check(): ignore string attribute: key: foobar value: bar', lcm.output)
+
+    def test_346_eab_profile_list_check(self):
+        """ test _eab_profile_list_check() """
+        cahandler = FakeDBStore()
+        cahandler.foo = 'foo'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.eab_profile_list_check(self.logger, cahandler, 'eabhandler', 'csr', 'foobar', 'bar')
+        self.assertEqual('foo', cahandler.foo)
+        self.assertIn('ERROR:test_a2c:Helper.eab_profile_list_check(): ignore list attribute: key: foobar value: bar', lcm.output)
+
+    def test_347_eab_profile_list_check(self):
+        """ test _eab_profile_list_check() """
+        cahandler = FakeDBStore()
+        eabhandler = Mock()
+        eabhandler.allowed_domains_check.return_value = False
+        cahandler.foo = 'foo'
+        self.eab_profile_list_check(self.logger, cahandler, eabhandler, 'csr', 'allowed_domainlist', 'bar')
+        self.assertEqual('foo', cahandler.foo)
+
+    def test_348_eab_profile_list_check(self):
+        """ test _eab_profile_list_check() """
+        cahandler = FakeDBStore()
+        eabhandler = Mock()
+        eabhandler.allowed_domains_check.return_value = 'error'
+        cahandler.foo = 'foo'
+        self.assertEqual('error', self.eab_profile_list_check(self.logger, cahandler, eabhandler, 'csr', 'allowed_domainlist', 'bar'))
+        self.assertEqual('foo', cahandler.foo)
+
+    @patch('acme_srv.helper.header_info_field_validate')
+    def test_349_eab_profile_list_check(self, mock_hifv):
+        """ test _eab_profile_list_check() """
+        cahandler = FakeDBStore()
+        cahandler.foo = 'foo'
+        cahandler.header_info_field = 'header_info_field'
+        eabhandler = Mock()
+        eabhandler.allowed_domains_check.return_value = 'error'
+        cahandler.foo = 'foo'
+        mock_hifv.return_value = ('mock_hifv', None)
+        self.assertFalse(self.eab_profile_list_check(self.logger, cahandler, eabhandler, 'csr', 'foo', 'bar'))
+        self.assertEqual('mock_hifv', cahandler.foo)
+
+    @patch('acme_srv.helper.header_info_field_validate')
+    def test_350_eab_profile_list_check(self, mock_hifv):
+        """ test _eab_profile_list_check() """
+        cahandler = FakeDBStore()
+        cahandler.foo = 'foo'
+        cahandler.header_info_field = 'header_info_field'
+        eabhandler = Mock()
+        eabhandler.allowed_domains_check.return_value = 'error'
+        cahandler.foo = 'foo'
+        mock_hifv.return_value = (None, 'error')
+        self.assertEqual('error', self.eab_profile_list_check(self.logger, cahandler, eabhandler, 'csr', 'foo', 'bar'))
+        self.assertEqual('foo', cahandler.foo)
+
+    def test_351_eab_profile_list_check(self):
+        """ test _eab_profile_list_check() test allowed domain check if cahander contains attribute """
+        cahandler = FakeDBStore()
+        eabhandler = Mock()
+        eabhandler.allowed_domains_check.return_value = False
+        cahandler.allowed_domainlist = ['foo', 'foobar']
+        cahandler.foo = 'foo'
+        cahandler.header_info_field = None
+        self.eab_profile_list_check(self.logger, cahandler, eabhandler, 'csr', 'allowed_domainlist', ['bar'])
+        self.assertEqual('foo', cahandler.foo)
+        self.assertTrue(eabhandler.allowed_domains_check.called)
+        self.assertEqual(['foo', 'foobar'], cahandler.allowed_domainlist)
+
+    @patch('acme_srv.helper.eab_profile_check')
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_352_eab_profile_header_info_check(self, mock_lookup, mock_eab):
+        """ test eab_profile_header_info_check() """
+        cahandler = FakeDBStore()
+        cahandler.eab_profiling = False
+        cahandler.header_info_field = None
+        self.assertFalse(self.eab_profile_header_info_check(self.logger, cahandler, 'csr', 'handler_hifield'))
+        self.assertFalse(mock_lookup.called)
+        self.assertFalse(mock_eab.called)
+
+    @patch('acme_srv.helper.eab_profile_check')
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_353_eab_profile_header_info_check(self, mock_lookup, mock_eab):
+        """ test eab_profile_header_info_check() """
+        cahandler = FakeDBStore()
+        cahandler.eab_profiling = False
+        cahandler.header_info_field = 'hi_field'
+        mock_lookup.return_value = 'hi_value'
+        cahandler.hi_field = 'pre_hi_field'
+        self.assertFalse(self.eab_profile_header_info_check(self.logger, cahandler, 'csr', 'hi_field'))
+        self.assertEqual('hi_value', cahandler.hi_field)
+        self.assertTrue(mock_lookup.called)
+        self.assertFalse(mock_eab.called)
+
+    @patch('acme_srv.helper.eab_profile_check')
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_354_eab_profile_header_info_check(self, mock_lookup, mock_eab):
+        """ test eab_profile_header_info_check() """
+        cahandler = FakeDBStore()
+        cahandler.eab_profiling = False
+        cahandler.header_info_field = 'hi_field'
+        mock_lookup.return_value = 'hi_value'
+        cahandler.hi_field = 'pre_hi_field'
+        cahandler.profile_name = 'profile_name'
+        self.assertFalse(self.eab_profile_header_info_check(self.logger, cahandler, 'csr'))
+        self.assertEqual('pre_hi_field', cahandler.hi_field)
+        self.assertEqual('hi_value', cahandler.profile_name)
+        self.assertTrue(mock_lookup.called)
+        self.assertFalse(mock_eab.called)
+
+    @patch('acme_srv.helper.eab_profile_check')
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_355_eab_profile_header_info_check(self, mock_lookup, mock_eab):
+        """ test eab_profile_header_info_check() """
+        cahandler = FakeDBStore()
+        cahandler.eab_profiling = False
+        cahandler.header_info_field = 'hi_field'
+        mock_lookup.return_value = None
+        cahandler.hi_field = 'pre_hi_field'
+        cahandler.profile_name = 'profile_name'
+        self.assertFalse(self.eab_profile_header_info_check(self.logger, cahandler, 'csr'))
+        self.assertEqual('pre_hi_field', cahandler.hi_field)
+        self.assertEqual('profile_name', cahandler.profile_name)
+        self.assertFalse(mock_eab.called)
+
+    @patch('acme_srv.helper.eab_profile_check')
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_356_eab_profile_header_info_check(self, mock_lookup, mock_eab):
+        """ test eab_profile_header_info_check() """
+        cahandler = FakeDBStore()
+        cahandler.eab_profiling = True
+        cahandler.eab_handler = None
+        cahandler.header_info_field = 'hi_field'
+        mock_lookup.return_value = 'hi_value'
+        cahandler.hi_field = 'pre_hi_field'
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('Eab_profiling enabled but no handler defined', self.eab_profile_header_info_check(self.logger, cahandler, 'csr', 'hi_field'))
+        self.assertIn('ERROR:test_a2c:Helper.eab_profile_header_info_check(): eab_profiling enabled but no handler defined', lcm.output)
+
+        self.assertEqual('pre_hi_field', cahandler.hi_field)
+        self.assertFalse(mock_eab.called)
+        self.assertFalse(mock_lookup.called)
+
+    @patch('acme_srv.helper.eab_profile_check')
+    @patch('acme_srv.helper.header_info_lookup')
+    def test_357_eab_profile_header_info_check(self, mock_lookup, mock_eab):
+        """ test eab_profile_header_info_check() """
+        cahandler = FakeDBStore()
+        cahandler.eab_profiling = True
+        cahandler.eab_handler = 'eab_handler'
+        cahandler.header_info_field = 'hi_field'
+        mock_lookup.return_value = 'hi_value'
+        mock_eab.return_value = 'mock_eab'
+        cahandler.hi_field = 'pre_hi_field'
+        self.assertEqual('mock_eab', self.eab_profile_header_info_check(self.logger, cahandler, 'csr', 'hi_field'))
+        self.assertEqual('pre_hi_field', cahandler.hi_field)
+        self.assertFalse(mock_lookup.called)
+        self.assertTrue(mock_eab.called)
+
+    @patch('acme_srv.helper.eab_profile_list_check')
+    @patch('acme_srv.helper.eab_profile_string_check')
+    def test_358_eab_profile_check(self, mock_string, mock_list):
+        """ test _eab_profile_check()"""
+        self.cahandler = MagicMock()
+        self.csr = "testCSR"
+        self.handler_hifield = "testField"
+        self.cahandler.eab_handler.return_value.__enter__.return_value.eab_profile_get.return_value = {"testField": "stringValue"}
+        self.assertIsNone(self.eab_profile_check(self.logger, self.cahandler, self.csr, self.handler_hifield))
+        self.assertTrue(mock_string.called)
+        self.assertFalse(mock_list.called)
+
+    @patch('acme_srv.helper.eab_profile_list_check')
+    @patch('acme_srv.helper.eab_profile_string_check')
+    def test_359_eab_profile_check(self, mock_string, mock_list):
+        self.cahandler = MagicMock()
+        self.csr = "testCSR"
+        self.handler_hifield = "testField"
+        self.cahandler.eab_handler.return_value.__enter__.return_value.eab_profile_get.return_value = {"testField": ["listValue"]}
+        mock_list.return_value = None
+        self.assertIsNone(self.eab_profile_check(self.logger, self.cahandler, self.csr, self.handler_hifield))
+        self.assertFalse(mock_string.called)
+        self.assertTrue(mock_list.called)
+
+    @patch('acme_srv.helper.header_info_lookup')
+    @patch('acme_srv.helper.eab_profile_list_check')
+    @patch('acme_srv.helper.eab_profile_string_check')
+    def test_360_eab_profile_check(self, mock_string, mock_list, mock_hil):
+        self.cahandler = MagicMock()
+        self.csr = "testCSR"
+        self.handler_hifield = "testField"
+        self.cahandler.eab_handler.return_value.__enter__.return_value.eab_profile_get.return_value = {"testField": ["listValue"]}
+        mock_list.return_value = 'mock_list'
+        self.assertEqual('mock_list', self.eab_profile_check(self.logger, self.cahandler, self.csr, self.handler_hifield))
+        self.assertFalse(mock_string.called)
+        self.assertTrue(mock_list.called)
+        self.assertFalse(mock_hil.called)
+
+    @patch('acme_srv.helper.header_info_lookup')
+    @patch('acme_srv.helper.eab_profile_list_check')
+    @patch('acme_srv.helper.eab_profile_string_check')
+    def test_361_eab_profile_check(self, mock_string, mock_list, mock_hil):
+        self.cahandler = MagicMock()
+        self.csr = "testCSR"
+        self.handler_hifield = "testField"
+        self.cahandler.eab_handler.return_value.__enter__.return_value.eab_profile_get.return_value = {"testField1": ["listValue"]}
+        mock_list.return_value = 'mock_list'
+        self.assertEqual('header_info field "testField" is not allowed by profile', self.eab_profile_check(self.logger, self.cahandler, self.csr, self.handler_hifield))
+        self.assertFalse(mock_string.called)
+        self.assertTrue(mock_list.called)
+        self.assertTrue(mock_hil.called)
+
+    @patch('acme_srv.helper.eab_profile_list_check')
+    @patch('acme_srv.helper.eab_profile_string_check')
+    def test_362_eab_profile_check(self, mock_string, mock_list):
+        self.cahandler = MagicMock()
+        self.csr = "testCSR"
+        self.handler_hifield = "testField"
+        self.cahandler.eab_handler.return_value.__enter__.return_value.eab_profile_get.return_value = {"testField": ["listValue"]}
+        self.cahandler.eab_profile_list_check.return_value = 'eab_list_check'
+        mock_list.return_value = None
+        self.assertEqual('eab_list_check', self.eab_profile_check(self.logger, self.cahandler, self.csr, self.handler_hifield))
+        self.assertFalse(mock_string.called)
+        self.assertFalse(mock_list.called)
+
+    @patch('acme_srv.helper.eab_profile_subject_check')
+    @patch('acme_srv.helper.eab_profile_list_check')
+    @patch('acme_srv.helper.eab_profile_string_check')
+    def test_363_eab_profile_check(self, mock_string, mock_list, mock_subject):
+        self.cahandler = MagicMock()
+        self.csr = "testCSR"
+        self.handler_hifield = None
+        mock_subject.return_value = 'mock_subject'
+        self.cahandler.eab_handler.return_value.__enter__.return_value.eab_profile_get.return_value = {"subject": ["listValue"]}
+        self.cahandler.eab_profile_list_check.return_value = 'eab_list_check'
+        mock_list.return_value = None
+        self.assertEqual('mock_subject', self.eab_profile_check(self.logger, self.cahandler, self.csr, self.handler_hifield))
+        self.assertFalse(mock_string.called)
+        self.assertFalse(mock_list.called)
+        self.assertTrue(mock_subject.called)
+
+    @patch('cryptography.__version__', '3.4.7')
+    def test_363_cryptography_version_get_success(self):
+        self.assertEqual(3, self.cryptography_version_get(self.logger))
+
+    @patch('cryptography.__version__', None)
+    def test_364_cryptography_version_get_success(self):
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(36, self.cryptography_version_get(self.logger))
+        self.assertIn("ERROR:test_a2c:cryptography_version_get(): Error: 'NoneType' object has no attribute 'split'", lcm.output)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_365_cn_validate(self, mock_ip, mock_fqdn):
+        """ test cn_validate() """
+        mock_ip.return_value = True
+        mock_fqdn.return_value = True
+        self.assertFalse(self.cn_validate(self.logger, 'foo.bar.com'))
+        self.assertFalse(mock_fqdn.called)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_366_cn_validate(self, mock_ip, mock_fqdn):
+        """ test cn_validate() """
+        mock_ip.return_value = False
+        mock_fqdn.return_value = True
+        self.assertFalse(self.cn_validate(self.logger, 'foo.bar.com'))
+        self.assertTrue(mock_fqdn.called)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_367_cn_validate(self, mock_ip, mock_fqdn):
+        """ test cn_validate() """
+        mock_ip.return_value = False
+        mock_fqdn.return_value = False
+        self.assertEqual('Profile subject check failed: CN validation failed', self.cn_validate(self.logger, 'foo.bar.com'))
+        self.assertTrue(mock_fqdn.called)
+
+    @patch('acme_srv.helper.validate_fqdn')
+    @patch('acme_srv.helper.validate_ip')
+    def test_368_cn_validate(self, mock_ip, mock_fqdn):
+        """ test cn_validate() """
+        mock_ip.return_value = False
+        mock_fqdn.return_value = False
+        self.assertEqual('Profile subject check failed: commonName missing', self.cn_validate(self.logger, None))
+        self.assertFalse(mock_fqdn.called)
+
+    def test_369_csr_subject_get(self):
+        """ test csr_subject_get() """
+        csr = 'MIICwDCCAagCAQAwVDESMBAGA1UEAwwJbGVnby5hY21lMQ0wCwYDVQQKDARhY21lMQwwCgYDVQQLDANmb28xCzAJBgNVBAYTAlVTMRQwEgYDVQQFEwswMC0xMS0yMi0zMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM5AKMmB3o8LLEEGuHo0Ipl4K8z9m3EyM9teSVocQz39DK8s2dKpx8MrsVkTg6M3fuL4yPlim8v0+unPtB18dFeThkijHetxL5x08pVvMVwa7Cjk/22e5IRgBGSQYCO6KCUsNh2vhH93r7x71wlTV3sYe2t0HaEdGqBxdct76J9kyeCY06Br+4PMR7afRvHv4vFH6Y2+hSD4oOd5cSTZXnNWcWRbjNFY7aytzl4JpJiEK0ealDMSf/ZP0n8Sdx1vCx8amaozrLg5z3eLULiAUUgCtqOWOgNLQFNSqjyhZmMTZGGJcTgb43KAKWsO3bfM6rvNTZRbrM7dAsg/bQsK6mMCAwEAAaAnMCUGCSqGSIb3DQEJDjEYMBYwFAYDVR0RBA0wC4IJbGVnby5hY21lMA0GCSqGSIb3DQEBCwUAA4IBAQA19j8Lge9Vqxc/hvWYcU1Kx3KBx5TN97PK0wQFPIIWX20/JRoodzfrMSqO0EgZWB+czoRi8G+2ezbK13sV02dKovo8ISoSvgSZtt53UKBz+JmQd7Q7G1vONZ7d2PT0nTUN4fTA5YQs5nys3O8/2oOxJiJO6IyhmpiVqUbrlU6Harb4MfjNTb+teSQRSCOAX/8U9TdPwuAi6rXdWjXAUxBDQySWkW/B3pd77Ztt5nDFP2DT+7f7mAoWG4+XY6iXcXs1GsDA4XRTx2rCvhQtQomVGAKFwd8aTpHL/ZwNt1GOw6oMZkKKf+axVA1pvAYGhey/4x3uwKf654VB3e2iOCea'
+        result_dic = {'commonName': 'lego.acme', 'organizationName': 'acme', 'organizationalUnitName': 'foo', 'countryName': 'US', 'serialNumber': '00-11-22-33'}
+        self.assertEqual(result_dic, self.csr_subject_get(self.logger, csr))
+
+    def test_370_csr_subject_get(self):
+        """ test csr_subject_get() """
+        csr = 'MIICcDCCAVgCAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANOKk0E61QJ2K/NiGSO0aJyqrLfmHytPr35ptLwNdfKQ/8Vb2uoHYAvxVEO9weNTQVlZ9ApkJquBTRoSdqTy6p87inh8JwzFM/neJAsMg2ZiH3gRRRfmIb/4Kce0BUQ66DFSV8sWThyv13EcL+pZYdqRvONujVn7XVPbmB2ZI8qI4iXswRq45mFBW5Dyt3Rlw+KOBu1ejo0lqB2FGQiBONxQrFDyF4nVWN3R9BlhuybSF4Elhos7pkiEfrE+8EzYy+7yMEiDh1m+TmwZRNEdtSWNORF51CF3bYUz8pvpt66vKGi/F6k2iljelw1kNsswZAciNi2jG7S0M+MWMFi680sCAwEAAaArMCkGCSqGSIb3DQEJDjEcMBowGAYDVR0RBBEwD4INZm9vLmJhci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAivCrcL+uVzDdykT87073atC4B2DHky5bzL+iI8C+BkPq0jRdcVkExMrUtTdtp8Ot1zQHtYc/c/Tj+aYDZ6SdMYtrtHUgxS5JyFh0p+MEvkgZHcWOVC+VlWA+lC9kdX3WetsGT6xqCG4l+BpgCUERghFJ5/+K0bbCI4jT/5ZCT7+pO0qZtw0eg6tQBLPSXzXN98x3nmuaw9PzO1rVG5IMItyU+TlX3pJRXKpqSOHEbeaGWHizMUlbDKzoIiUf+11I9RwTeLlp/HPG8uvRc/zZ1einZPLQgow5kU15jFQSgQtzFHV4ZxuYmWN7oMIruwBNP1hkoTNL1kJcPeOwtEdOMw=='
+        self.assertFalse(self.csr_subject_get(self.logger, csr))
+
+    @patch('acme_srv.helper.cn_validate')
+    def test_370_eab_profile_subjet_string_check(self, mock_validate):
+        """ test eab_profile_subject_string_check() """
+        profile_dic = {'foo': 'bar1'}
+        self.assertEqual('Profile subject check failed for foo', self.eab_profile_subject_string_check(self.logger, profile_dic, 'foo', 'bar'))
+        self.assertFalse(mock_validate.called)
+
+    @patch('acme_srv.helper.cn_validate')
+    def test_371_eab_profile_subjet_string_check(self, mock_validate):
+        """ test eab_profile_subject_string_check() """
+        profile_dic = {'foo': '*'}
+        self.assertFalse(self.eab_profile_subject_string_check(self.logger, profile_dic, 'foo', 'bar'))
+        self.assertFalse(mock_validate.called)
+
+    @patch('acme_srv.helper.cn_validate')
+    def test_372_eab_profile_subjet_string_check(self, mock_validate):
+        """ test eab_profile_subject_string_check() """
+        profile_dic = {'foo': 'bar'}
+        self.assertFalse(self.eab_profile_subject_string_check(self.logger, profile_dic, 'foo', 'bar'))
+        self.assertFalse(mock_validate.called)
+
+    @patch('acme_srv.helper.cn_validate')
+    def test_373_eab_profile_subjet_string_check(self, mock_validate):
+        """ test eab_profile_subject_string_check() """
+        profile_dic = {'foo': ['bar1', 'bar2', 'bar3']}
+        self.assertEqual('Profile subject check failed for foo', self.eab_profile_subject_string_check(self.logger, profile_dic, 'foo', 'bar'))
+        self.assertFalse(mock_validate.called)
+
+    @patch('acme_srv.helper.cn_validate')
+    def test_374_eab_profile_subjet_string_check(self, mock_validate):
+        """ test eab_profile_subject_string_check() """
+        profile_dic = {'foo': ['bar1', 'bar2', 'bar3']}
+        self.assertFalse(self.eab_profile_subject_string_check(self.logger, profile_dic, 'foo', 'bar2'))
+        self.assertFalse(mock_validate.called)
+
+    @patch('acme_srv.helper.cn_validate')
+    def test_375_eab_profile_subjet_string_check(self, mock_validate):
+        """ test eab_profile_subject_string_check() """
+        profile_dic = {'foo': ['bar1', 'bar2', 'bar3']}
+        mock_validate.return_value = 'error'
+        self.assertEqual('error', self.eab_profile_subject_string_check(self.logger, profile_dic, 'commonName', 'bar'))
+        self.assertTrue(mock_validate.called)
+
+    @patch('acme_srv.helper.cn_validate')
+    def test_376_eab_profile_subjet_string_check(self, mock_validate):
+        """ test eab_profile_subject_string_check() """
+        profile_dic = {'foo': ['bar1', 'bar2', 'bar3']}
+        mock_validate.return_value = 'error'
+        self.assertEqual('Profile subject check failed for bar', self.eab_profile_subject_string_check(self.logger, profile_dic, 'bar', 'bar'))
+        self.assertFalse(mock_validate.called)
+
+    @patch('acme_srv.helper.eab_profile_subject_string_check')
+    @patch('acme_srv.helper.csr_subject_get')
+    def test_377_eab_profile_subject_check(self, mock_cn, mock_strchk):
+        """ test eab_profile_subject_check() """
+        profile_dic = {'foo': 'bar'}
+        mock_cn.return_value = {'o': 'o', 'ou': 'ou', 'cn': 'cn'}
+        mock_strchk.side_effect = ['o', 'ou', 'cn']
+        self.assertEqual('o', self.eab_profile_subject_check(self.logger, 'csr', profile_dic))
+
+    @patch('acme_srv.helper.eab_profile_subject_string_check')
+    @patch('acme_srv.helper.csr_subject_get')
+    def test_378_eab_profile_subject_check(self, mock_cn, mock_strchk):
+        """ test eab_profile_subject_check() """
+        profile_dic = {'foo': 'bar'}
+        mock_cn.return_value = {'o': 'o', 'ou': 'ou', 'cn': 'cn'}
+        mock_strchk.side_effect = [False, 'ou', 'cn']
+        self.assertEqual('ou', self.eab_profile_subject_check(self.logger, 'csr', profile_dic))
+
+    @patch('acme_srv.helper.eab_profile_subject_string_check')
+    @patch('acme_srv.helper.csr_subject_get')
+    def test_379_eab_profile_subject_check(self, mock_cn, mock_strchk):
+        """ test eab_profile_subject_check() """
+        profile_dic = {'foo': 'bar'}
+        mock_cn.return_value = {'o': 'o', 'ou': 'ou', 'cn': 'cn'}
+        mock_strchk.side_effect = [False, False, 'cn']
+        self.assertEqual('cn', self.eab_profile_subject_check(self.logger, 'csr', profile_dic))
+
+    @patch('acme_srv.helper.eab_profile_subject_string_check')
+    @patch('acme_srv.helper.csr_subject_get')
+    def test_378_eab_profile_subject_check(self, mock_cn, mock_strchk):
+        """ test eab_profile_subject_check() """
+        profile_dic = {'foo': 'bar'}
+        mock_cn.return_value = {'o': 'o', 'ou': 'ou', 'cn': 'cn'}
+        mock_strchk.side_effect = [False, False, False]
+        self.assertEqual('Profile subject check failed', self.eab_profile_subject_check(self.logger, 'csr', profile_dic))
+
+    @patch('acme_srv.helper.csr_san_get')
+    @patch('acme_srv.helper.csr_cn_get')
+    def test_059_csr_cn_lookup(self, mock_cnget, mock_san_get):
+        """ test _csr_cn_lookup() """
+        mock_cnget.return_value = 'cn'
+        mock_san_get.return_value = ['foo:san1', 'foo:san2']
+        self.assertEqual('cn', self.csr_cn_lookup(self.logger, 'csr'))
+
+    @patch('acme_srv.helper.csr_san_get')
+    @patch('acme_srv.helper.csr_cn_get')
+    def test_060_csr_cn_lookup(self, mock_cnget, mock_san_get):
+        """ test _csr_cn_lookup() """
+        mock_cnget.return_value = None
+        mock_san_get.return_value = ['foo:san1', 'foo:san2']
+        self.assertEqual('san1', self.csr_cn_lookup(self.logger, 'csr'))
+
+    @patch('acme_srv.helper.csr_san_get')
+    @patch('acme_srv.helper.csr_cn_get')
+    def test_061_csr_cn_lookup(self, mock_cnget, mock_san_get):
+        """ test _csr_cn_lookup() """
+        mock_cnget.return_value = None
+        mock_san_get.return_value = ['foosan1', 'foo:san2']
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual('san2', self.csr_cn_lookup(self.logger, 'csr'))
+        self.assertIn('ERROR:test_a2c:CAhandler._csr_cn_lookup() split failed: list index out of range', lcm.output)
+
+    @patch('acme_srv.helper.csr_san_get')
+    @patch('acme_srv.helper.csr_cn_get')
+    def test_062_csr_cn_lookup(self, mock_cnget, mock_san_get):
+        """ test _csr_cn_lookup() """
+        mock_cnget.return_value = None
+        mock_san_get.return_value = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.csr_cn_lookup(self.logger, 'csr'))
+        self.assertIn('ERROR:test_a2c:CAhandler._csr_cn_lookup() no SANs found in CSR', lcm.output)
+
+    @patch('acme_srv.helper.requests.put')
+    @patch('acme_srv.helper.requests.post')
+    @patch('acme_srv.helper.requests.get')
+    def test_063_request_operation(self, mock_get, mock_post, mock_put):
+        """ test request_operation() """
+        mockresponse_get = Mock()
+        mockresponse_get.status_code = 'status_code'
+        mockresponse_get.json = lambda: {'get': 'get'}
+        mock_get.return_value = mockresponse_get
+        mockresponse_post = Mock()
+        mockresponse_post.status_code = 'status_code'
+        mockresponse_post.json = lambda: {'post': 'post'}
+        mock_post.return_value = mockresponse_post
+        mockresponse_put = Mock()
+        mockresponse_put.status_code = 'status_code'
+        mockresponse_put.json = lambda: {'put': 'put'}
+        mock_put.return_value = mockresponse_put
+        self.assertEqual(('status_code', {'get': 'get'}), self.request_operation(logger=self.logger, url='foo', method='get'))
+        self.assertTrue(mock_get.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_put.called)
+
+    @patch('acme_srv.helper.requests.put')
+    @patch('acme_srv.helper.requests.post')
+    @patch('acme_srv.helper.requests.get')
+    def test_064_request_operation(self, mock_get, mock_post, mock_put):
+        """ test request_operation() """
+        mockresponse_get = Mock()
+        mockresponse_get.status_code = 'status_code'
+        mockresponse_get.json = lambda: {'get': 'get'}
+        mock_get.return_value = mockresponse_get
+        mockresponse_post = Mock()
+        mockresponse_post.status_code = 'status_code'
+        mockresponse_post.json = lambda: {'post': 'post'}
+        mock_post.return_value = mockresponse_post
+        mockresponse_put = Mock()
+        mockresponse_put.status_code = 'status_code'
+        mockresponse_put.json = lambda: {'put': 'put'}
+        mock_put.return_value = mockresponse_put
+        self.assertEqual(('status_code', {'post': 'post'}), self.request_operation(logger=self.logger, url='foo', method='post'))
+        self.assertFalse(mock_get.called)
+        self.assertTrue(mock_post.called)
+        self.assertFalse(mock_put.called)
+
+    @patch('acme_srv.helper.requests.put')
+    @patch('acme_srv.helper.requests.post')
+    @patch('acme_srv.helper.requests.get')
+    def test_065_request_operation(self, mock_get, mock_post, mock_put):
+        """ test request_operation() """
+        mockresponse_get = Mock()
+        mockresponse_get.status_code = 'status_code'
+        mockresponse_get.json = lambda: {'get': 'get'}
+        mock_get.return_value = mockresponse_get
+        mockresponse_post = Mock()
+        mockresponse_post.status_code = 'status_code'
+        mockresponse_post.json = lambda: {'post': 'post'}
+        mock_post.return_value = mockresponse_post
+        mockresponse_put = Mock()
+        mockresponse_put.status_code = 'status_code'
+        mockresponse_put.json = lambda: {'put': 'put'}
+        mock_put.return_value = mockresponse_put
+        self.assertEqual(('status_code', {'put': 'put'}), self.request_operation(logger=self.logger, url='foo', method='put'))
+        self.assertFalse(mock_get.called)
+        self.assertFalse(mock_post.called)
+        self.assertTrue(mock_put.called)
+
+    @patch('acme_srv.helper.requests.put')
+    @patch('acme_srv.helper.requests.post')
+    @patch('acme_srv.helper.requests.get')
+    def test_066_request_operation(self, mock_get, mock_post, mock_put):
+        """ test request_operation() """
+        mockresponse_get = Mock()
+        mockresponse_get.status_code = 'status_code'
+        mockresponse_get.json = 'string'
+        mock_get.return_value = mockresponse_get
+        self.assertEqual(('status_code', "'str' object is not callable"), self.request_operation(logger=self.logger, url='foo', method='get'))
+        self.assertTrue(mock_get.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_put.called)
+
+    @patch('acme_srv.helper.requests.put')
+    @patch('acme_srv.helper.requests.post')
+    @patch('acme_srv.helper.requests.get')
+    def test_067_request_operation(self, mock_get, mock_post, mock_put):
+        """ test request_operation() """
+        mockresponse_get = Mock()
+        mockresponse_get.status_code = 'status_code'
+        mockresponse_get.json = 'string'
+        mockresponse_get.text = None
+        mock_get.return_value = mockresponse_get
+        self.assertEqual(('status_code', None), self.request_operation(logger=self.logger, url='foo', method='get'))
+        self.assertTrue(mock_get.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_put.called)
+
+    @patch('acme_srv.helper.requests.put')
+    @patch('acme_srv.helper.requests.post')
+    @patch('acme_srv.helper.requests.get')
+    def test_068_request_operation(self, mock_get, mock_post, mock_put):
+        """ test request_operation() """
+        mockresponse_get = Mock()
+        mockresponse_get.status_code = 'status_code'
+        mockresponse_get.json = 'string'
+        mockresponse_get.text = None
+        mock_get.return_value = mockresponse_get
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual((500, "'NoneType' object has no attribute 'status_code'"), self.request_operation(logger=self.logger, url='foo', method='unknown'))
+        self.assertIn("ERROR:test_a2c:request_operation returned error: 'NoneType' object has no attribute 'status_code'", lcm.output)
+        self.assertFalse(mock_get.called)
+        self.assertFalse(mock_post.called)
+        self.assertFalse(mock_put.called)
+
+
 if __name__ == '__main__':
-    unittest.main()
+    unittest.main()
\ No newline at end of file
diff --git a/test/test_nclm_ca_handler.py b/test/test_nclm_ca_handler.py
index 86fa331f..2d8e06c8 100644
--- a/test/test_nclm_ca_handler.py
+++ b/test/test_nclm_ca_handler.py
@@ -46,343 +46,23 @@ def test_003__api_post(self, mock_post):
             self.assertEqual('exc_api_post', self.cahandler._api_post('url', 'data'))
         self.assertIn('ERROR:test_a2c:CAhandler._api_post() returned error: exc_api_post', lcm.output)
 
-    @patch('requests.get')
-    def test_004_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns nothing """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:ca_id.lookup() no CAs found in response ...', lcm.output)
-
-    @patch('requests.get')
-    def test_005_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns wrong data """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'foo': 'bar'}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:ca_id.lookup() no CAs found in response ...', lcm.output)
-
-    @patch('requests.get')
-    def test_006_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns wrong data """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'foo': 'bar'}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:ca_id.lookup() no CAs found in response ...', lcm.output)
-
-    @patch('requests.get')
-    def test_007_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns empty ca-list """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': []}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:_ca_id_lookup(): no ca id found for ca_name', lcm.output)
-
-    @patch('requests.get')
-    def test_008_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns wrong ca-list """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': [{'foo': 'foo'}]}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:_ca_id_lookup(): no ca id found for ca_name', lcm.output)
-
-    @patch('requests.get')
-    def test_009_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns ca-list with name not matching """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': [{'name': 'foo'}]}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:_ca_id_lookup(): no ca id found for ca_name', lcm.output)
-
-    @patch('requests.get')
-    def test_010_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns ca-list with name matching  but no id """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': [{'name': 'ca_name'}]}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:_ca_id_lookup(): no ca id found for ca_name', lcm.output)
-
-    @patch('requests.get')
-    def test_011_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns ca-list with name matching  and id """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': [{'name': 'ca_name', 'id': 'id'}]}
-        self.assertEqual('id', self.cahandler._ca_id_lookup())
-
-    @patch('requests.get')
-    def test_012_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns ca-list with desc not matching """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': [{'desc': 'foo'}]}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:_ca_id_lookup(): no ca id found for ca_name', lcm.output)
-
-    @patch('requests.get')
-    def test_013_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns ca-list with desc matching  but no id """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': [{'desc': 'ca_name'}]}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_lookup())
-        self.assertIn('ERROR:test_a2c:_ca_id_lookup(): no ca id found for ca_name', lcm.output)
-
-    @patch('requests.get')
-    def test_014_ca_id_lookup(self, mock_req):
-        """ CAhandler._ca_id_lookup() returns ca-list with desc matching  and id """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_name = 'ca_name'
-        self.cahandler.headers = 'headers'
-        mockresponse = Mock()
-        mock_req.return_value = mockresponse
-        mockresponse.json = lambda: {'CAs': [{'desc': 'ca_name', 'id': 'id'}]}
-        self.assertEqual('id', self.cahandler._ca_id_lookup())
-
-    @patch('requests.get')
-    def test_015_ca_id_lookup(self, mock_get):
-        """ CAhandler._cert_bundle_build() returns everything with one ca cert """
-        self.cahandler.api_host = 'api_host'
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificate': {'der': 'der', 'pem': 'pem', 'issuerInfo': {'id': 'id'}}}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'certificate': {'pem': 'pemca'}}
-        mock_get.side_effect = [mockresponse1, mockresponse2]
-        self.assertEqual((None, 'pempemca', 'der'), self.cahandler._cert_bundle_build('foo'))
-
-    @patch('requests.get')
-    def test_016_ca_id_lookup(self, mock_get):
-        """ CAhandler._cert_bundle_build() returns everything with two ca cert """
-        self.cahandler.api_host = 'api_host'
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificate': {'der': 'der', 'pem': 'pem', 'issuerInfo': {'id': 'id1'}}}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'certificate': {'pem': 'pemca1', 'issuerInfo': {'id': 'id'}}}
-        mockresponse3 = Mock()
-        mockresponse3.json = lambda: {'certificate': {'pem': 'pemca2', 'issuerInfo': {'id': 'id'}}}
-        mock_get.side_effect = [mockresponse1, mockresponse2, mockresponse3]
-        self.assertEqual((None, 'pempemca1pemca2', 'der'), self.cahandler._cert_bundle_build('foo'))
-
-    @patch('requests.get')
-    def test_017_ca_id_lookup(self, mock_get):
-        """ CAhandler._cert_bundle_build() returns everything without der in cert_dic """
-        self.cahandler.api_host = 'api_host'
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificate': {'pem': 'pem', 'issuerInfo': {'id': 'id'}}}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'certificate': {'pem': 'pemca'}}
-        mock_get.side_effect = [mockresponse1, mockresponse2]
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertEqual(('no der certificate returned for id foo', 'pempemca', None), self.cahandler._cert_bundle_build('foo'))
-        self.assertIn('ERROR:test_a2c:CAhandler._cert_bundle_build(): no der certificate returned for id: foo', lcm.output)
-
-    @patch('requests.get')
-    def test_018_ca_id_lookup(self, mock_get):
-        """ CAhandler._cert_bundle_build() returns everything without pem in cert_dic """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_id_list = [1]
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificate': {'der': 'der', 'issuerInfo': {'id': 'id'}}}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'certificate': {'pem': 'pemca'}}
-        mock_get.side_effect = [mockresponse1, mockresponse2]
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertEqual(('no pem certificate returned for id foo', 'pemca', 'der'), self.cahandler._cert_bundle_build('foo'))
-        self.assertIn('ERROR:test_a2c:CAhandler._cert_bundle_build(): no pem certificate returned for id: foo', lcm.output)
-
-    @patch('requests.get')
-    def test_019_ca_id_lookup(self, mock_get):
-        """ CAhandler._cert_bundle_build() returns everything without pem in ca_dic """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_id_list = [1]
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificate': {'der': 'der', 'pem': 'pem', 'issuerInfo': {'id': 'id'}}}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'certificate': {'foo': 'bar'}}
-        mock_get.side_effect = [mockresponse1, mockresponse2]
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertEqual(('no pem certificate returned for id id', 'pem', 'der'), self.cahandler._cert_bundle_build('foo'))
-        self.assertIn('ERROR:test_a2c:CAhandler._cert_bundle_build(): no pem certificate returned for id: id', lcm.output)
-
-    @patch('requests.get')
-    def test_020_ca_id_lookup(self, mock_get):
-        """ CAhandler._cert_bundle_build() returns wrong ca_dic """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_id_list = [1]
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificate': {'der': 'der', 'pem': 'pem', 'issuerInfo': {'id': 'id'}}}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'foo': 'bar'}
-        mock_get.side_effect = [mockresponse1, mockresponse2]
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertEqual(('invalid reponse returned for id: id', 'pem', 'der'), self.cahandler._cert_bundle_build('foo'))
-        self.assertIn('ERROR:test_a2c:CAhandler._cert_bundle_build(): invalid reponse returned for id: id', lcm.output)
-
-    @patch('requests.get')
-    def test_021_ca_id_lookup(self, mock_get):
-        """ CAhandler._cert_bundle_build() returns wrong cert_dic """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.ca_id_list = [1]
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'foo': 'bar'}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'foo': 'bar'}
-        mock_get.side_effect = [mockresponse1, mockresponse2]
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertEqual(('invalid reponse returned for id: foo', None, None), self.cahandler._cert_bundle_build('foo'))
-        self.assertIn('ERROR:test_a2c:CAhandler._cert_bundle_build(): invalid reponse returned for id: foo', lcm.output)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_022_cert_id_lookup(self, mock_fetch, mock_comp):
-        """ CAhandler._cert_id_lookup() - one cert - ok """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.return_value = [{'subjectAltName': 'subjectAltName', 'certificateId': 1}]
-        mock_comp.return_value = True
-        self.assertEqual(1, self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_023_cert_id_lookup(self, mock_fetch, mock_comp):
-        """ CAhandler._cert_id_lookup() - two certs - match 2nd entry in list """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.return_value = [{'subjectAltName': 'subjectAltName1', 'certificateId': 1}, {'subjectAltName': 'subjectAltName2', 'certificateId': 2}]
-        mock_comp.side_effect = [True, False]
-        self.assertEqual(2, self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_024_cert_id_lookup(self, mock_fetch, mock_comp):
-        """ CAhandler._cert_id_lookup() - no cn two certs - match 2nd entry in list """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.return_value = [{'subjectAltName': 'subjectAltName1', 'certificateId': 1}, {'subjectAltName': 'subjectAltName2', 'certificateId': 2}]
-        mock_comp.side_effect = [True, False]
-        self.assertEqual(2, self.cahandler._cert_id_lookup(None, 'san_list'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_025_cert_id_lookup(self, mock_fetch, mock_comp):
-        """ CAhandler._cert_id_lookup() - two certs - match 1st entry in list """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.return_value = [{'subjectAltName': 'subjectAltName1', 'certificateId': 1}, {'subjectAltName': 'subjectAltName2', 'certificateId': 2}]
-        mock_comp.side_effect = [False, True]
-        self.assertEqual(1, self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_026_cert_id_lookup(self, mock_fetch, mock_comp):
-        """ CAhandler._cert_id_lookup() - no certificateid return from nclm """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mock_fetch.return_value = [{'subjectAltName': 'subjectAltName', 'foo': 'bar'}]
-        mock_comp.return_value = True
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-        self.assertIn("ERROR:test_a2c:_cert_id_lookup(): response incomplete: 'certificateId'", lcm.output)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_027_cert_id_lookup(self, mock_fetch, mock_comp):
-        """ CAhandler._cert_id_lookup() - two certs match """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.return_value = [{'subjectAltName': 'subjectAltName1', 'certificateId': 1}, {'subjectAltName': 'subjectAltName2', 'certificateId': 2}]
-        mock_comp.side_effect = [True, True]
-        self.assertEqual(2, self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_028_cert_id_lookup(self, mock_fetch, mock_comp):
-        """ CAhandler._cert_id_lookup() - one cert - no san in """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.return_value = [{'foo': 'bar', 'certificateId': 'certificateId'}]
-        mock_comp.return_value = True
-        self.assertFalse(self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_029_cert_id_lookup(self, mock_req, mock_comp):
-        """ CAhandler._cert_id_lookup() - no san_list in function """
-        self.cahandler.api_host = 'api_host'
+    @patch.object(requests, 'post')
+    def test_004__api_post(self, mock_req):
+        """ test _api_post successful run """
         mockresponse = Mock()
-        mockresponse.json = lambda: {'certificates': [{'subjectAltName': 'subjectAltName', 'certificateId': 'certificateId'}]}
         mock_req.return_value = mockresponse
-        mock_comp.return_value = True
-        self.assertFalse(self.cahandler._cert_id_lookup('csr_cn', None))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._san_compare')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_030_cert_id_lookup(self, mock_fetch, mock_comp,):
-        """ CAhandler._cert_id_lookup() - _cert_list_fetch() does not return anything """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.return_value = None
-        mock_comp.return_value = True
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-        self.assertIn('ERROR:test_a2c:_cert_id_lookup(): no certificates found for csr_cn', lcm.output)
+        mockresponse.status_code = 'status_code'
+        mockresponse.json = Exception('json_exc')
+        self.assertEqual({'status': 'status_code'}, self.cahandler._api_post('url', 'data'))
 
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_list_fetch')
-    def test_031_cert_id_lookup(self, mock_fetch):
-        """ CAhandler._cert_id_lookup() - request raises exception """
-        self.cahandler.api_host = 'api_host'
-        mock_fetch.side_effect = Exception('req_exc')
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._cert_id_lookup('csr_cn', 'san_list'))
-        self.assertIn('ERROR:test_a2c:CAhandler._cert_id_lookup() returned error: req_exc', lcm.output)
-
-    def test_032__config_check(self):
+    def test_005__config_check(self):
         """ CAhandler._config.check() no api_host """
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.cahandler._config_check()
         self.assertEqual('api_host to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"api_host" to be set in config file', lcm.output)
 
-    def test_033__config_check(self):
+    def test_006__config_check(self):
         """ CAhandler._config.check() no api_user """
         self.cahandler.api_host = 'api_host'
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -390,7 +70,7 @@ def test_033__config_check(self):
         self.assertEqual('api_user to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"api_user" to be set in config file', lcm.output)
 
-    def test_034__config_check(self):
+    def test_007__config_check(self):
         """ CAhandler._config.check() no api_user """
         self.cahandler.api_host = 'api_host'
         self.cahandler.credential_dic = {'api_user': False}
@@ -399,7 +79,7 @@ def test_034__config_check(self):
         self.assertEqual('api_user to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"api_user" to be set in config file', lcm.output)
 
-    def test_035__config_check(self):
+    def test_008__config_check(self):
         """ CAhandler._config.check() no api_password """
         self.cahandler.api_host = 'api_host'
         self.cahandler.credential_dic = {'api_user': 'api_user'}
@@ -408,7 +88,7 @@ def test_035__config_check(self):
         self.assertEqual('api_password to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"api_password" to be set in config file', lcm.output)
 
-    def test_036__config_check(self):
+    def test_009__config_check(self):
         """ CAhandler._config.check() no api_password """
         self.cahandler.api_host = 'api_host'
         self.cahandler.credential_dic = {'api_user': 'api_user', 'api_password': False}
@@ -417,7 +97,7 @@ def test_036__config_check(self):
         self.assertEqual('api_password to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"api_password" to be set in config file', lcm.output)
 
-    def test_037__config_check(self):
+    def test_010__config_check(self):
         """ CAhandler._config.check() no tsg_name """
         self.cahandler.api_host = 'api_host'
         self.cahandler.credential_dic = {'api_user': 'api_user', 'api_password': 'api_password'}
@@ -426,31 +106,31 @@ def test_037__config_check(self):
         self.assertEqual('tsg_name to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"tsg_name" to be set in config file', lcm.output)
 
-    def test_038__config_check(self):
+    def test_011__config_check(self):
         """ CAhandler._config.check() no tsg_name """
         self.cahandler.api_host = 'api_host'
         self.cahandler.credential_dic = {'api_user': 'api_user', 'api_password': 'api_password'}
-        self.cahandler.tsg_info_dic = {'name': False}
+        self.cahandler.container_info_dic = {'name': False}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.cahandler._config_check()
         self.assertEqual('tsg_name to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"tsg_name" to be set in config file', lcm.output)
 
-    def test_039__config_check(self):
+    def test_012__config_check(self):
         """ CAhandler._config.check() no ca_name """
         self.cahandler.api_host = 'api_host'
         self.cahandler.credential_dic = {'api_user': 'api_user', 'api_password': 'api_password'}
-        self.cahandler.tsg_info_dic = {'name': 'name'}
+        self.cahandler.container_info_dic = {'name': 'name'}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.cahandler._config_check()
         self.assertEqual('ca_name to be set in config file', self.cahandler.error)
         self.assertIn('ERROR:test_a2c:"ca_name" to be set in config file', lcm.output)
 
-    def test_040__config_check(self):
+    def test_013__config_check(self):
         """ CAhandler._config.check() ca_bundle False """
         self.cahandler.api_host = 'api_host'
         self.cahandler.credential_dic = {'api_user': 'api_user', 'api_password': 'api_password'}
-        self.cahandler.tsg_info_dic = {'name': 'name'}
+        self.cahandler.container_info_dic = {'name': 'name'}
         self.cahandler.ca_name = 'ca_name'
         self.cahandler.ca_id_list = ['id1', 'id2']
         self.cahandler.ca_bundle = False
@@ -460,143 +140,124 @@ def test_040__config_check(self):
         self.assertIn('WARNING:test_a2c:"ca_bundle" set to "False" - validation of server certificate disabled', lcm.output)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_041_config_load(self, mock_load_cfg):
+    def test_014_config_load(self, mock_load_cfg):
         """ CAhandler._config_load no cahandler section """
         mock_load_cfg.return_value = {}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertTrue(self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_042_config_load(self, mock_load_cfg):
+    def test_015_config_load(self, mock_load_cfg):
         """ CAhandler._config_load api_host """
         mock_load_cfg.return_value = {'CAhandler': {'api_host': 'api_host'}}
         self.cahandler._config_load()
         self.assertEqual('api_host', self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertTrue(self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_043_config_load(self, mock_load_cfg):
+    def test_016_config_load(self, mock_load_cfg):
         """ CAhandler._config_load api_user """
         mock_load_cfg.return_value = {'CAhandler': {'api_user': 'api_user'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': 'api_user', 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertTrue(self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_044_config_load(self, mock_load_cfg):
+    def test_017_config_load(self, mock_load_cfg):
         """ CAhandler._config_load api_password """
         mock_load_cfg.return_value = {'CAhandler': {'api_password': 'api_password'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': 'api_password'}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertTrue(self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_045_config_load(self, mock_load_cfg):
+    def test_018_config_load(self, mock_load_cfg):
         """ CAhandler._config_load ca_name """
         mock_load_cfg.return_value = {'CAhandler': {'ca_name': 'ca_name'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertEqual('ca_name', self.cahandler.ca_name)
         self.assertTrue(self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_046_config_load(self, mock_load_cfg):
+    def test_019_config_load(self, mock_load_cfg):
         """ CAhandler._config_load tsg_name """
         mock_load_cfg.return_value = {'CAhandler': {'tsg_name': 'tsg_name'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': 'tsg_name', 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertTrue(self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_047_config_load(self, mock_load_cfg):
+    def test_020_config_load(self, mock_load_cfg):
         """ CAhandler._config_load ca_bundle string """
         mock_load_cfg.return_value = {'CAhandler': {'ca_bundle': 'ca_bundle'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertEqual('ca_bundle', self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_048_config_load(self, mock_load_cfg):
+    def test_021_config_load(self, mock_load_cfg):
         """ CAhandler._config_load ca_bundle False """
         mock_load_cfg.return_value = {'CAhandler': {'ca_bundle': False}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertFalse(self.cahandler.ca_bundle)
         self.assertEqual({'name': None, 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_049_config_load(self, mock_load_cfg):
+    def test_022_config_load(self, mock_load_cfg):
         """ CAhandler._config_load template_name """
         mock_load_cfg.return_value = {'CAhandler': {'template_name': 'template_name'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
         self.assertFalse(self.cahandler.ca_name)
         self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
         self.assertEqual(20, self.cahandler.request_timeout)
 
     @patch.dict('os.environ', {'api_user_var': 'user_var'})
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_050_config_load(self, mock_load_cfg):
+    def test_023_config_load(self, mock_load_cfg):
         """ CAhandler._config_load load username from variable """
         mock_load_cfg.return_value = {'CAhandler': {'api_user_variable': 'api_user_var'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': 'user_var', 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch.dict('os.environ', {'api_user_var': 'user_var'})
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_051_config_load(self, mock_load_cfg):
+    def test_024_config_load(self, mock_load_cfg):
         """ CAhandler._config_load load username from non existing """
         mock_load_cfg.return_value = {'CAhandler': {'api_user_variable': 'does_not_exist'}}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -604,11 +265,10 @@ def test_051_config_load(self, mock_load_cfg):
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
         self.assertIn("ERROR:test_a2c:CAhandler._config_load() could not load user_variable:'does_not_exist'", lcm.output)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch.dict('os.environ', {'api_user_var': 'user_var'})
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_052_config_load(self, mock_load_cfg):
+    def test_025_config_load(self, mock_load_cfg):
         """ CAhandler._config_load load username from wich gets overwritten from cfg-file """
         mock_load_cfg.return_value = {'CAhandler': {'api_user_variable': 'api_user_var', 'api_user': 'api_user'}}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -616,21 +276,19 @@ def test_052_config_load(self, mock_load_cfg):
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': 'api_user', 'api_password': None}, self.cahandler.credential_dic)
         self.assertIn('INFO:test_a2c:CAhandler._config_load() overwrite api_user', lcm.output)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch.dict('os.environ', {'api_password_var': 'password_var'})
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_053_config_load(self, mock_load_cfg):
+    def test_026_config_load(self, mock_load_cfg):
         """ CAhandler._config_load load password from variable """
         mock_load_cfg.return_value = {'CAhandler': {'api_password_variable': 'api_password_var'}}
         self.cahandler._config_load()
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': 'password_var'}, self.cahandler.credential_dic)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch.dict('os.environ', {'api_password_var': 'password_var'})
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_054_config_load(self, mock_load_cfg):
+    def test_027_config_load(self, mock_load_cfg):
         """ CAhandler._config_load load password from non existing variable """
         mock_load_cfg.return_value = {'CAhandler': {'api_password_variable': 'does_not_exist'}}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -638,11 +296,10 @@ def test_054_config_load(self, mock_load_cfg):
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
         self.assertIn("ERROR:test_a2c:CAhandler._config_load() could not load password_variable:'does_not_exist'", lcm.output)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch.dict('os.environ', {'api_password_var': 'password_var'})
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_055_config_load(self, mock_load_cfg):
+    def test_028_config_load(self, mock_load_cfg):
         """ CAhandler._config_load load password from variable which gets overwritten """
         mock_load_cfg.return_value = {'CAhandler': {'api_password_variable': 'api_password_var', 'api_password': 'api_password'}}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -650,12 +307,11 @@ def test_055_config_load(self, mock_load_cfg):
         self.assertFalse(self.cahandler.api_host)
         self.assertEqual({'api_password': 'api_password', 'api_user': None}, self.cahandler.credential_dic)
         self.assertIn('INFO:test_a2c:CAhandler._config_load() overwrite api_password', lcm.output)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch('examples.ca_handler.nclm_ca_handler.parse_url')
     @patch('json.loads')
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_056_config_load(self, mock_load_cfg, mock_json, mock_url):
+    def test_029_config_load(self, mock_load_cfg, mock_json, mock_url):
         """ test _config_load ca_handler configured load proxies """
         mock_load_cfg.return_value = {'DEFAULT': {'proxy_server_list': 'foo'}}
         mock_url.return_value = {'foo': 'bar'}
@@ -663,13 +319,12 @@ def test_056_config_load(self, mock_load_cfg, mock_json, mock_url):
         self.cahandler._config_load()
         self.assertTrue(mock_json.called)
         self.assertTrue(mock_url.called)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch('examples.ca_handler.nclm_ca_handler.proxy_check')
     @patch('examples.ca_handler.nclm_ca_handler.parse_url')
     @patch('json.loads')
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_057_config_load(self, mock_load_cfg, mock_json, mock_url, mock_chk):
+    def test_030_config_load(self, mock_load_cfg, mock_json, mock_url, mock_chk):
         """ test _config_load ca_handler configured load proxies """
         mock_load_cfg.return_value = {'DEFAULT': {'proxy_server_list': 'foo'}}
         mock_url.return_value = {'host': 'bar:8888'}
@@ -680,13 +335,12 @@ def test_057_config_load(self, mock_load_cfg, mock_json, mock_url, mock_chk):
         self.assertTrue(mock_url.called)
         self.assertTrue(mock_chk.called)
         self.assertEqual({'http': 'proxy.bar.local', 'https': 'proxy.bar.local'},self.cahandler.proxy )
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
 
     @patch('examples.ca_handler.nclm_ca_handler.proxy_check')
     @patch('examples.ca_handler.nclm_ca_handler.parse_url')
     @patch('json.loads')
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_058_config_load(self, mock_load_cfg, mock_json, mock_url, mock_chk):
+    def test_031_config_load(self, mock_load_cfg, mock_json, mock_url, mock_chk):
         """ test _config_load ca_handler configured load proxies """
         mock_load_cfg.return_value = {'DEFAULT': {'proxy_server_list': 'foo'}}
         mock_url.return_value = {'host': 'bar'}
@@ -699,630 +353,237 @@ def test_058_config_load(self, mock_load_cfg, mock_json, mock_url, mock_chk):
         self.assertFalse(mock_chk.called)
         self.assertFalse(self.cahandler.proxy )
         self.assertIn('WARNING:test_a2c:Challenge._config_load() proxy_server_list failed with error: not enough values to unpack (expected 2, got 1)', lcm.output)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
-
-    @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_059_config_load(self, mock_load_cfg):
-        """ CAhandler._config_load request_delta_treshold """
-        mock_load_cfg.return_value = {'CAhandler': {'request_delta_treshold': 60}}
-        self.cahandler._config_load()
-        self.assertFalse(self.cahandler.api_host)
-        self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
-        self.assertFalse(self.cahandler.ca_name)
-        self.assertEqual(60, self.cahandler.request_delta_treshold)
-
-    @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_060_config_load(self, mock_load_cfg):
-        """ CAhandler._config_load request_delta_treshold string """
-        mock_load_cfg.return_value = {'CAhandler': {'request_delta_treshold': 'aaa'}}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.cahandler._config_load()
-        self.assertFalse(self.cahandler.api_host)
-        self.assertEqual({'api_user': None, 'api_password': None}, self.cahandler.credential_dic)
-        self.assertEqual({'name': None, 'id': None}, self.cahandler.tsg_info_dic)
-        self.assertFalse(self.cahandler.ca_name)
-        self.assertEqual(300, self.cahandler.request_delta_treshold)
-        self.assertIn('ERROR:test_a2c:CAhandler._config_load() could not load request_delta_treshold:aaa', lcm.output)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_061_config_load(self, mock_load_cfg):
+    def test_032_config_load(self, mock_load_cfg):
         """ CAhandler._config_load request_delta_treshold """
         mock_load_cfg.return_value = {'CAhandler': {'request_timeout': 10}}
         self.cahandler._config_load()
         self.assertEqual(10, self.cahandler.request_timeout)
 
     @patch('examples.ca_handler.nclm_ca_handler.load_config')
-    def test_062_config_load(self, mock_load_cfg):
+    def test_033_config_load(self, mock_load_cfg):
         """ CAhandler._config_load request_delta_treshold """
         mock_load_cfg.return_value = {'CAhandler': {'request_timeout': 'aa'}}
         self.cahandler._config_load()
         self.assertEqual(20, self.cahandler.request_timeout)
 
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_063__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_lastreq):
-        """ CAhandler._csr_id_lookup - all ok """
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'subjectName': 'CN=csr_cn, O=bar', 'requestID': 'requestID'}]
-        self.assertEqual('requestID', self.cahandler._csr_id_lookup('csr_cn', ['csr_san_list']))
-        self.assertFalse(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_064__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no requestID in list exception triggered """
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'subjectName': 'CN=csr_cn, O=bar'}]
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._csr_id_lookup('csr_cn', ['csr_san_list']))
-        self.assertFalse(mock_lastreq.called)
-        self.assertIn("ERROR:test_a2c:_csr_id_lookup(): response incomplete: 'requestID'", lcm.output)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_065__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_lastreq):
-        """ CAhandler._csr_id_lookup - cn in mock_unureq not correctly ordered """
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'subjectName': 'O=bar, CN=csr_cn', 'requestID': 'requestID'}]
-        self.assertEqual('requestID', self.cahandler._csr_id_lookup('csr_cn', ['csr_san_list']))
-        self.assertFalse(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_066__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_lastreq):
-        """ CAhandler._csr_id_lookup - empty subjectName """
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'subjectName': '', 'requestID': 'requestID'}]
-        self.assertFalse(self.cahandler._csr_id_lookup('csr_cn', ['csr_san_list']))
-        self.assertFalse(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_067__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no subjectName """
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 'requestID'}]
-        self.assertFalse(self.cahandler._csr_id_lookup('csr_cn', ['csr_san_list']))
-        self.assertFalse(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_068__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_lastreq):
-        """ CAhandler._csr_id_lookup - requests to old """
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 100
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'subjectName': 'O=bar, CN=csr_cn', 'requestID': 'requestID'}]
-        self.assertFalse(self.cahandler._csr_id_lookup('csr_cn', ['csr_san_list']))
-        self.assertFalse(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_069__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_san, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no csr_cn  one san """
-        self.cahandler.api_host = 'api_host'
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 'requestID'}]
-        mock_lastreq.return_value = [{'pkcs10': 'pkcs10', 'requestId': 1}]
-        mock_san.return_value = ['csr_san_list']
-        self.assertEqual(1, self.cahandler._csr_id_lookup(None, ['csr_san_list'], 'pkcs10'))
-        self.assertTrue(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_070__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_san, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no csr_cn  two sans """
-        self.cahandler.api_host = 'api_host'
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 'requestID'}]
-        mock_lastreq.return_value = [{'pkcs10': 'pkcs10', 'requestId': 1}]
-        mock_san.return_value = ['san1', 'san2']
-        self.assertEqual(1, self.cahandler._csr_id_lookup(None, ['san1', 'san2'], 'pkcs10'))
-        self.assertTrue(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_071__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_san, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no csr_cn  two sans to be reordered """
-        self.cahandler.api_host = 'api_host'
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 'requestID'}]
-        mock_lastreq.return_value = [{'pkcs10': 'pkcs10', 'requestId': 1}]
-        mock_san.return_value = ['san1', 'san2']
-        self.assertEqual(1, self.cahandler._csr_id_lookup(None, ['san2', 'san1'], 'pkcs10'))
-        self.assertTrue(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_072__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_san, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no csr_cn  no requestID """
-        self.cahandler.api_host = 'api_host'
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 'requestID'}]
-        mock_lastreq.return_value = [{'pkcs10': 'pkcs10', 'foo': 'bar'}]
-        mock_san.return_value = ['san2', 'san1']
-        self.assertFalse(self.cahandler._csr_id_lookup(None, ['san1', 'san2'], 'pkcs10'))
-        self.assertTrue(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_073__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_san, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no csr_cn  sans are not matching """
-        self.cahandler.api_host = 'api_host'
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 'requestID'}]
-        mock_lastreq.return_value = [{'pkcs10': 'pkcs10', 'requestID': 'requestID'}]
-        mock_san.return_value = ['san1']
-        self.assertFalse(self.cahandler._csr_id_lookup(None, ['san1', 'san2'], 'pkcs10'))
-        self.assertTrue(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_074__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_san, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no csr_cn  no pkcs10 """
-        self.cahandler.api_host = 'api_host'
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 'requestID'}]
-        mock_lastreq.return_value = [{'pkcs10': 'pkcs10', 'requestId': 1}]
-        mock_san.return_value = ['san1']
-        self.assertFalse(self.cahandler._csr_id_lookup(None, ['san1', 'san2']))
-        self.assertTrue(mock_lastreq.called)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._lastrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.date_to_uts_utc')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._unusedrequests_get')
-    @patch('examples.ca_handler.nclm_ca_handler.uts_now')
-    def test_075__csr_id_lookup(self, mock_utsnow, mock_unureq, mock_uts, mock_san, mock_lastreq):
-        """ CAhandler._csr_id_lookup - no csr_cn trigger excption in loop """
-        self.cahandler.api_host = 'api_host'
-        mock_utsnow.return_value = 1000
-        mock_uts.return_value = 900
-        mock_unureq.return_value = [{'addedAt': 'addedAt', 'requestID': 1}]
-        mock_lastreq.return_value = [{'foo': 'bar', 'requestID': 'requestID'}]
-
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._csr_id_lookup(None, ['san1', 'san2'], 'pkcs10'))
-        self.assertTrue(mock_lastreq.called)
-        self.assertIn("ERROR:test_a2c:_csr_id_lookup(): response incomplete: 'requestId'", lcm.output)
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    def test_076__request_import(self, mock_req):
-        """ CAhandler._request_import """
-        self.cahandler.api_host = 'api_host'
-        mock_req.return_value = 'foo'
-        self.assertEqual('foo', self.cahandler._request_import('csr'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    def test_077__request_import(self, mock_req):
-        """ CAhandler._request_import - req raises an exception """
-        self.cahandler.api_host = 'api_host'
-        mock_req.side_effect = Exception('exc_req_import')
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._request_import('csr'))
-        self.assertIn('ERROR:test_a2c:CAhandler._request_import() returned error: exc_req_import', lcm.output)
-
-    @patch('requests.get')
-    def test_078__unusedrequests_get(self, mock_req):
-        """ CAhandler._unusedrequests_get """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'foo': 'bar'}
-        mock_req.return_value = mockresponse
-        self.assertEqual({'foo': 'bar'}, self.cahandler._unusedrequests_get())
-
-    @patch('requests.get')
-    def test_079__unusedrequests_get(self, mock_req):
-        """ CAhandler._unusedrequests_get """
-        self.cahandler.api_host = 'api_host'
-        mock_req.side_effect = Exception('exc_req_unused')
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._unusedrequests_get())
-        self.assertIn('ERROR:test_a2c:CAhandler._unusedrequests_get() returned error: exc_req_unused', lcm.output)
+    @patch('examples.ca_handler.nclm_ca_handler.load_config')
+    def test_034_config_load(self, mock_load_cfg):
+        """ CAhandler._config_load  """
+        mock_load_cfg.return_value = {'CAhandler': {'container_name': 'container_name'}}
+        self.cahandler._config_load()
+        self.assertEqual({'name': 'container_name', 'id': None}, self.cahandler.container_info_dic)
 
+    @patch('requests.post')
     @patch('requests.get')
-    def test_080__login(self, mock_get):
+    def test_035__login(self, mock_get, mock_post):
         """ CAhandler._unusedrequests_get """
         self.cahandler.api_host = 'api_host'
         mockresponse1 = Mock()
-        mockresponse1.status_code = 'foo'
+        mockresponse1.status_code = '500'
         mockresponse1.ok = None
-        # mockresponse1.raise_for_status = Mock(return_value='status')
         mock_get.return_value = mockresponse1
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.cahandler._login()
+        self.assertIn('ERROR:test_a2c:CAhandler._login() error during get: 500', lcm.output)
+        self.assertFalse(mock_post.called)
         self.assertFalse(self.cahandler.headers)
-        self.assertIn('ERROR:test_a2c:CAhandler._login() error during get: foo', lcm.output)
 
     @patch('requests.post')
     @patch('requests.get')
-    def test_081__login(self, mock_get, mock_post):
+    def test_036__login(self, mock_get, mock_post):
         """ CAhandler._unusedrequests_get """
         self.cahandler.api_host = 'api_host'
         mockresponse1 = Mock()
-        mockresponse1.status_code = lambda: 'foo'
-        mock_get.return_value = mockresponse1
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'access_token': 'access_token', 'username': 'username', 'realms': 'realms'}
-        mock_post.return_value = mockresponse2
-        self.cahandler._login()
-        self.assertEqual({'Authorization': 'Bearer access_token'}, self.cahandler.headers)
-
-    @patch('requests.post')
-    @patch('requests.get')
-    def test_082__login(self, mock_get, mock_post):
-        """ CAhandler._unusedrequests_get  mock_post without username"""
-        self.cahandler.api_host = 'api_host'
-        mockresponse1 = Mock()
-        mockresponse1.status_code = lambda: 'foo'
+        mockresponse1.status_code = '200'
+        mockresponse1.json = lambda: {'versionNumber': 'versionNumber'}
+        mockresponse1.ok = True
         mock_get.return_value = mockresponse1
         mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'access_token': 'access_token', 'foo': 'bar', 'realms': 'realms'}
+        mockresponse2.status_code = '500'
+        mockresponse2.json = lambda: {'foo': 'bar', 'username': 'username', 'realms': 'realms'}
+        mockresponse2.ok = None
         mock_post.return_value = mockresponse2
-        self.cahandler._login()
-        self.assertEqual({'Authorization': 'Bearer access_token'}, self.cahandler.headers)
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._login()
+        self.assertIn('ERROR:test_a2c:CAhandler._login() error during post: 500', lcm.output)
+        self.assertTrue(mock_post.called)
+        self.assertFalse(self.cahandler.headers)
+        self.assertEqual('versionNumber', self.cahandler.nclm_version)
 
     @patch('requests.post')
     @patch('requests.get')
-    def test_083__login(self, mock_get, mock_post):
-        """ CAhandler._unusedrequests_get  mock_post without username"""
+    def test_037__login(self, mock_get, mock_post):
+        """ CAhandler._unusedrequests_get """
         self.cahandler.api_host = 'api_host'
         mockresponse1 = Mock()
-        mockresponse1.status_code = lambda: 'foo'
+        mockresponse1.status_code = '200'
+        mockresponse1.json = lambda: {'versionNumber': 'versionNumber'}
+        mockresponse1.ok = True
         mock_get.return_value = mockresponse1
         mockresponse2 = Mock()
-        mockresponse2.ok = None
-        mockresponse2.status_code = 'foo2'
+        mockresponse2.status_code = '200'
+        mockresponse2.json = lambda: {'foo': 'bar', 'username': 'username', 'realms': 'realms'}
+        mockresponse2.ok = True
         mock_post.return_value = mockresponse2
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.cahandler._login()
+        self.assertIn('ERROR:test_a2c:CAhandler._login(): No token returned. Aborting.', lcm.output)
+        self.assertTrue(mock_post.called)
         self.assertFalse(self.cahandler.headers)
-        self.assertIn('ERROR:test_a2c:CAhandler._login() error during post: foo2', lcm.output)
+        self.assertEqual('versionNumber', self.cahandler.nclm_version)
 
     @patch('requests.post')
     @patch('requests.get')
-    def test_084__login(self, mock_get, mock_post):
-        """ CAhandler._unusedrequests_get mock_post without realms"""
+    def test_038__login(self, mock_get, mock_post):
+        """ CAhandler._unusedrequests_get """
         self.cahandler.api_host = 'api_host'
         mockresponse1 = Mock()
-        mockresponse1.status_code = lambda: 'foo'
+        mockresponse1.status_code = '200'
+        mockresponse1.json = lambda: {'versionNumber': 'versionNumber'}
+        mockresponse1.ok = True
         mock_get.return_value = mockresponse1
         mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'access_token': 'access_token', 'username': 'username', 'foo': 'bar'}
+        mockresponse2.status_code = '200'
+        mockresponse2.json = lambda: {'access_token': 'access_token', 'username': 'username', 'realms': 'realms'}
+        mockresponse2.ok = True
         mock_post.return_value = mockresponse2
         self.cahandler._login()
+        self.assertTrue(mock_post.called)
         self.assertEqual({'Authorization': 'Bearer access_token'}, self.cahandler.headers)
+        self.assertEqual('versionNumber', self.cahandler.nclm_version)
 
-    @patch('requests.post')
-    @patch('requests.get')
-    def test_085__login(self, mock_get, mock_post):
-        """ CAhandler._unusedrequests_get mock_post without access tooken"""
-        self.cahandler.api_host = 'api_host'
-        mockresponse1 = Mock()
-        mockresponse1.status_code = lambda: 'foo'
-        mockresponse1.ok = 'ok'
-        mock_get.return_value = mockresponse1
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'foo': 'bar', 'username': 'username', 'realms': 'realms'}
-        mock_post.return_value = mockresponse2
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.cahandler._login()
-        self.assertFalse(self.cahandler.headers)
-        self.assertIn('ERROR:test_a2c:CAhandler._login(): No token returned. Aborting...', lcm.output)
-
-    def test_086__san_compare(self):
-        """ CAhandler._san_compare all ok """
-        csr_san_list = ['foo:foo']
-        cert_san_list = {'foo': ['foo']}
-        self.assertTrue(self.cahandler._san_compare(csr_san_list, cert_san_list))
-
-    def test_087__san_compare(self):
-        """ CAhandler._san_compare multiple """
-        csr_san_list = ['foo:foo', 'foo:bar']
-        cert_san_list = {'foo': ['foo', 'bar']}
-        self.assertTrue(self.cahandler._san_compare(csr_san_list, cert_san_list))
-
-    def test_088__san_compare(self):
-        """ CAhandler._san_compare multiple """
-        csr_san_list = ['foo:foo,foo:bar']
-        cert_san_list = {'foo': ['foo', 'bar']}
-        self.assertTrue(self.cahandler._san_compare(csr_san_list, cert_san_list))
-
-    def test_089__san_compare(self):
-        """ CAhandler._san_compare multiple """
-        csr_san_list = ['foo:foo,foo:bar1']
-        cert_san_list = {'foo': ['foo', 'bar']}
-        self.assertFalse(self.cahandler._san_compare(csr_san_list, cert_san_list))
-
-    def test_090_poll(self):
+
+    def test_039_poll(self):
         """ CAhandler.poll() """
         self.assertEqual(('Method not implemented.', None, None, 'poll_identifier', False), self.cahandler.poll('cert_name', 'poll_identifier', 'csr'))
 
-    def test_091_trigger(self):
+    def test_040_trigger(self):
         """ CAhandler.trigger() """
         self.assertEqual(('Method not implemented.', None, None), self.cahandler.trigger('payload'))
 
     @patch('requests.get')
-    def test_092___tsg_id_lookup(self, mock_get):
-        """ CAhandler._tsg_id_lookup() - all ok """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'targetSystemGroups': [{'name': 'name', 'id': 'id'}]}
-        mock_get.return_value = mockresponse
-        self.cahandler.tsg_info_dic = {'name': 'name', 'id': None}
-        self.cahandler._tsg_id_lookup()
-        self.assertEqual({'name': 'name', 'id': 'id'}, self.cahandler.tsg_info_dic)
-
-    @patch('requests.get')
-    def test_093___tsg_id_lookup(self, mock_get):
-        """ CAhandler._tsg_id_lookup() - multipe returned 1st matches """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'targetSystemGroups': [{'name': 'name', 'id': 'id'}, {'name': 'name1', 'id': 'id1'}]}
-        mock_get.return_value = mockresponse
-        self.cahandler.tsg_info_dic = {'name': 'name', 'id': None}
-        self.cahandler._tsg_id_lookup()
-        self.assertEqual({'name': 'name', 'id': 'id'}, self.cahandler.tsg_info_dic)
-
-    @patch('requests.get')
-    def test_094___tsg_id_lookup(self, mock_get):
-        """ CAhandler._tsg_id_lookup() - multipe returned 2nd matches """
+    def test_041_container_id_lookup(self, mock_get):
+        """ CAhandler._container_id_lookup() """
         self.cahandler.api_host = 'api_host'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'targetSystemGroups': [{'name': 'name1', 'id': 'id1'}, {'name': 'name', 'id': 'id'}]}
+        mockresponse.json = lambda: {'items': [{'name': 'name1', 'id': 'id1'}, {'name': 'name2', 'id': 'id2'}]}
         mock_get.return_value = mockresponse
-        self.cahandler.tsg_info_dic = {'name': 'name', 'id': None}
-        self.cahandler._tsg_id_lookup()
-        self.assertEqual({'name': 'name', 'id': 'id'}, self.cahandler.tsg_info_dic)
+        self.cahandler.container_info_dic = {'name': 'name1', 'id': None}
+        self.cahandler._container_id_lookup()
+        self.assertEqual({'name': 'name1', 'id': 'id1'}, self.cahandler.container_info_dic)
 
     @patch('requests.get')
-    def test_095___tsg_id_lookup(self, mock_get):
-        """ CAhandler._tsg_id_lookup() - id is missing """
+    def test_042_container_id_lookup(self, mock_get):
+        """ CAhandler._container_id_lookup() """
         self.cahandler.api_host = 'api_host'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'targetSystemGroups': [{'name': 'name'}]}
+        mockresponse.json = lambda: {'items': [{'name1': 'name1', 'id': 'id1'}, {'name': 'name2', 'id': 'id2'}]}
         mock_get.return_value = mockresponse
-        self.cahandler.tsg_info_dic = {'name': 'name', 'id': None}
+        self.cahandler.container_info_dic = {'name': 'name', 'id': None}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.cahandler._tsg_id_lookup()
-        self.assertEqual({'name': 'name', 'id': None}, self.cahandler.tsg_info_dic)
-        self.assertIn("ERROR:test_a2c:CAhandler._tsg_id_lookup() incomplete response: {'name': 'name'}", lcm.output)
+            self.cahandler._container_id_lookup()
+        self.assertIn("ERROR:test_a2c:CAhandler._container_id_lookup() incomplete response: {'name1': 'name1', 'id': 'id1'}", lcm.output)
+        self.assertEqual({'name': 'name', 'id': None}, self.cahandler.container_info_dic)
 
     @patch('requests.get')
-    def test_096___tsg_id_lookup(self, mock_get):
-        """ CAhandler._tsg_id_lookup() - name is missing """
+    def test_043_container_id_lookup(self, mock_get):
+        """ CAhandler._container_id_lookup() """
         self.cahandler.api_host = 'api_host'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'targetSystemGroups': [{'foo': 'bar', 'id': 'id'}]}
+        mockresponse.json = lambda: {'foo': [{'name': 'name1', 'id': 'id1'}, {'name': 'name2', 'id': 'id2'}]}
         mock_get.return_value = mockresponse
-        self.cahandler.tsg_info_dic = {'name': 'name', 'id': None}
+        self.cahandler.container_info_dic = {'name': 'name', 'id': None}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.cahandler._tsg_id_lookup()
-        self.assertEqual({'name': 'name', 'id': None}, self.cahandler.tsg_info_dic)
-        self.assertIn("ERROR:test_a2c:CAhandler._tsg_id_lookup() incomplete response: {'foo': 'bar', 'id': 'id'}", lcm.output)
+            self.cahandler._container_id_lookup()
+        self.assertIn('ERROR:test_a2c:CAhandler._container_id_lookup() no target-system-groups found for filter: name.', lcm.output)
+        self.assertEqual({'name': 'name', 'id': None}, self.cahandler.container_info_dic)
 
     @patch('requests.get')
-    def test_097___tsg_id_lookup(self, mock_get):
-        """ CAhandler._tsg_id_lookup() - targetSystemGroups is missing """
+    def test_044_container_id_lookup(self, mock_req):
+        """ CAhandler._container_id_lookup() """
         self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'tsg': [{'foo': 'bar', 'id': 'id'}]}
-        mock_get.return_value = mockresponse
-        self.cahandler.tsg_info_dic = {'name': 'name', 'id': None}
+        mock_req.side_effect = Exception('exc_container_id_lookup')
+        self.cahandler.container_info_dic = {'name': 'name', 'id': None}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.cahandler._tsg_id_lookup()
-        self.assertEqual({'name': 'name', 'id': None}, self.cahandler.tsg_info_dic)
-        self.assertIn('ERROR:test_a2c:CAhandler._tsg_id_lookup() no target-system-groups found for filter: name...', lcm.output)
+            self.cahandler._container_id_lookup()
+        self.assertIn('ERROR:test_a2c:CAhandler._container_id_lookup() returned error: exc_container_id_lookup', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._container_id_lookup() no target-system-groups found for filter: name.', lcm.output)
+        self.assertEqual({'name': 'name', 'id': None}, self.cahandler.container_info_dic)
 
-    @patch('requests.get')
-    def test_098__tsg_id_lookup(self, mock_req):
-        """ CAhandler._request_import - req raises an exception """
-        self.cahandler.api_host = 'api_host'
-        mock_req.side_effect = Exception('exc_tsg_id_lookup')
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._tsg_id_lookup())
-        self.assertIn('ERROR:test_a2c:CAhandler._tsg_id_lookup() returned error: exc_tsg_id_lookup', lcm.output)
 
-    @patch('requests.get')
-    def test_099__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - all ok """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'template_name', 'allowed': True, 'policyLinkId': 10, 'linkType': 'TEMPLATE'}]}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': 10}, self.cahandler.template_info_dic)
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._templates_enumerate')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_list_get')
+    def test_045__template_id_lookup(self, mock_list, mock_enum):
+        """ CAhandler._template_id_lookup """
+        mock_list.return_value = {'foo': 'bar'}
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.cahandler._template_id_lookup('caid')
+        self.assertIn('ERROR:test_a2c:CAhandler._template_id_lookup() no templates found for filter: None.', lcm.output)
+        self.assertFalse(mock_enum.called)
 
-    @patch('requests.get')
-    def test_100__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - linkId None """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'template_name', 'allowed': True, 'linkId': None, 'linkType': 'TEMPLATE'}]}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._templates_enumerate')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_list_get')
+    def test_046__template_id_lookup(self, mock_list, mock_enum):
+        """ CAhandler._template_id_lookup """
+        mock_list.return_value = {'items': ['foo', 'bar']}
+        self.cahandler._template_id_lookup('caid')
+        self.assertTrue(mock_enum.called)
 
     @patch('requests.get')
-    def test_101__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - No linkId """
+    def test_047__template_list_get(self, mock_get):
+        """ CAhandler._template_id_lookup() """
         self.cahandler.api_host = 'api_host'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'template_name', 'allowed': True, 'linkType': 'TEMPLATE'}]}}
+        mockresponse.json = lambda: {'foo': 'bar'}
         mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
+        self.assertEqual({'foo': 'bar'}, self.cahandler._template_list_get(6))
 
     @patch('requests.get')
-    def test_102__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - no match in template names """
+    def test_048__template_list_get(self, mock_get):
+        """ CAhandler._template_id_lookup() """
         self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'nomatch', 'allowed': True, 'linkId': 10, 'linkType': 'TEMPLATE'}]}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
+        mock_get.side_effect = Exception('req_exc')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cahandler._template_list_get(6))
+        self.assertIn('ERROR:test_a2c:CAhandler._template_list_get() returned error: req_exc', lcm.output)
 
     @patch('requests.get')
-    def test_103__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - allowed false """
+    def test_049__template_list_get(self, mock_get):
+        """ CAhandler._template_id_lookup() """
         self.cahandler.api_host = 'api_host'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'template_name', 'allowed': False, 'linkId': 10, 'linkType': 'TEMPLATE'}]}}
+        mockresponse.json = lambda: {'items': 'bar'}
         mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_104__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - template in lower cases """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'template_name', 'allowed': True, 'policyLinkId': 10, 'linkType': 'template'}]}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': 10}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_105__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - no template """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'template_name', 'allowed': True, 'linkId': 10, 'linkType': 'linkType'}]}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_106__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - no linktype """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': [{'displayName': 'template_name', 'allowed': True, 'linkId': 10}]}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_107__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - empty list """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'items': []}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_108__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - no items """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'template': {'blank': []}}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_109__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - wrong dict """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'foo': 'bar'}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_110__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - wrong dict """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'foo': 'bar'}
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_111__template_id_lookup(self, mock_get):
-        """ CAhandler._template_id_lookup() - empty response """
-        self.cahandler.api_host = 'api_host'
-        mockresponse = Mock()
-        mockresponse.json = None
-        mock_get.return_value = mockresponse
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-
-    @patch('requests.get')
-    def test_112__template_id_lookup(self, mock_req):
-        """ CAhandler._cert_id_lookup() - request raises exception """
-        self.cahandler.api_host = 'api_host'
-        mock_req.side_effect = Exception('req_exc')
-        self.cahandler.template_info_dic = {'name': 'template_name', 'id': None}
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.cahandler._template_id_lookup()
-        self.assertEqual({'name': 'template_name', 'id': None}, self.cahandler.template_info_dic)
-        self.assertIn('ERROR:test_a2c:CAhandler._template_id_lookup() returned error: req_exc', lcm.output)
+        self.assertEqual({'items': 'bar'}, self.cahandler._template_list_get(6))
+
+    def test_050__templates_enumerate(self):
+        """ CAhandler._templates_enumerate() """
+        template_list = {'items': [{'name': 'foo', 'id': 'id'}, {'name': 'foo1', 'id': 'id1'}]}
+        self.cahandler.template_info_dic = {'name': 'foo'}
+        self.cahandler._templates_enumerate(template_list)
+        self.assertEqual({'id': 'id', 'name': 'foo'}, self.cahandler.template_info_dic)
+
+    def test_051__templates_enumerate(self):
+        """ CAhandler._templates_enumerate() """
+        template_list = {'items': [{'name': 'foo', 'id': 'id'}, {'name': 'foo1', 'id': 'id1'}]}
+        self.cahandler.template_info_dic = {'name': 'foo1'}
+        self.cahandler._templates_enumerate(template_list)
+        self.assertEqual({'id': 'id1', 'name': 'foo1'}, self.cahandler.template_info_dic)
+
+    def test_052__templates_enumerate(self):
+        """ CAhandler._templates_enumerate() """
+        template_list = {'items': [{'name': 'foo', 'id': 'id'}, {'name': 'foo1', 'id': 'id1'}, {'name': 'foo', 'id': 'id2'}]}
+        self.cahandler.template_info_dic = {'name': 'foo'}
+        self.cahandler._templates_enumerate(template_list)
+        self.assertEqual({'id': 'id', 'name': 'foo'}, self.cahandler.template_info_dic)
 
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_load')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_check')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._login')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._tsg_id_lookup')
-    def test_113__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._container_id_lookup')
+    def test_053__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
         """ test enter """
         self.cahandler.__enter__()
         self.assertTrue(mock_load.called)
@@ -1333,8 +594,8 @@ def test_113__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_load')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_check')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._login')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._tsg_id_lookup')
-    def test_114__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._container_id_lookup')
+    def test_054__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
         """ test enter  with host already defined """
         self.cahandler.api_host = 'api_host'
         self.cahandler.__enter__()
@@ -1346,8 +607,8 @@ def test_114__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_load')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_check')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._login')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._tsg_id_lookup')
-    def test_115__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._container_id_lookup')
+    def test_055__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
         """ test enter with header defined """
         self.cahandler.headers = 'header'
         self.cahandler.__enter__()
@@ -1359,8 +620,8 @@ def test_115__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_load')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_check')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._login')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._tsg_id_lookup')
-    def test_116__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._container_id_lookup')
+    def test_056__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
         """ test enter with error defined """
         self.cahandler.error = 'error'
         self.cahandler.__enter__()
@@ -1372,10 +633,10 @@ def test_116__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_load')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_check')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._login')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._tsg_id_lookup')
-    def test_117__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._container_id_lookup')
+    def test_057__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
         """ test enter with tst_info_dic defined """
-        self.cahandler.tsg_info_dic = {'id': 'foo'}
+        self.cahandler.container_info_dic = {'id': 'foo'}
         self.cahandler.__enter__()
         self.assertTrue(mock_load.called)
         self.assertTrue(mock_check.called)
@@ -1385,10 +646,10 @@ def test_117__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_load')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._config_check')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._login')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._tsg_id_lookup')
-    def test_118__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._container_id_lookup')
+    def test_058__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
         """ test enter with error defined """
-        self.cahandler.tsg_info_dic = {'id': 'foo'}
+        self.cahandler.container_info_dic = {'id': 'foo'}
         self.cahandler.error = 'error'
         self.cahandler.__enter__()
         self.assertTrue(mock_load.called)
@@ -1396,377 +657,484 @@ def test_118__enter__(self, mock_lookup, mock_login, mock_check, mock_load):
         self.assertFalse(mock_login.called)
         self.assertFalse(mock_lookup.called)
 
-    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
-    @patch('requests.get')
-    def test_119_revoke(self, mock_get, mock_serial):
-        """ test revoke empty certificate list has been returned """
-        self.cahandler.api_host = 'api_host'
-        mock_serial.return_value = 11
-        mockresponse = Mock()
-        mockresponse.json = lambda: {'foo': 'bar'}
-        mock_get.return_value = mockresponse
-        self.assertEqual((404, 'urn:ietf:params:acme:error:serverInternal', 'Cert could not be found'), self.cahandler.revoke('cert', 'rev_reason', 'rev_date'))
+    def test_059__ca_id_get(self):
+        """ test _ca_id_get() """
+        ca_list = {}
+        self.assertFalse(self.cahandler._ca_id_get(ca_list))
 
-    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
-    @patch('requests.get')
-    def test_120_revoke(self, mock_get, mock_serial):
-        """ test revoke request get aborted with exception """
-        self.cahandler.api_host = 'api_host'
-        mock_serial.return_value = 11
-        mock_get.side_effect = Exception('ex_req_get')
+    def test_060__ca_id_get(self):
+        """ test _ca_id_get() """
+        ca_list = {'ca': {'foo': 'bar'}}
+        self.assertFalse(self.cahandler._ca_id_get(ca_list))
+
+    def test_061__ca_id_get(self):
+        """ test _ca_id_get() """
+        ca_list = {'items': 'bar'}
+        self.assertFalse(self.cahandler._ca_id_get(ca_list))
+
+    def test_062__ca_id_get(self):
+        """ test _ca_id_get() """
+        ca_list = {'items': [{'foo': 'bar'}]}
+        self.assertFalse(self.cahandler._ca_id_get(ca_list))
+
+    def test_063__ca_id_get(self):
+        """ test _ca_id_get() """
+        self.cahandler.ca_name = 'ca_name'
+        ca_list = {'items': [{'name': 'ca_name', 'id': 'id'}]}
+        self.assertEqual('id', self.cahandler._ca_id_get(ca_list))
+
+    def test_064__ca_id_get(self):
+        """ test _ca_id_get() """
+        self.cahandler.ca_name = 'ca_name'
+        ca_list = {'items': [{'name': 'ca_name', 'id1': 'id'}]}
         with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertEqual((404, 'urn:ietf:params:acme:error:serverInternal', 'Cert could not be found'), self.cahandler.revoke('cert', 'rev_reason', 'rev_date'))
-        self.assertIn('ERROR:test_a2c:CAhandler.revoke(): request get aborted with err: ex_req_get', lcm.output)
+            self.assertFalse(self.cahandler._ca_id_get(ca_list))
+        self.assertIn('ERROR:test_a2c:ca_id.lookup() policyLinkId field is missing  ...', lcm.output)
 
-    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
+    def test_065__ca_id_get(self):
+        """ test _ca_id_get() """
+        self.cahandler.ca_name = 'ca_name1'
+        ca_list = {'items': [{'name': 'ca_name', 'id': 'id'}]}
+        self.assertFalse(self.cahandler._ca_id_get(ca_list))
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_id_get')
     @patch('requests.get')
-    def test_121_revoke(self, mock_get, mock_serial):
-        """ test revoke certificates in certificate_list but content is bogus """
+    def test_066__ca_policylink_id_lookup(self, mock_req, mock_caid):
+        """ test _ca_policylink_id_lookup() """
         self.cahandler.api_host = 'api_host'
-        mock_serial.return_value = 11
+        self.cahandler.container_info_dic = {'id': 'id'}
         mockresponse = Mock()
-        mockresponse.json = lambda: {'certificates': [{'foo': 'bar'}]}
-        mock_get.return_value = mockresponse
-        self.assertEqual((404, 'urn:ietf:params:acme:error:serverInternal', 'CertificateID could not be found'), self.cahandler.revoke('cert', 'rev_reason', 'rev_date'))
+        mockresponse.json = lambda: {'items': ['foo', 'bar', 'foo', 'bar']}
+        mock_req.return_value = mockresponse
+        mock_caid.return_value = 10
+        self.assertEqual(10, self.cahandler._ca_policylink_id_lookup())
+        self.assertTrue(mock_caid.called)
 
-    @patch('requests.post')
-    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_id_get')
     @patch('requests.get')
-    def test_122_revoke(self, mock_get, mock_serial, mock_post):
-        """ test revoke certificates in certificate_list all good """
+    def test_067__ca_policylink_id_lookup(self, mock_req, mock_caid):
+        """ test _ca_policylink_id_lookup() """
         self.cahandler.api_host = 'api_host'
-        mock_serial.return_value = 11
+        self.cahandler.container_info_dic = {'id': 'id'}
         mockresponse = Mock()
-        mockresponse.json = lambda: {'certificates': [{'certificateId': 100}]}
-        mock_get.return_value = mockresponse
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'foo': 'bar'}
-        mock_post.return_value = mockresponse2
-        self.assertEqual((200, None, {'foo': 'bar'}), self.cahandler.revoke('cert', 'rev_reason', 'rev_date'))
+        mockresponse.json = lambda: {'items': ['foo', 'bar', 'foo', 'bar']}
+        mock_req.return_value = mockresponse
+        mock_caid.return_value = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.cahandler._ca_policylink_id_lookup())
+        self.assertIn('ERROR:test_a2c:CAhandler_ca_policylink_id_lookup(): no policylink id found for None', lcm.output)
+        self.assertTrue(mock_caid.called)
 
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_id_get')
     @patch('requests.get')
-    def test_123_revoke(self, mock_get, mock_serial, mock_post):
-        """ test revoke certificates in certificate_list but request.post returns execption """
+    def test_068__ca_policylink_id_lookup(self, mock_req, mock_caid):
+        """ test _ca_policylink_id_lookup() """
         self.cahandler.api_host = 'api_host'
-        mock_serial.return_value = 11
+        self.cahandler.container_info_dic = {'id': 'id'}
         mockresponse = Mock()
-        mockresponse.json = lambda: {'certificates': [{'certificateId': 100}]}
-        mock_get.return_value = mockresponse
-        mock_post.side_effect = Exception('ex_req_post')
-        self.assertEqual((500, 'urn:ietf:params:acme:error:serverInternal', 'Revocation operation failed'), self.cahandler.revoke('cert', 'rev_reason', 'rev_date'))
-
-    def test_124_enroll(self):
-        """ enroll() if there is an error """
-        self.cahandler.error = 'foo'
+        mockresponse.json = lambda: {'foo': ['foo', 'bar', 'foo', 'bar']}
+        mock_req.return_value = mockresponse
+        mock_caid.return_value = None
         with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertEqual((None, None, None, None), self.cahandler.enroll('csr'))
-        self.assertIn('ERROR:test_a2c:foo', lcm.output)
-
-    def test_125_enroll(self):
-        """ enroll() no target-system-id """
-        self.cahandler.tsg_info_dic = {'id': None, 'name': 'name'}
-        self.assertEqual(('CAhandler.eroll(): ID lookup for targetSystemGroup "name" failed.', None, None, None), self.cahandler.enroll('csr'))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._request_import')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_cn_get')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
-    def test_126_enroll(self, mock_lookup, mock_cn_get, mock_san_get, mock_reqimp, mock_csr_lookup, mock_post, mock_cert_lookup, mock_tmpl_lookup):
-        """ enroll() without certid """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 10, 'name': 'name'}
-        self.cahandler.wait_interval = 0
-        mock_lookup.return_value = 10
-        mock_cn_get.return_value = 'cn'
-        mock_san_get.return_value = ['foo.bar.local']
-        mock_reqimp.return_value = True
-        mock_csr_lookup.return_value = 10
-        mock_post.return_value = True
-        mock_cert_lookup.return_value = None
-        self.assertEqual(("certifcate id lookup failed for:  cn, ['foo.bar.local']", None, None, None), self.cahandler.enroll('csr'))
-        self.assertFalse(mock_tmpl_lookup.called)
+            self.assertFalse(self.cahandler._ca_policylink_id_lookup())
+        self.assertIn('ERROR:test_a2c:CAhandler_ca_policylink_id_lookup(): no policylink id found for None', lcm.output)
+        self.assertIn('ERROR:test_a2c:ca_id.lookup() no CAs found in response ...', lcm.output)
+        self.assertFalse(mock_caid.called)
 
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_bundle_build')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._request_import')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_cn_get')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
-    def test_127_enroll(self, mock_lookup, mock_cn_get, mock_san_get, mock_reqimp, mock_csr_lookup, mock_post, mock_cert_lookup, mock_tmpl_lookup, mock_bundle):
-        """ enroll()  with certid """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 10, 'name': 'name'}
-        self.cahandler.wait_interval = 0
-        mock_lookup.return_value = 10
-        mock_cn_get.return_value = 'cn'
-        mock_san_get.return_value = ['foo.bar.local']
-        mock_reqimp.return_value = True
-        mock_csr_lookup.return_value = 10
-        mock_post.return_value = True
-        mock_cert_lookup.return_value = 10
-        mock_bundle.return_value = ('error', 'cert_bundle', 'cert_raw')
-        self.assertEqual(('error', 'cert_bundle', 'cert_raw', None), self.cahandler.enroll('csr'))
-        self.assertFalse(mock_tmpl_lookup.called)
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_get')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_post')
+    def test_069__cert_enroll(self, mock_post, mock_idget, mock_build):
+        """ test _cert_enroll() """
+        mock_post.return_value = 'mock_post'
+        mock_idget.return_value = 'mock_idget'
+        mock_build.return_value = ('error', 'bundle', 'raw')
+        self.assertEqual(('error', 'bundle', 'raw', 'mock_idget'), self.cahandler._cert_enroll('cr', 'policylink_id'))
+        self.assertTrue(mock_post.called)
+        self.assertTrue(mock_idget.called)
+        self.assertTrue(mock_build.called)
 
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_bundle_build')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._request_import')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_cn_get')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
-    def test_128_enroll(self, mock_lookup, mock_cn_get, mock_san_get, mock_reqimp, mock_csr_lookup, mock_post, mock_cert_lookup, mock_tmpl_lookup, mock_bundle):
-        """ enroll()  no tmpload """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 10, 'name': 'name'}
-        self.cahandler.wait_interval = 0
-        self.cahandler.template_info_dic = {'name': 'name', 'id': 'id'}
-        mock_lookup.return_value = 10
-        mock_cn_get.return_value = 'cn'
-        mock_san_get.return_value = ['foo.bar.local']
-        mock_reqimp.return_value = True
-        mock_csr_lookup.return_value = 10
-        mock_post.return_value = True
-        mock_cert_lookup.return_value = 10
-        mock_bundle.return_value = ('error', 'cert_bundle', 'cert_raw')
-        self.assertEqual(('error', 'cert_bundle', 'cert_raw', None), self.cahandler.enroll('csr'))
-        self.assertFalse(mock_tmpl_lookup.called)
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_get')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_post')
+    def test_070__cert_enroll(self, mock_post, mock_idget, mock_build):
+        """ test _cert_enroll() """
+        mock_post.return_value = 'mock_post'
+        mock_idget.return_value = None
+        mock_build.return_value = ('error', 'bundle', 'raw')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('Certifcate_id lookup failed', None, None, None), self.cahandler._cert_enroll('cr', 'policylink_id'))
+        self.assertIn('ERROR:test_a2c:CAhandler.eroll(): certifcate_id lookup failed for job: mock_post', lcm.output)
+        self.assertTrue(mock_post.called)
+        self.assertTrue(mock_idget.called)
+        self.assertFalse(mock_build.called)
 
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_bundle_build')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._request_import')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_cn_get')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
-    def test_129_enroll(self, mock_lookup, mock_cn_get, mock_san_get, mock_reqimp, mock_csr_lookup, mock_post, mock_cert_lookup, mock_tmpl_lookup, mock_bundle):
-        """ enroll()  tmpload """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 10, 'name': 'name'}
-        self.cahandler.wait_interval = 0
-        self.cahandler.template_info_dic = {'name': 'name', 'id': None}
-        mock_lookup.return_value = 10
-        mock_cn_get.return_value = 'cn'
-        mock_san_get.return_value = ['foo.bar.local']
-        mock_reqimp.return_value = True
-        mock_csr_lookup.return_value = 10
-        mock_post.return_value = True
-        mock_cert_lookup.return_value = 10
-        mock_bundle.return_value = ('error', 'cert_bundle', 'cert_raw')
-        self.assertEqual(('error', 'cert_bundle', 'cert_raw', None), self.cahandler.enroll('csr'))
-        self.assertTrue(mock_tmpl_lookup.called)
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_get')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_post')
+    def test_071__cert_enroll(self, mock_post, mock_idget, mock_build):
+        """ test _cert_enroll() """
+        mock_post.return_value = None
+        mock_idget.return_value = 'mock_idget'
+        mock_build.return_value = ('error', 'bundle', 'raw')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual(('job_id lookup failed', None, None, None), self.cahandler._cert_enroll('cr', 'policylink_id'))
+        self.assertIn('ERROR:test_a2c:CAhandler.eroll(): job_id lookup failed for job', lcm.output)
+        self.assertTrue(mock_post.called)
+        self.assertFalse(mock_idget.called)
+        self.assertFalse(mock_build.called)
 
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_bundle_build')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_lookup')
     @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._csr_id_lookup')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._request_import')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_san_get')
-    @patch('examples.ca_handler.nclm_ca_handler.csr_cn_get')
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
-    def test_130_enroll(self, mock_lookup, mock_cn_get, mock_san_get, mock_reqimp, mock_csr_lookup, mock_post, mock_cert_lookup, mock_tmpl_lookup, mock_bundle):
-        """ enroll()  tmpload """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 'id', 'name': 'name'}
-        self.cahandler.wait_interval = 0
-        self.cahandler.template_info_dic = {'name': 'name', 'id': None}
-        mock_lookup.return_value = 0
-        mock_cn_get.return_value = 'cn'
-        mock_san_get.return_value = ['foo.bar.local']
-        mock_reqimp.return_value = True
-        mock_csr_lookup.return_value = 10
-        mock_post.return_value = True
-        mock_cert_lookup.return_value = 10
-        mock_bundle.return_value = ('error', 'cert_bundle', 'cert_raw')
-        self.assertEqual(('enrollment aborted. policylink_id: 0, tsg_id: id', None, None, None), self.cahandler.enroll('csr'))
-        self.assertFalse(mock_tmpl_lookup.called)
+    @patch('examples.ca_handler.nclm_ca_handler.convert_string_to_byte')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_encode')
+    @patch('examples.ca_handler.nclm_ca_handler.build_pem_file')
+    def test_072__csr_post(self, mock_pem, mock_enc, mock_convert, mock_post):
+        """ test _csr_post() """
+        mock_pem.return_value = 'mock_pem'
+        mock_enc.return_value = 'mock_enc'
+        mock_convert.return_value = 'mock_convert'
+        mock_post.return_value = {'id': 'id', 'foo': 'bar'}
+        self.assertEqual('id', self.cahandler._csr_post('csr', 'policylink_id'))
+        self.assertTrue(mock_convert.called)
+        self.assertTrue(mock_enc.called)
+        self.assertTrue(mock_pem.called)
 
-    @patch('requests.get')
-    def test_131__cert_list_fetch(self, mock_req):
-        """ _cert_list_fetch() - response without next """
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.nclm_ca_handler.convert_string_to_byte')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_encode')
+    @patch('examples.ca_handler.nclm_ca_handler.build_pem_file')
+    def test_073__csr_post(self, mock_pem, mock_enc, mock_convert, mock_post):
+        """ test _csr_post() """
+        mock_pem.return_value = 'mock_pem'
+        mock_enc.return_value = 'mock_enc'
+        mock_convert.return_value = 'mock_convert'
+        mock_post.return_value = {'foo': 'bar'}
+        self.cahandler.template_info_dic = {'id': 'id'}
+        self.assertFalse(self.cahandler._csr_post('csr', 'policylink_id'))
+        self.assertTrue(mock_convert.called)
+        self.assertTrue(mock_enc.called)
+        self.assertTrue(mock_pem.called)
+
+    @patch('requests.get')
+    def test_074__issuer_certid_get(self, mock_req):
+        """ test _issuer_certid_get() """
+        cert_dic = {'urls': {'issuer': 'issuer'}}
         self.cahandler.api_host = 'api_host'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'certificates': ['foo', 'bar']}
+        mockresponse.json = lambda: {'urls': {'certificate': 'foo/v2/certificates/'}}
         mock_req.return_value = mockresponse
-        self.assertEqual(['foo', 'bar'], self.cahandler._cert_list_fetch('url'))
+        self.assertEqual(('foo', True), self.cahandler._issuer_certid_get(cert_dic))
 
     @patch('requests.get')
-    def test_132__cert_list_fetch(self, mock_req):
-        """ _cert_list_fetch() - response 1x pagination """
+    def test_075__issuer_certid_get(self, mock_req):
+        """ test _issuer_certid_get() """
+        cert_dic = {'urls': {'issuer': 'issuer'}}
         self.cahandler.api_host = 'api_host'
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificates': ['foo1', 'bar1'], 'next': 'url'}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'certificates': ['foo2', 'bar2']}
-        mock_req.side_effect = [mockresponse1, mockresponse2]
-        self.assertEqual(['foo1', 'bar1', 'foo2', 'bar2'], self.cahandler._cert_list_fetch('url'))
+        mockresponse = Mock()
+        mockresponse.json = lambda: {'urls': {'bar': 'foo/v2/certificates/'}}
+        mock_req.return_value = mockresponse
+        self.assertEqual((None, False), self.cahandler._issuer_certid_get(cert_dic))
 
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._issuer_certid_get')
+    @patch('examples.ca_handler.nclm_ca_handler.build_pem_file')
     @patch('requests.get')
-    def test_133__cert_list_fetch(self, mock_req):
-        """ _cert_list_fetch() - response 2x pagination """
-        self.cahandler.api_host = 'api_host'
-        mockresponse1 = Mock()
-        mockresponse1.json = lambda: {'certificates': ['foo1', 'bar1'], 'next': 'url'}
-        mockresponse2 = Mock()
-        mockresponse2.json = lambda: {'certificates': ['foo2', 'bar2'], 'next': 'url'}
-        mockresponse3 = Mock()
-        mockresponse3.json = lambda: {'certificates': ['foo3', 'bar3']}
-        mock_req.side_effect = [mockresponse1, mockresponse2, mockresponse3]
-        self.assertEqual(['foo1', 'bar1', 'foo2', 'bar2', 'foo3', 'bar3'], self.cahandler._cert_list_fetch('url'))
+    def test_076__cert_bundle_build(self, mock_req, mock_pem, mock_certid):
+        """ test _cert_bundle_build() """
+        mock_pem.return_value = 'mock_pem'
+        mock_certid.return_value = ('id', False)
+        mockresponse = Mock()
+        mockresponse.json = lambda: {'der': 'der'}
+        mock_req.return_value = mockresponse
+        self.assertEqual((None, 'mock_pem', 'der'), self.cahandler._cert_bundle_build('cert_id'))
 
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._issuer_certid_get')
+    @patch('examples.ca_handler.nclm_ca_handler.build_pem_file')
     @patch('requests.get')
-    def test_134__cert_list_fetch(self, mock_req):
-        """ _cert_list_fetch() - empty response """
-        self.cahandler.api_host = 'api_host'
+    def test_077__cert_bundle_build(self, mock_req, mock_pem, mock_certid):
+        """ test _cert_bundle_build() """
+        mock_pem.side_effect = ['mock_pem1', 'mock_pem2']
+        mock_certid.side_effect = [('id1', True), ('id2', False)]
         mockresponse = Mock()
-        mockresponse.json = lambda: {}
+        mockresponse.json = lambda: {'der': 'der'}
         mock_req.return_value = mockresponse
-        self.assertFalse(self.cahandler._cert_list_fetch('url'))
+        self.assertEqual((None, 'mock_pem2', 'der'), self.cahandler._cert_bundle_build('cert_id'))
 
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._issuer_certid_get')
+    @patch('examples.ca_handler.nclm_ca_handler.build_pem_file')
     @patch('requests.get')
-    def test_135__cert_list_fetch(self, mock_req):
-        """ _cert_list_fetch() - request.get triggers execption """
-        self.cahandler.api_host = 'api_host'
-        mock_req.side_effect = Exception('foo')
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._cert_list_fetch('url'))
-        self.assertIn('ERROR:test_a2c:CAhandler._cert_list_fetch() returned error: foo', lcm.output)
+    def test_078__cert_bundle_build(self, mock_req, mock_pem, mock_certid):
+        """ test _cert_bundle_build() """
+        mock_pem.return_value = ''
+        mock_certid.return_value = ('id', False)
+        mockresponse = Mock()
+        mockresponse.json = lambda: {'der': 'der'}
+        mock_req.return_value = mockresponse
+        self.assertEqual((None, None, 'der'), self.cahandler._cert_bundle_build('cert_id'))
 
+    @patch('time.sleep')
     @patch('requests.get')
-    def test_136__lastrequests_get(self, mock_req):
-        """ test_132__lastrequests_get() - all ok """
-        self.cahandler.api_host = 'api_host'
+    def test_079__cert_id_get(self, mock_req, mock_sleep):
+        """ test _cert_id_get() """
         mockresponse = Mock()
-        mockresponse.json = lambda: {'requests': ['foo', 'bar', 'foo', 'bar']}
+        mockresponse.json = lambda: {'status': 'done', 'entities': [{'ref': 'certificate', 'url': 'foo/v2/certificates/'}]}
         mock_req.return_value = mockresponse
-        self.assertEqual(['foo', 'bar', 'foo', 'bar'], self.cahandler._lastrequests_get())
+        self.assertEqual('foo', self.cahandler._cert_id_get(10))
 
+    @patch('time.sleep')
     @patch('requests.get')
-    def test_137__lastrequests_get(self, mock_req):
-        """ test_132__lastrequests_get() - all ok """
-        self.cahandler.api_host = 'api_host'
+    def test_080__cert_id_get(self, mock_req, mock_sleep):
+        """ test _cert_id_get() """
+        mockresponse1 = Mock()
+        mockresponse1.json = lambda: {'status': 'note', 'entities': [{'ref': 'certificate', 'url': 'foo1/v2/certificates/'}]}
+        mockresponse2 = Mock()
+        mockresponse2.json = lambda: {'status': 'done', 'entities': [{'ref': 'certificate', 'url': 'foo2/v2/certificates/'}]}
+        mock_req.side_effect = [mockresponse1, mockresponse2]
+        self.assertEqual('foo2', self.cahandler._cert_id_get(10))
+
+    @patch('requests.get')
+    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
+    def test_081__certid_get_from_serial(self, mock_serial, mock_req):
+        """ _certid_get_from_serial() """
+        mock_serial.return_value = 'mock_serial'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'requests': ['foo', 'bar', 'foo', 'bar']}
+        mockresponse.json = lambda: {'items': [{'id': 'id1'}, {'id': 'id2'}]}
         mock_req.return_value = mockresponse
-        self.assertEqual(['foo', 'bar', 'foo', 'bar'], self.cahandler._lastrequests_get())
+        self.assertEqual('id1', self.cahandler._certid_get_from_serial('cert_raw'))
 
     @patch('requests.get')
-    def test_138__lastrequests_get(self, mock_req):
-        """ test_132__lastrequests_get() - no request list in response """
-        self.cahandler.api_host = 'api_host'
+    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
+    def test_082__certid_get_from_serial(self, mock_serial, mock_req):
+        """ _certid_get_from_serial() """
+        mock_serial.return_value = 'mock_serial'
         mockresponse = Mock()
-        mockresponse.json = lambda: {'foo': 'bar'}
+        mockresponse.json = lambda: {'items': [{'di': 'id1'}, {'id': 'id2'}]}
         mock_req.return_value = mockresponse
         with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._lastrequests_get())
-        self.assertIn('ERROR:test_a2c:_lastrequests_get(): response incomplete:', lcm.output)
+            self.assertEqual(None, self.cahandler._certid_get_from_serial('cert_raw'))
+        self.assertIn('ERROR:test_a2c:CAhandler._certid_get_from_serial(): no certificate found for serial: mock_serial', lcm.output)
 
     @patch('requests.get')
-    def test_139__cert_list_fetch(self, mock_req):
-        """ _cert_list_fetch() - request.get triggers execption """
-        self.cahandler.api_host = 'api_host'
-        mock_req.side_effect = Exception('foo')
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._lastrequests_get())
-        self.assertIn('ERROR:test_a2c:CAhandler._lastrequests_get() returned error: foo', lcm.output)
-
-    def test_140__ca_id_get(self):
-        """ test _ca_id_get() """
-        ca_list = {}
-        self.assertFalse(self.cahandler._ca_id_get(ca_list))
-
-    def test_141__ca_id_get(self):
-        """ test _ca_id_get() """
-        ca_list = {'ca': {'foo': 'bar'}}
-        self.assertFalse(self.cahandler._ca_id_get(ca_list))
-
-    def test_142__ca_id_get(self):
-        """ test _ca_id_get() """
-        ca_list = {'ca': {'items': 'bar'}}
-        self.assertFalse(self.cahandler._ca_id_get(ca_list))
-
-    def test_143__ca_id_get(self):
-        """ test _ca_id_get() """
-        ca_list = {'ca': {'items': [{'foo': 'bar'}]}}
-        self.assertFalse(self.cahandler._ca_id_get(ca_list))
-
-    def test_144__ca_id_get(self):
-        """ test _ca_id_get() """
-        self.cahandler.ca_name = 'ca_name'
-        ca_list = {'ca': {'items': [{'displayName': 'ca_name', 'policyLinkId': 'id'}]}}
-        self.assertEqual('id', self.cahandler._ca_id_get(ca_list))
-
-    def test_145__ca_id_get(self):
-        """ test _ca_id_get() """
-        self.cahandler.ca_name = 'ca_name'
-        ca_list = {'ca': {'items': [{'displayName': 'ca_name', 'foo': 'id'}]}}
+    @patch('examples.ca_handler.nclm_ca_handler.cert_serial_get')
+    def test_083__certid_get_from_serial(self, mock_serial, mock_req):
+        """ _certid_get_from_serial() """
+        mock_serial.return_value = 'mock_serial'
+        mock_req.side_effect = Exception('mock_req')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_id_get(ca_list))
-        self.assertIn('ERROR:test_a2c:ca_id.lookup() policyLinkId field is missing  ...', lcm.output)
-
-    def test_146__ca_id_get(self):
-        """ test _ca_id_get() """
-        self.cahandler.ca_name = 'ca_name1'
-        ca_list = {'ca': {'items': [{'displayName': 'ca_name', 'policyLinkId': 'id'}]}}
-        self.assertFalse(self.cahandler._ca_id_get(ca_list))
-
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_id_get')
-    @patch('requests.get')
-    def test_147__ca_policylink_id_lookup(self, mock_req, mock_caid):
-        """ test _ca_policylink_id_lookup() """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 'id'}
+            self.assertEqual(None, self.cahandler._certid_get_from_serial('cert_raw'))
+        self.assertIn('ERROR:test_a2c:CAhandler._certid_get_from_serial(): request get aborted with err: mock_req', lcm.output)
+        self.assertIn('ERROR:test_a2c:CAhandler._certid_get_from_serial(): no certificate found for serial: mock_serial', lcm.output)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._certid_get_from_serial')
+    @patch('examples.ca_handler.nclm_ca_handler.header_info_get')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_084__cert_id_lookup(self, mock_enc, mock_info, mock_serial):
+        """ test _cert_id_lookup() """
+        mock_enc.return_value = 'mock_enc'
+        mock_info.return_value = [{'poll_identifier': 'poll_identifier'}]
+        mock_serial.return_value = 'mock_serial'
+        self.assertEqual('poll_identifier', self.cahandler._cert_id_lookup('cert_raw'))
+        self.assertFalse(mock_serial.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._certid_get_from_serial')
+    @patch('examples.ca_handler.nclm_ca_handler.header_info_get')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_085__cert_id_lookup(self, mock_enc, mock_info, mock_serial):
+        """ test _cert_id_lookup() """
+        mock_enc.return_value = 'mock_enc'
+        mock_info.return_value = [{'poll_identifier': None}]
+        mock_serial.return_value = 'mock_serial'
+        self.assertEqual('mock_serial', self.cahandler._cert_id_lookup('cert_raw'))
+        self.assertTrue(mock_serial.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._certid_get_from_serial')
+    @patch('examples.ca_handler.nclm_ca_handler.header_info_get')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_086__cert_id_lookup(self, mock_enc, mock_info, mock_serial):
+        """ test _cert_id_lookup() """
+        mock_enc.return_value = 'mock_enc'
+        mock_info.return_value = [{'foo': 'bar'}]
+        mock_serial.return_value = 'mock_serial'
+        self.assertEqual('mock_serial', self.cahandler._cert_id_lookup('cert_raw'))
+        self.assertTrue(mock_serial.called)
+
+    @patch('time.sleep')
+    @patch('requests.get')
+    def test_087__revocation_status_poll(self, mock_req, mock_sleep):
+        """ test _revocation_status_poll() """
         mockresponse = Mock()
-        mockresponse.json = lambda: {'ca': ['foo', 'bar', 'foo', 'bar']}
+        mockresponse.json = lambda: {'status': 'done'}
         mock_req.return_value = mockresponse
-        mock_caid.return_value = 10
-        self.assertEqual(10, self.cahandler._ca_policylink_id_lookup())
-        self.assertTrue(mock_caid.called)
+        err_dic = {'serverinternal': 'serverinternal'}
+        self.assertEqual((200, None, None), self.cahandler._revocation_status_poll('cert_id', err_dic))
 
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_id_get')
+    @patch('time.sleep')
     @patch('requests.get')
-    def test_148__ca_policylink_id_lookup(self, mock_req, mock_caid):
-        """ test _ca_policylink_id_lookup() """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 'id'}
+    def test_088__revocation_status_poll(self, mock_req, mock_sleep):
+        """ test _revocation_status_poll() """
         mockresponse = Mock()
-        mockresponse.json = lambda: {'ca': ['foo', 'bar', 'foo', 'bar']}
+        mockresponse.json = lambda: {'status': 'failed'}
         mock_req.return_value = mockresponse
-        mock_caid.return_value = None
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_policylink_id_lookup())
-        self.assertIn('ERROR:test_a2c:CAhandler_ca_policylink_id_lookup(): no policylink id found for None', lcm.output)
-        self.assertTrue(mock_caid.called)
+        err_dic = {'serverinternal': 'serverinternal'}
+        self.assertEqual((500, 'serverinternal', 'Revocation operation failed: error from API'), self.cahandler._revocation_status_poll('cert_id', err_dic))
 
-    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_id_get')
+    @patch('time.sleep')
     @patch('requests.get')
-    def test_149__ca_policylink_id_lookup(self, mock_req, mock_caid):
-        """ test _ca_policylink_id_lookup() """
-        self.cahandler.api_host = 'api_host'
-        self.cahandler.tsg_info_dic = {'id': 'id'}
+    def test_089__revocation_status_poll(self, mock_req, mock_sleep):
+        """ test _revocation_status_poll() """
+        mockresponse1 = Mock()
+        mockresponse1.json = lambda: {'status': 'pending'}
+        mockresponse2 = Mock()
+        mockresponse2.json = lambda: {'status': 'done'}
+        mock_req.side_effect = [mockresponse2, mockresponse2]
+        err_dic = {'serverinternal': 'serverinternal'}
+        self.assertEqual((200, None, None), self.cahandler._revocation_status_poll('cert_id', err_dic))
+
+    @patch('time.sleep')
+    @patch('requests.get')
+    def test_090__revocation_status_poll(self, mock_req, mock_sleep):
+        """ test _revocation_status_poll() """
+        mockresponse1 = Mock()
+        mockresponse1.json = lambda: {'status': 'pending'}
+        mockresponse2 = Mock()
+        mockresponse2.json = lambda: {'status': 'failed'}
+        mock_req.side_effect = [mockresponse2, mockresponse2]
+        err_dic = {'serverinternal': 'serverinternal'}
+        self.assertEqual((500, 'serverinternal', 'Revocation operation failed: error from API'), self.cahandler._revocation_status_poll('cert_id', err_dic))
+
+    @patch('time.sleep')
+    @patch('requests.get')
+    def test_091__revocation_status_poll(self, mock_req, mock_sleep):
+        """ test _revocation_status_poll() """
         mockresponse = Mock()
-        mockresponse.json = lambda: {'foo': ['foo', 'bar', 'foo', 'bar']}
+        mockresponse.json = lambda: {'status': 'pending'}
         mock_req.return_value = mockresponse
-        mock_caid.return_value = None
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.cahandler._ca_policylink_id_lookup())
-        self.assertIn('ERROR:test_a2c:CAhandler_ca_policylink_id_lookup(): no policylink id found for None', lcm.output)
-        self.assertIn('ERROR:test_a2c:ca_id.lookup() no CAs found in response ...', lcm.output)
-        self.assertFalse(mock_caid.called)
+        err_dic = {'serverinternal': 'serverinternal'}
+        self.assertEqual((500, 'serverinternal', 'Revocation operation failed: Timeout'), self.cahandler._revocation_status_poll('cert_id', err_dic))
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_enroll')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_092_enroll(self, mock_recode, mock_policy, mock_template, mock_enroll):
+        """ test enroll """
+        mock_recode.return_value = 'csr'
+        mock_policy.return_value = 'policylink_id'
+        mock_template.return_value = 'template_id'
+        mock_enroll.return_value = ('error', 'bundle', 'raw', 'cert_id')
+        self.cahandler.template_info_dic = {'name': 'name', 'id': None}
+        self.cahandler.container_info_dic = {'name': 'name', 'id': 'id'}
+        self.assertEqual(('error', 'bundle', 'raw', 'cert_id'), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_recode.called)
+        self.assertTrue(mock_policy.called)
+        self.assertTrue(mock_template.called)
+        self.assertTrue(mock_enroll.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_enroll')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_093_enroll(self, mock_recode, mock_policy, mock_template, mock_enroll):
+        """ test enroll """
+        mock_recode.return_value = 'csr'
+        mock_policy.return_value = 'policylink_id'
+        mock_template.return_value = 'template_id'
+        mock_enroll.return_value = ('error', 'bundle', 'raw', 'cert_id')
+        self.cahandler.template_info_dic = {'name': 'name', 'id': None}
+        self.cahandler.container_info_dic = {'name': 'name', 'id': None}
+        self.assertEqual(('CAhandler.eroll(): ID lookup for container"name" failed.', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_recode.called)
+        self.assertFalse(mock_policy.called)
+        self.assertFalse(mock_template.called)
+        self.assertFalse(mock_enroll.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_enroll')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_094_enroll(self, mock_recode, mock_policy, mock_template, mock_enroll):
+        """ test enroll """
+        mock_recode.return_value = 'csr'
+        mock_policy.return_value = None
+        mock_template.return_value = 'template_id'
+        mock_enroll.return_value = ('error', 'bundle', 'raw', 'cert_id')
+        self.cahandler.template_info_dic = {'name': 'name', 'id': None}
+        self.cahandler.container_info_dic = {'name': 'name', 'id': 'id'}
+        self.assertEqual(('Enrollment aborted. ca: None, tsg_id: id', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_recode.called)
+        self.assertTrue(mock_policy.called)
+        self.assertFalse(mock_template.called)
+        self.assertFalse(mock_enroll.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_enroll')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_095_enroll(self, mock_recode, mock_policy, mock_template, mock_enroll):
+        """ test enroll """
+        mock_recode.return_value = 'csr'
+        mock_policy.return_value = None
+        mock_template.return_value = 'template_id'
+        mock_enroll.return_value = ('error', 'bundle', 'raw', 'cert_id')
+        self.cahandler.template_info_dic = {'name': 'name', 'id': None}
+        self.cahandler.container_info_dic = {'name': 'name', 'id': 'id'}
+        self.cahandler.error = 'error'
+        self.assertEqual(('error', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_recode.called)
+        self.assertFalse(mock_policy.called)
+        self.assertFalse(mock_template.called)
+        self.assertFalse(mock_enroll.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.eab_profile_header_info_check')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_enroll')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._template_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._ca_policylink_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.b64_url_recode')
+    def test_096_enroll(self, mock_recode, mock_policy, mock_template, mock_enroll, mock_eab):
+        """ test enroll """
+        mock_recode.return_value = 'csr'
+        mock_policy.return_value = 'policylink_id'
+        mock_template.return_value = 'template_id'
+        mock_enroll.return_value = ('error', 'bundle', 'raw', 'cert_id')
+        mock_eab.return_value = 'eab'
+        self.cahandler.template_info_dic = {'name': 'name', 'id': None}
+        self.cahandler.container_info_dic = {'name': 'name', 'id': 'id'}
+        self.assertEqual(('eab', None, None, None), self.cahandler.enroll('csr'))
+        self.assertTrue(mock_recode.called)
+        self.assertTrue(mock_policy.called)
+        self.assertTrue(mock_template.called)
+        self.assertFalse(mock_enroll.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._revocation_status_poll')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.error_dic_get')
+    def test_097_revoke(self, mock_err, mock_idl, mock_post, mock_poll):
+        """ test revoke """
+        mock_err.return_value = {'foo': 'bar', 'serverinternal': 'serverinternal'}
+        mock_idl.return_value = 'cert_id'
+        mock_post.return_value = {'urls': {'job': 'foo/v2/jobs/'}}
+        mock_poll.return_value = (200, 'message', 'detail')
+        self.assertEqual((200, 'message', 'detail'), self.cahandler.revoke('cert_raw'))
+        self.assertTrue(mock_err.called)
+        self.assertTrue(mock_idl.called)
+        self.assertTrue(mock_post.called)
+        self.assertTrue(mock_poll.called)
+
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._revocation_status_poll')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._api_post')
+    @patch('examples.ca_handler.nclm_ca_handler.CAhandler._cert_id_lookup')
+    @patch('examples.ca_handler.nclm_ca_handler.error_dic_get')
+    def test_098_revoke(self, mock_err, mock_idl, mock_post, mock_poll):
+        """ test revoke """
+        mock_err.return_value = {'foo': 'bar', 'serverinternal': 'serverinternal'}
+        mock_idl.return_value = 'cert_id'
+        mock_post.return_value = {'urls': {'foo': 'foo'}}
+        mock_poll.return_value = (200, 'message', 'detail')
+        self.assertEqual((500, 'serverinternal', 'Revocation operation failed'), self.cahandler.revoke('cert_raw'))
+        self.assertTrue(mock_err.called)
+        self.assertTrue(mock_idl.called)
+        self.assertTrue(mock_post.called)
+        self.assertFalse(mock_poll.called)
 
 if __name__ == '__main__':
 
diff --git a/test/test_order.py b/test/test_order.py
index 09e0fe5b..97ead73d 100644
--- a/test/test_order.py
+++ b/test/test_order.py
@@ -101,7 +101,7 @@ def test_006_order_new(self, mock_mcheck, mock_orderadd, mock_nnonce):
         mock_orderadd.return_value = ('urn:ietf:params:acme:error:malformed', None, None, None)
         mock_nnonce.return_value = 'new_nonce'
         message = '{"foo" : "bar"}'
-        self.assertEqual({'header': {'Replay-Nonce': 'new_nonce'}, 'code': 400, 'data': {'status': 400, 'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'could not process order'}}, self.order.new(message))
+        self.assertEqual({'header': {'Replay-Nonce': 'new_nonce'}, 'code': 400, 'data': {'status': 400, 'type': 'urn:ietf:params:acme:error:malformed', 'detail': 'Could not process order'}}, self.order.new(message))
         self.assertTrue(mock_nnonce.called)
 
     @patch('acme_srv.nonce.Nonce.generate_and_add')
@@ -124,10 +124,7 @@ def test_008_order_new(self, mock_mcheck, mock_orderadd, mock_nnonce):
         mock_orderadd.return_value = (None, 'foo_order', {'foo_auth1': {u'type': u'dns', u'value': u'acme1.nclm-samba.local'}, 'foo_auth2': {u'type': u'dns', u'value': u'acme2.nclm-samba.local'}}, 'expires')
         mock_nnonce.return_value = 'new_nonce'
         message = '{"foo" : "bar"}'
-        if sys.version_info[0] < 3:
-            self.assertEqual({'header': {'Location': 'http://tester.local/acme/order/foo_order', 'Replay-Nonce': 'new_nonce'}, 'code': 201, 'data': {'status': 'pending', 'identifiers': [{'type': 'dns', 'value': 'acme2.nclm-samba.local'}, {'type': 'dns', 'value': 'acme1.nclm-samba.local'}], 'authorizations': ['http://tester.local/acme/authz/foo_auth2', 'http://tester.local/acme/authz/foo_auth1'], 'finalize': 'http://tester.local/acme/order/foo_order/finalize', 'expires': 'expires'}}, self.order.new(message))
-        else:
-            self.assertEqual({'header': {'Location': 'http://tester.local/acme/order/foo_order', 'Replay-Nonce': 'new_nonce'}, 'code': 201, 'data': {'status': 'pending', 'identifiers': [{'type': 'dns', 'value': 'acme1.nclm-samba.local'}, {'type': 'dns', 'value': 'acme2.nclm-samba.local'}], 'authorizations': ['http://tester.local/acme/authz/foo_auth1', 'http://tester.local/acme/authz/foo_auth2'], 'finalize': 'http://tester.local/acme/order/foo_order/finalize', 'expires': 'expires'}}, self.order.new(message))
+        self.assertEqual({'header': {'Location': 'http://tester.local/acme/order/foo_order', 'Replay-Nonce': 'new_nonce'}, 'code': 201, 'data': {'status': 'pending', 'identifiers': [{'type': 'dns', 'value': 'acme1.nclm-samba.local'}, {'type': 'dns', 'value': 'acme2.nclm-samba.local'}], 'authorizations': ['http://tester.local/acme/authz/foo_auth1', 'http://tester.local/acme/authz/foo_auth2'], 'finalize': 'http://tester.local/acme/order/foo_order/finalize', 'expires': 'expires'}}, self.order.new(message))
 
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.order.Order._add')
@@ -140,35 +137,47 @@ def test_009_order_new(self, mock_mcheck, mock_orderadd, mock_nnonce):
         message = '{"foo" : "bar"}'
         self.assertEqual({'header': {'Location': 'http://tester.local/acme/order/foo_order', 'Replay-Nonce': 'new_nonce'}, 'code': 201, 'data': {'status': 'pending', 'identifiers': [], 'authorizations': [], 'finalize': 'http://tester.local/acme/order/foo_order/finalize', 'expires': 'expires'}}, self.order.new(message))
 
+    @patch('acme_srv.nonce.Nonce.generate_and_add')
+    @patch('acme_srv.order.Order._add')
+    @patch('acme_srv.message.Message.check')
+    def test_010_order_new(self, mock_mcheck, mock_orderadd, mock_nnonce):
+        """ Order.new() failed bcs of db_add failed """
+        mock_mcheck.return_value = (200, None, None, 'protected', {"status" : "foo"}, 'account_name')
+        mock_orderadd.return_value = ('urn:ietf:params:acme:error:rejectedIdentifier', None, None, None)
+        mock_nnonce.return_value = 'new_nonce'
+        message = '{"foo" : "bar"}'
+        self.assertEqual({'header': {'Replay-Nonce': 'new_nonce'}, 'code': 403, 'data': {'status': 403, 'type': 'urn:ietf:params:acme:error:rejectedIdentifier', 'detail': 'Some of the requested identifiers got rejected'}}, self.order.new(message))
+        self.assertTrue(mock_nnonce.called)
+
     @patch('acme_srv.order.Order._info')
-    def test_010_order__lookup(self, mock_oinfo):
+    def test_011_order__lookup(self, mock_oinfo):
         """ test order lookup with empty hash """
         mock_oinfo.return_value = {}
         self.assertEqual({}, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_011_order__lookup(self, mock_oinfo):
+    def test_012_order__lookup(self, mock_oinfo):
         """ test order lookup with wrong hash and wrong authorization hash"""
         self.order.dbstore.authorization_lookup.return_value = [{'identifier_key' : 'identifier_value'}]
         mock_oinfo.return_value = {'status_key' : 'status_value'}
         self.assertEqual({'authorizations': []}, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_012_order__lookup(self, mock_oinfo):
+    def test_013_order__lookup(self, mock_oinfo):
         """ test order lookup with wrong hash and correct authorization hash"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}]
         mock_oinfo.return_value = {'status_key' : 'status_value'}
         self.assertEqual({'authorizations': ['http://tester.local/acme/authz/name']}, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_013_order__lookup(self, mock_oinfo):
+    def test_014_order__lookup(self, mock_oinfo):
         """ test order lookup with wrong hash and authorization hash having multiple entries"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}, {'name' : 'name2', 'identifier_key' : 'identifier_value2'}]
         mock_oinfo.return_value = {'status_key' : 'status_value'}
         self.assertEqual({'authorizations': ['http://tester.local/acme/authz/name', 'http://tester.local/acme/authz/name2']}, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_014_order__lookup(self, mock_oinfo):
+    def test_015_order__lookup(self, mock_oinfo):
         """ test order lookup status in dict and authorization dict having multiple entries"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}, {'name' : 'name2', 'identifier_key' : 'identifier_value2'}]
         mock_oinfo.return_value = {'status' : 'status_value'}
@@ -176,7 +185,7 @@ def test_014_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_015_order__lookup(self, mock_oinfo):
+    def test_016_order__lookup(self, mock_oinfo):
         """ test order lookup status, expires in dict and authorization dict having multiple entries"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}, {'name' : 'name2', 'identifier_key' : 'identifier_value2'}]
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400}
@@ -184,7 +193,7 @@ def test_015_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_016_order__lookup(self, mock_oinfo):
+    def test_017_order__lookup(self, mock_oinfo):
         """ test order lookup status, expires, notbefore (0) in dict and authorization dict having multiple entries"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}, {'name' : 'name2', 'identifier_key' : 'identifier_value2'}]
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400, 'notbefore' : 0}
@@ -192,7 +201,7 @@ def test_016_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_017_order__lookup(self, mock_oinfo):
+    def test_018_order__lookup(self, mock_oinfo):
         """ test order lookup status, expires, notbefore and notafter (0) in dict and authorization dict having multiple entries"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}, {'name' : 'name2', 'identifier_key' : 'identifier_value2'}]
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400, 'notbefore' : 0, 'notafter' : 0}
@@ -200,7 +209,7 @@ def test_017_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_018_order__lookup(self, mock_oinfo):
+    def test_019_order__lookup(self, mock_oinfo):
         """ test order lookup status, expires, notbefore and notafter (valid) in dict and authorization dict having multiple entries"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}, {'name' : 'name2', 'identifier_key' : 'identifier_value2'}]
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400}
@@ -208,7 +217,7 @@ def test_018_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_019_order__lookup(self, mock_oinfo):
+    def test_020_order__lookup(self, mock_oinfo):
         """ test order lookup status, expires, notbefore and notafter (valid), identifier, in dict and authorization dict having multiple entries"""
         self.order.dbstore.authorization_lookup.return_value = [{'name' : 'name', 'identifier_key' : 'identifier_value'}, {'name' : 'name2', 'identifier_key' : 'identifier_value2'}]
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400, 'identifier': '"{"foo" : "bar"}"'}
@@ -216,7 +225,7 @@ def test_019_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_020_order__lookup(self, mock_oinfo):
+    def test_021_order__lookup(self, mock_oinfo):
         """ test order lookup status, expires, notbefore and notafter (valid), identifier, in dict and worng authorization"""
         self.order.dbstore.authorization_lookup.return_value = 'foo'
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400, 'identifier': '"{"foo" : "bar"}"'}
@@ -224,7 +233,7 @@ def test_020_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_021_order__lookup(self, mock_oinfo):
+    def test_022_order__lookup(self, mock_oinfo):
         """ test order lookup correct identifier for oder info"""
         self.order.dbstore.authorization_lookup.return_value = 'foo'
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400, 'identifiers': '{"foo": "bar"}'}
@@ -232,7 +241,7 @@ def test_021_order__lookup(self, mock_oinfo):
         self.assertEqual(e_result, self.order._lookup('foo'))
 
     @patch('acme_srv.order.Order._info')
-    def test_022_order__lookup(self, mock_oinfo):
+    def test_023_order__lookup(self, mock_oinfo):
         """ test order lookup incorrect identifier for oder info"""
         self.order.dbstore.authorization_lookup.return_value = 'foo'
         mock_oinfo.return_value = {'status' : 'status_value', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400, 'identifiers': 'wrongvalue'}
@@ -243,7 +252,7 @@ def test_022_order__lookup(self, mock_oinfo):
 
     @patch('acme_srv.order.Order._update')
     @patch('acme_srv.order.Order._info')
-    def test_023_order__lookup(self, mock_oinfo, mock_update):
+    def test_024_order__lookup(self, mock_oinfo, mock_update):
         """ test order lookup correct identifier for oder info status - pending order-update """
         self.order.dbstore.authorization_lookup.return_value = [{'name': 'name', 'status__name': 'valid'}]
         mock_oinfo.return_value = {'status' : 'pending', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400, 'identifiers': '{"foo": "bar"}'}
@@ -253,7 +262,7 @@ def test_023_order__lookup(self, mock_oinfo, mock_update):
 
     @patch('acme_srv.order.Order._update')
     @patch('acme_srv.order.Order._info')
-    def test_024_order__lookup(self, mock_oinfo, mock_update):
+    def test_025_order__lookup(self, mock_oinfo, mock_update):
         """ test order lookup correct identifier for oder info status - pending order-update """
         self.order.dbstore.authorization_lookup.return_value = [{'name': 'name', 'status__name': 'valid'}]
         mock_oinfo.return_value = {'status' : 'notpending', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400, 'identifiers': '{"foo": "bar"}'}
@@ -263,7 +272,7 @@ def test_024_order__lookup(self, mock_oinfo, mock_update):
 
     @patch('acme_srv.order.Order._update')
     @patch('acme_srv.order.Order._info')
-    def test_025_order__lookup(self, mock_oinfo, mock_update):
+    def test_026_order__lookup(self, mock_oinfo, mock_update):
         """ test order lookup correct identifier for oder info status - invalid statusname """
         self.order.dbstore.authorization_lookup.return_value = [{'name': 'name', 'status__name': 'invalid'}]
         mock_oinfo.return_value = {'status' : 'pending', 'expires' : 1543640400, 'notbefore' : 1543640400, 'notafter' : 1543640400, 'identifiers': '{"foo": "bar"}'}
@@ -272,7 +281,7 @@ def test_025_order__lookup(self, mock_oinfo, mock_update):
         self.assertFalse(mock_update.called)
 
     @patch('acme_srv.order.Order._info')
-    def test_026_order__csr_process(self, mock_oinfo):
+    def test_027_order__csr_process(self, mock_oinfo):
         """ test order prcoess_csr with empty order_dic """
         mock_oinfo.return_value = {}
         self.assertEqual((400, 'urn:ietf:params:acme:error:unauthorized', 'order: order_name not found'), self.order._csr_process('order_name', 'csr', 'header_info'))
@@ -280,7 +289,7 @@ def test_026_order__csr_process(self, mock_oinfo):
     @patch('importlib.import_module')
     @patch('acme_srv.certificate.Certificate.store_csr')
     @patch('acme_srv.order.Order._info')
-    def test_027_order__csr_process(self, mock_oinfo, mock_certname, mock_import):
+    def test_028_order__csr_process(self, mock_oinfo, mock_certname, mock_import):
         """ test order prcoess_csr with failed csr dbsave"""
         mock_oinfo.return_value = {'foo', 'bar'}
         mock_certname.return_value = None
@@ -291,7 +300,7 @@ def test_027_order__csr_process(self, mock_oinfo, mock_certname, mock_import):
     @patch('acme_srv.certificate.Certificate.enroll_and_store')
     @patch('acme_srv.certificate.Certificate.store_csr')
     @patch('acme_srv.order.Order._info')
-    def test_028_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mock_import):
+    def test_029_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mock_import):
         """ test order prcoess_csr with failed cert enrollment"""
         mock_oinfo.return_value = {'foo', 'bar'}
         mock_certname.return_value = 'foo'
@@ -303,7 +312,7 @@ def test_028_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mo
     @patch('acme_srv.certificate.Certificate.enroll_and_store')
     @patch('acme_srv.certificate.Certificate.store_csr')
     @patch('acme_srv.order.Order._info')
-    def test_029_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mock_import):
+    def test_030_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mock_import):
         """ test order prcoess_csr with successful cert enrollment"""
         mock_oinfo.return_value = {'foo', 'bar'}
         mock_certname.return_value = 'foo'
@@ -311,29 +320,29 @@ def test_029_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mo
         mock_import.return_value = importlib.import_module('examples.ca_handler.skeleton_ca_handler')
         self.assertEqual((200, 'foo', None), self.order._csr_process('order_name', 'csr', 'header_info'))
 
-    def test_030_order__name_get(self):
+    def test_031_order__name_get(self):
         """ Order.name_get() http"""
         self.assertEqual('foo', self.order._name_get('http://tester.local/acme/order/foo'))
 
-    def test_031_order__name_get(self):
+    def test_032_order__name_get(self):
         """ Order.name_get() http with further path (finalize)"""
         self.assertEqual('foo', self.order._name_get('http://tester.local/acme/order/foo/bar'))
 
-    def test_032_order__name_get(self):
+    def test_033_order__name_get(self):
         """ Order.name_get() http with parameters"""
         self.assertEqual('foo', self.order._name_get('http://tester.local/acme/order/foo?bar'))
 
-    def test_033_order__name_get(self):
+    def test_034_order__name_get(self):
         """ Order.name_get() http with key/value parameters"""
         self.assertEqual('foo', self.order._name_get('http://tester.local/acme/order/foo?key=value'))
 
-    def test_034_order__name_get(self):
+    def test_035_order__name_get(self):
         """ Order.name_get() https with key/value parameters"""
         self.assertEqual('foo', self.order._name_get('https://tester.local/acme/order/foo?key=value'))
 
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.message.Message.check')
-    def test_035_order_parse(self, mock_mcheck, mock_nnonce):
+    def test_036_order_parse(self, mock_mcheck, mock_nnonce):
         """ Order.parse() failed bcs. of failed message check """
         mock_mcheck.return_value = (400, 'message', 'detail', None, None, 'account_name')
         message = '{"foo" : "bar"}'
@@ -343,7 +352,7 @@ def test_035_order_parse(self, mock_mcheck, mock_nnonce):
 
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.message.Message.check')
-    def test_036_order_parse(self, mock_mcheck, mock_nnonce):
+    def test_037_order_parse(self, mock_mcheck, mock_nnonce):
         """ Order.parse() failed bcs. no url key in protected """
         mock_mcheck.return_value = (200, None, None, {'foo_protected' : 'bar_protected'}, {"foo_payload" : "bar_payload"}, 'account_name')
         message = '{"foo" : "bar"}'
@@ -354,7 +363,7 @@ def test_036_order_parse(self, mock_mcheck, mock_nnonce):
     @patch('acme_srv.nonce.Nonce.generate_and_add')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_037_order_parse(self, mock_mcheck, mock_oname, mock_nnonce):
+    def test_038_order_parse(self, mock_mcheck, mock_oname, mock_nnonce):
         """ Order.parse() name_get failed """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = None
@@ -367,7 +376,7 @@ def test_037_order_parse(self, mock_mcheck, mock_oname, mock_nnonce):
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_038_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_nnonce):
+    def test_039_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_nnonce):
         """ Order.parse() failed as order lookup failed """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = 'foo'
@@ -382,7 +391,7 @@ def test_038_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_nnonce
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_039_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
+    def test_040_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
         """ Order.parse() succ, oder process returned non 200 """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = 'foo'
@@ -398,7 +407,7 @@ def test_039_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_proces
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_040_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
+    def test_041_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
         """ Order.parse() succ, oder process returned 200 and no certname """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = 'foo'
@@ -413,7 +422,7 @@ def test_040_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_proces
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_041_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
+    def test_042_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
         """ Order.parse() succ, oder process returned 200 and certname and valid status """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = 'foo'
@@ -428,7 +437,7 @@ def test_041_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_proces
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_042_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
+    def test_043_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
         """ Order.parse() succ, oder process returned 200 and certname without status """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = 'foo'
@@ -443,7 +452,7 @@ def test_042_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_proces
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_043_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
+    def test_044_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
         """ Order.parse() succ, oder process returned 200 and certname and non-valid status """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = 'foo'
@@ -453,80 +462,118 @@ def test_043_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_proces
         message = '{"foo" : "bar"}'
         self.assertEqual({'code': 200, 'data': {'finalize': 'http://tester.local/acme/order/foo/finalize', 'foo': 'bar', 'status': 'foobar'}, 'header': {'Location': 'http://tester.local/acme/order/foo', 'Replay-Nonce': 'nonce'}}, self.order.parse(message))
 
-    def test_044_order__identifiers_check(self):
+    def test_045_order__identifiers_check(self):
         """ order identifers check with empty identifer list"""
         self.assertEqual('urn:ietf:params:acme:error:malformed', self.order._identifiers_check([]))
 
-    def test_045_order__identifiers_check(self):
+    def test_046_order__identifiers_check(self):
         """ order identifers check with string identifier """
         self.assertEqual('urn:ietf:params:acme:error:malformed', self.order._identifiers_check('foo'))
 
-    def test_046_order__identifiers_check(self):
+    def test_047_order__identifiers_check(self):
         """ order identifers check with dictionary identifier """
         self.assertEqual('urn:ietf:params:acme:error:malformed', self.order._identifiers_check({'type': 'dns', 'value': 'foo.bar'}))
 
-    def test_047_order__identifiers_check(self):
+    def test_048_order__identifiers_check(self):
         """ order identifers check with correct identifer but case-insensitive """
         self.assertEqual('urn:ietf:params:acme:error:malformed', self.order._identifiers_check([{'Type': 'dns', 'value': 'value'}]))
 
-    def test_048_order__identifiers_check(self):
+    def test_049_order__identifiers_check(self):
         """ order identifers check with wrong identifer in list"""
         self.assertEqual('urn:ietf:params:acme:error:unsupportedIdentifier', self.order._identifiers_check([{'type': 'foo', 'value': 'value'}]))
 
-    def test_049_order__identifiers_check(self):
+    def test_050_order__identifiers_check(self):
         """ order identifers check with correct identifer in list"""
         self.assertEqual(None, self.order._identifiers_check([{'type': 'dns', 'value': 'value'}]))
 
-    def test_050_order__identifiers_check(self):
+    def test_051_order__identifiers_check(self):
         """ order identifers check with two identifers in list (one wrong) """
         self.assertEqual('urn:ietf:params:acme:error:unsupportedIdentifier', self.order._identifiers_check([{'type': 'dns', 'value': 'value'}, {'type': 'foo', 'value': 'value'}]))
 
-    def test_051_order__identifiers_check(self):
+    def test_052_order__identifiers_check(self):
         """ order identifers check with two identifers in list (one wrong) """
         self.assertEqual('urn:ietf:params:acme:error:unsupportedIdentifier', self.order._identifiers_check([{'type': 'foo', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
 
-    def test_052_order__identifiers_check(self):
+    def test_053_order__identifiers_check(self):
         """ order identifers check with two identifers in list (one wrong) """
         self.assertEqual(None, self.order._identifiers_check([{'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
 
-    def test_053_order__identifiers_check(self):
+    def test_054_order__identifiers_check(self):
         """ order identifers check with tnauthlist identifier and support false """
         self.order.tnauthlist_support = False
         self.assertEqual('urn:ietf:params:acme:error:unsupportedIdentifier', self.order._identifiers_check([{'type': 'TNAuthList', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
 
-    def test_054_order__identifiers_check(self):
+    def test_055_order__identifiers_check(self):
         """ order identifers check with tnauthlist identifier and support True """
         self.order.tnauthlist_support = True
-        self.assertEqual(None, self.order._identifiers_check([{'type': 'TNAuthList', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
+        self.assertEqual(None, self.order._identifiers_check([{'type': 'TNAuthList', 'value': 'value'}, {'type': 'dns', 'value': 'foo.bar.local'}]))
 
-    def test_055_order__identifiers_check(self):
+    def test_056_order__identifiers_check(self):
         """ order identifers check with tnauthlist identifier and support True """
         self.order.tnauthlist_support = True
         self.assertEqual(None, self.order._identifiers_check([{'type': 'TNAuthList', 'value': 'value'}]))
 
-    def test_056_order__identifiers_check(self):
+    def test_057_order__identifiers_check(self):
         """ order identifers check with tnauthlist identifier a wrong identifer and support True """
         self.order.tnauthlist_support = True
         self.assertEqual('urn:ietf:params:acme:error:unsupportedIdentifier', self.order._identifiers_check([{'type': 'TNAuthList', 'value': 'value'}, {'type': 'type', 'value': 'value'}]))
 
-    def test_057_order__identifiers_check(self):
+    def test_058_order__identifiers_check(self):
         """ order identifers check with wrong identifer in list and tnauthsupport true"""
         self.order.tnauthlist_support = True
         self.assertEqual('urn:ietf:params:acme:error:unsupportedIdentifier', self.order._identifiers_check([{'type': 'foo', 'value': 'value'}]))
 
-    def test_058_order__identifiers_check(self):
+    def test_059_order__identifiers_check(self):
         """ order identifers check with correct identifer in list and tnauthsupport true"""
         self.order.tnauthlist_support = True
         self.assertEqual(None, self.order._identifiers_check([{'type': 'dns', 'value': 'value'}]))
 
-    def test_059_order__process(self):
+    def test_060_order__identifiers_check(self):
+        """ order identifers check with 3 identifiers and no indentifier limit """
+        self.assertEqual(None, self.order._identifiers_check([{'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
+
+    def test_061_order__identifiers_check(self):
+        """ order identifers check with 3 identifiers and identifier limit of 3 """
+        self.order.identifier_limit = 3
+        self.assertEqual(None, self.order._identifiers_check([{'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
+
+    def test_062_order__identifiers_check(self):
+        """ order identifers check with 3 identifiers and identifier limit of 2 """
+        self.order.identifier_limit = 2
+        self.assertEqual('urn:ietf:params:acme:error:rejectedIdentifier', self.order._identifiers_check([{'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
+
+    @patch('acme_srv.order.validate_identifier')
+    def test_063_order__identifiers_check(self, mock_vali):
+        """ order identifers check with correct identifer """
+        mock_vali.side_effect = [True]
+        self.assertEqual(None, self.order._identifiers_check([{'type': 'dns', 'value': 'value'}]))
+
+    @patch('acme_srv.order.validate_identifier')
+    def test_064_order__identifiers_check(self, mock_vali):
+        """ order identifers check with correct identifer """
+        mock_vali.side_effect = [False]
+        self.assertEqual('urn:ietf:params:acme:error:rejectedIdentifier', self.order._identifiers_check([{'type': 'dns', 'value': 'value'}]))
+
+    @patch('acme_srv.order.validate_identifier')
+    def test_065_order__identifiers_check(self, mock_vali):
+        """ order identifers check with correct identifer """
+        mock_vali.side_effect = [True, False]
+        self.assertEqual('urn:ietf:params:acme:error:rejectedIdentifier', self.order._identifiers_check([{'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
+
+    @patch('acme_srv.order.validate_identifier')
+    def test_066_order__identifiers_check(self, mock_vali):
+        """ order identifers check with correct identifer """
+        mock_vali.side_effect = [False, True]
+        self.assertEqual('urn:ietf:params:acme:error:rejectedIdentifier', self.order._identifiers_check([{'type': 'dns', 'value': 'value'}, {'type': 'dns', 'value': 'value'}]))
+
+    def test_067_order__process(self):
         """ Order.prcoess() without url in protected header """
         order_name = 'order_name'
         protected = 'protected'
         payload = 'payload'
         self.assertEqual((400, 'urn:ietf:params:acme:error:malformed', 'url is missing in protected', None), self.order._process(order_name, protected, payload))
 
-    def test_060_order__process(self):
+    def test_068_order__process(self):
         """ Order.prcoess() polling request with failed certificate lookup """
         order_name = 'order_name'
         protected = {'url': 'foo'}
@@ -534,7 +581,7 @@ def test_060_order__process(self):
         self.order.dbstore.certificate_lookup.return_value = {}
         self.assertEqual((200, None, None, None), self.order._process(order_name, protected, payload))
 
-    def test_061_order__process(self):
+    def test_069_order__process(self):
         """ Order.prcoess() polling request with successful certificate lookup """
         order_name = 'order_name'
         protected = {'url': 'foo'}
@@ -543,7 +590,7 @@ def test_061_order__process(self):
         self.assertEqual((200, None, None, 'cert_name'), self.order._process(order_name, protected, payload))
 
     @patch('acme_srv.order.Order._info')
-    def test_062_order__process(self, mock_info):
+    def test_070_order__process(self, mock_info):
         """ Order.prcoess() finalize request with empty orderinfo """
         mock_info.return_value = {}
         order_name = 'order_name'
@@ -552,7 +599,7 @@ def test_062_order__process(self, mock_info):
         self.assertEqual((403, 'urn:ietf:params:acme:error:orderNotReady', 'Order is not ready', None), self.order._process(order_name, protected, payload))
 
     @patch('acme_srv.order.Order._info')
-    def test_063_order__process(self, mock_info):
+    def test_071_order__process(self, mock_info):
         """ Order.prcoess() finalize request with orderinfo without status"""
         mock_info.return_value = {'foo': 'bar'}
         order_name = 'order_name'
@@ -561,7 +608,7 @@ def test_063_order__process(self, mock_info):
         self.assertEqual((403, 'urn:ietf:params:acme:error:orderNotReady', 'Order is not ready', None), self.order._process(order_name, protected, payload))
 
     @patch('acme_srv.order.Order._info')
-    def test_064_order__process(self, mock_info):
+    def test_072_order__process(self, mock_info):
         """ Order.prcoess() finalize request with orderinfo with wrong status"""
         mock_info.return_value = {'status': 'bar'}
         order_name = 'order_name'
@@ -570,7 +617,7 @@ def test_064_order__process(self, mock_info):
         self.assertEqual((403, 'urn:ietf:params:acme:error:orderNotReady', 'Order is not ready', None), self.order._process(order_name, protected, payload))
 
     @patch('acme_srv.order.Order._info')
-    def test_065_order__process(self, mock_info):
+    def test_073_order__process(self, mock_info):
         """ Order.prcoess() finalize request without CSR """
         mock_info.return_value = {'status': 'ready'}
         order_name = 'order_name'
@@ -580,7 +627,7 @@ def test_065_order__process(self, mock_info):
 
     @patch('acme_srv.order.Order._csr_process')
     @patch('acme_srv.order.Order._info')
-    def test_066_order__process(self, mock_info, mock_process_csr):
+    def test_074_order__process(self, mock_info, mock_process_csr):
         """ Order.prcoess() finalize request with CSR but csr_process failed """
         mock_info.return_value = {'status': 'ready'}
         order_name = 'order_name'
@@ -592,7 +639,7 @@ def test_066_order__process(self, mock_info, mock_process_csr):
     @patch('acme_srv.order.Order._update')
     @patch('acme_srv.order.Order._csr_process')
     @patch('acme_srv.order.Order._info')
-    def test_067_order__process(self, mock_info, mock_process_csr, mock_update):
+    def test_075_order__process(self, mock_info, mock_process_csr, mock_update):
         """ Order.prcoess() finalize request with CSR but all good """
         mock_info.return_value = {'status': 'ready'}
         order_name = 'order_name'
@@ -606,7 +653,7 @@ def test_067_order__process(self, mock_info, mock_process_csr, mock_update):
     @patch('acme_srv.order.Order._update')
     @patch('acme_srv.order.Order._csr_process')
     @patch('acme_srv.order.Order._info')
-    def test_068_order__process(self, mock_info, mock_process_csr, mock_update):
+    def test_076_order__process(self, mock_info, mock_process_csr, mock_update):
         """ Order.prcoess() timeout in csr processing """
         mock_info.return_value = {'status': 'ready'}
         order_name = 'order_name'
@@ -620,7 +667,7 @@ def test_068_order__process(self, mock_info, mock_process_csr, mock_update):
     @patch('acme_srv.order.Order._update')
     @patch('acme_srv.order.Order._csr_process')
     @patch('acme_srv.order.Order._info')
-    def test_069_order__process(self, mock_info, mock_process_csr, mock_update):
+    def test_077_order__process(self, mock_info, mock_process_csr, mock_update):
         """ Order.prcoess() finalize request with detail none """
         mock_info.return_value = {'status': 'ready'}
         order_name = 'order_name'
@@ -635,7 +682,7 @@ def test_069_order__process(self, mock_info, mock_process_csr, mock_update):
     @patch('acme_srv.certificate.Certificate.enroll_and_store')
     @patch('acme_srv.certificate.Certificate.store_csr')
     @patch('acme_srv.order.Order._info')
-    def test_070_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mock_import):
+    def test_078_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mock_import):
         """ test order prcoess_csr with failed cert enrollment with internal error (response code must be corrected by 500)"""
         mock_oinfo.return_value = {'foo', 'bar'}
         mock_certname.return_value = 'foo'
@@ -648,7 +695,7 @@ def test_070_order__csr_process(self, mock_oinfo, mock_certname, mock_enroll, mo
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_071_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
+    def test_079_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
         """ Order.parse() succ, oder process returned 200 and certname processing status default retry after-header """
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
         mock_oname.return_value = 'foo'
@@ -663,7 +710,7 @@ def test_071_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_proces
     @patch('acme_srv.order.Order._lookup')
     @patch('acme_srv.order.Order._name_get')
     @patch('acme_srv.message.Message.check')
-    def test_072_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
+    def test_080_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_process, mock_nnonce):
         """ Order.parse() succ, oder process returned 200 and certname processing status configurable retry after-header """
         self.order.retry_after = 60
         mock_mcheck.return_value = (200, None, None, {'url' : 'bar_url/finalize'}, {"foo_payload" : "bar_payload"}, 'account_name')
@@ -674,38 +721,38 @@ def test_072_order_parse(self, mock_mcheck, mock_oname, mock_lookup, mock_proces
         message = '{"foo" : "bar"}'
         self.assertEqual({'code': 200, 'data': {'finalize': 'http://tester.local/acme/order/foo/finalize', 'foo': 'bar', 'status': 'processing'}, 'header': {'Location': 'http://tester.local/acme/order/foo', 'Replay-Nonce': 'nonce', 'Retry-After': '60'}}, self.order.parse(message))
 
-    def test_073_order_invalidate(self):
+    def test_081_order_invalidate(self):
         """ test Order.invalidate() empty order list """
         self.order.dbstore.orders_invalid_search.return_value = []
         self.assertEqual((['id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact'], []), self.order.invalidate())
 
-    def test_074_order_invalidate(self):
+    def test_082_order_invalidate(self):
         """ test Certificate._fieldlist_normalize() - wrong return list (no status__name included) """
         self.order.dbstore.orders_invalid_search.return_value = [{'foo': 'bar'}]
         self.assertEqual((['id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact'], []), self.order.invalidate())
 
-    def test_075_order_invalidate(self):
+    def test_083_order_invalidate(self):
         """ test Certificate._fieldlist_normalize() - no name but status__name """
         self.order.dbstore.orders_invalid_search.return_value = [{'foo': 'bar', 'status__name': 'foo'}]
         self.assertEqual((['id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact'], []), self.order.invalidate())
 
-    def test_076_order_invalidate(self):
+    def test_084_order_invalidate(self):
         """ test Certificate._fieldlist_normalize() - name but no status__name """
         self.order.dbstore.orders_invalid_search.return_value = [{'foo': 'bar', 'name': 'foo'}]
         self.assertEqual((['id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact'], []), self.order.invalidate())
 
-    def test_077_order_invalidate(self):
+    def test_085_order_invalidate(self):
         """ test Certificate._fieldlist_normalize() - name and status__name but invalid """
         self.order.dbstore.orders_invalid_search.return_value = [{'foo': 'bar', 'name': 'foo', 'status__name': 'invalid'}]
         self.assertEqual((['id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact'], []), self.order.invalidate())
 
-    def test_078_order_invalidate(self):
+    def test_086_order_invalidate(self):
         """ test Certificate._fieldlist_normalize() - name and status__name but invalid """
         self.order.dbstore.orders_invalid_search.return_value = [{'foo': 'bar', 'name': 'foo', 'status__name': 'foobar'}]
         self.assertEqual((['id', 'name', 'expires', 'identifiers', 'created_at', 'status__id', 'status__name', 'account__id', 'account__name', 'account__contact'], [{'foo': 'bar', 'name': 'foo', 'status__name': 'foobar'}]), self.order.invalidate())
 
     @patch('acme_srv.order.Order._identifiers_check')
-    def test_079_order__add(self, mock_idchk):
+    def test_087_order__add(self, mock_idchk):
         """ test Order._add - dbstore.authorization_add() raises an exception  """
         self.order.dbstore.authorization_add.side_effect = Exception('exc_order_add')
         self.order.dbstore.order_add.return_value = 'oid'
@@ -715,7 +762,7 @@ def test_079_order__add(self, mock_idchk):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._add() authz: exc_order_add', lcm.output)
 
     @patch('acme_srv.order.Order._identifiers_check')
-    def test_080_order__add(self, mock_idchk):
+    def test_088_order__add(self, mock_idchk):
         """ test Order._add - dbstore.order_add() raises an exception  """
         self.order.dbstore.order_add.side_effect = Exception('exc_order_add')
         mock_idchk.return_value = False
@@ -723,21 +770,21 @@ def test_080_order__add(self, mock_idchk):
             self.order._add({'foo': 'bar', 'identifiers': 'identifiers'}, 'aname')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._add() order: exc_order_add', lcm.output)
 
-    def test_081_order__info(self):
+    def test_089_order__info(self):
         """ test Order._info - dbstore.order_lookup() raises an exception  """
         self.order.dbstore.order_lookup.side_effect = Exception('exc_order_info')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.order._info('oname')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._info(): exc_order_info', lcm.output)
 
-    def test_082_order__process(self):
+    def test_090_order__process(self):
         """ test Order._process - dbstore.order_lookup() raises an exception  """
         self.order.dbstore.certificate_lookup.side_effect = Exception('exc_order_process')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
             self.order._process('oname', {'url': 'url'}, 'payload')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._process(): exc_order_process', lcm.output)
 
-    def test_083_order__update(self):
+    def test_091_order__update(self):
         """ test Order._update - dbstore.order_update() raises an exception  """
         self.order.dbstore.order_update.side_effect = Exception('exc_order_upd')
         with self.assertLogs('test_a2c', level='INFO') as lcm:
@@ -745,7 +792,7 @@ def test_083_order__update(self):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._update(): exc_order_upd', lcm.output)
 
     @patch('acme_srv.order.Order._info')
-    def test_084_order__lookup(self, mock_info):
+    def test_092_order__lookup(self, mock_info):
         """ test Order._lookup - dbstore.authorization_lookup() raises an exception  """
         self.order.dbstore.authorization_lookup.side_effect = Exception('exc_authz_lookup')
         mock_info.return_value = {'status': 'valid'}
@@ -753,7 +800,7 @@ def test_084_order__lookup(self, mock_info):
             self.order._lookup('oname')
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._authz_list_lookup(): exc_authz_lookup', lcm.output)
 
-    def test_085_order_invalidate(self):
+    def test_093_order_invalidate(self):
         """ test Order.invalidate - dbstore.order_update() raises an exception  """
         self.order.dbstore.order_update.side_effect = Exception('exc_order_upd')
         self.order.dbstore.order_invalid_search.return_value = ['foo']
@@ -762,7 +809,7 @@ def test_085_order_invalidate(self):
             self.order.invalidate(timestamp)
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._invalidate() upd: exc_order_upd', lcm.output)
 
-    def test_086_order_invalidate(self):
+    def test_094_order_invalidate(self):
         """ test Order.invalidate - dbstore.order_update() raises an exception  """
         self.order.dbstore.orders_invalid_search.side_effect = Exception('exc_order_search')
         timestamp = 1543640400
@@ -771,14 +818,14 @@ def test_086_order_invalidate(self):
         self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Order._invalidate() search: exc_order_search', lcm.output)
 
     @patch('acme_srv.order.Order._config_load')
-    def test_087__enter__(self, mock_cfg):
+    def test_095__enter__(self, mock_cfg):
         """ test enter """
         mock_cfg.return_value = True
         self.order.__enter__()
         self.assertTrue(mock_cfg.called)
 
     @patch('acme_srv.order.load_config')
-    def test_088_config_load(self, mock_load_cfg):
+    def test_096_config_load(self, mock_load_cfg):
         """ test _config_load empty config """
         parser = configparser.ConfigParser()
         mock_load_cfg.return_value = parser
@@ -787,7 +834,7 @@ def test_088_config_load(self, mock_load_cfg):
         self.assertFalse(self.order.header_info_list)
 
     @patch('acme_srv.order.load_config')
-    def test_089_config_load(self, mock_load_cfg):
+    def test_097_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'foo': 'bar'}
@@ -797,7 +844,7 @@ def test_089_config_load(self, mock_load_cfg):
         self.assertFalse(self.order.header_info_list)
 
     @patch('acme_srv.order.load_config')
-    def test_090_config_load(self, mock_load_cfg):
+    def test_098_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'tnauthlist_support': False}
@@ -807,7 +854,7 @@ def test_090_config_load(self, mock_load_cfg):
         self.assertFalse(self.order.header_info_list)
 
     @patch('acme_srv.order.load_config')
-    def test_091_config_load(self, mock_load_cfg):
+    def test_099_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'tnauthlist_support': True}
@@ -821,7 +868,7 @@ def test_091_config_load(self, mock_load_cfg):
         self.assertFalse(self.order.header_info_list)
 
     @patch('acme_srv.order.load_config')
-    def test_092_config_load(self, mock_load_cfg):
+    def test_100_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'expiry_check_disable': False}
@@ -834,9 +881,10 @@ def test_092_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_093_config_load(self, mock_load_cfg):
+    def test_101_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'expiry_check_disable': True}
@@ -849,9 +897,10 @@ def test_093_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_094_config_load(self, mock_load_cfg):
+    def test_102_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'retry_after_timeout': 1200}
@@ -864,9 +913,10 @@ def test_094_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_095_config_load(self, mock_load_cfg):
+    def test_103_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'retry_after_timeout': '1200'}
@@ -879,9 +929,10 @@ def test_095_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_096_config_load(self, mock_load_cfg):
+    def test_104_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'retry_after_timeout': 'foo'}
@@ -896,9 +947,10 @@ def test_096_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.authz_validity)
         self.assertIn('WARNING:test_a2c:Order._config_load(): failed to parse retry_after: foo', lcm.output)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_097_config_load(self, mock_load_cfg):
+    def test_105_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'validity': 1200}
@@ -911,9 +963,10 @@ def test_097_config_load(self, mock_load_cfg):
         self.assertEqual(1200, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_098_config_load(self, mock_load_cfg):
+    def test_106_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'validity': '1200'}
@@ -926,9 +979,10 @@ def test_098_config_load(self, mock_load_cfg):
         self.assertEqual(1200, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_099_config_load(self, mock_load_cfg):
+    def test_107_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'validity': 'foo'}
@@ -943,9 +997,10 @@ def test_099_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.authz_validity)
         self.assertIn('WARNING:test_a2c:Order._config_load(): failed to parse validity: foo', lcm.output)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_100_config_load(self, mock_load_cfg):
+    def test_108_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Authorization'] = {'validity': 1200}
@@ -958,9 +1013,10 @@ def test_100_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(1200, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_101_config_load(self, mock_load_cfg):
+    def test_109_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Authorization'] = {'validity': '1200'}
@@ -973,9 +1029,10 @@ def test_101_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(1200, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_102_config_load(self, mock_load_cfg):
+    def test_110_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Authorization'] = {'validity': 'foo'}
@@ -990,9 +1047,10 @@ def test_102_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.authz_validity)
         self.assertIn('WARNING:test_a2c:Order._config_load(): failed to parse authz validity: foo', lcm.output)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_103_config_load(self, mock_load_cfg):
+    def test_111_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Directory'] = {'url_prefix': 'url_prefix'}
@@ -1001,9 +1059,10 @@ def test_103_config_load(self, mock_load_cfg):
         self.assertFalse(self.order.tnauthlist_support)
         self.assertEqual({'authz_path': 'url_prefix/acme/authz/', 'cert_path': 'url_prefix/acme/cert/', 'order_path': 'url_prefix/acme/order/'}, self.order.path_dic)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_104_config_load(self, mock_load_cfg):
+    def test_112_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Challenge'] = {'sectigo_sim': True}
@@ -1016,9 +1075,10 @@ def test_104_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_105_config_load(self, mock_load_cfg):
+    def test_113_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Challenge'] = {'sectigo_sim': False}
@@ -1031,9 +1091,10 @@ def test_105_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_106_config_load(self, mock_load_cfg):
+    def test_114_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'header_info_list': '["foo", "bar"]'}
@@ -1046,9 +1107,10 @@ def test_106_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.validity)
         self.assertEqual(86400, self.order.authz_validity)
         self.assertEqual(['foo', 'bar'], self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
 
     @patch('acme_srv.order.load_config')
-    def test_107_config_load(self, mock_load_cfg):
+    def test_115_config_load(self, mock_load_cfg):
         """ test _config_load """
         parser = configparser.ConfigParser()
         parser['Order'] = {'header_info_list': 'foo'}
@@ -1063,10 +1125,77 @@ def test_107_config_load(self, mock_load_cfg):
         self.assertEqual(86400, self.order.authz_validity)
         self.assertFalse(self.order.header_info_list)
         self.assertIn('WARNING:test_a2c:Order._config_orderconfig_load() header_info_list failed with error: Expecting value: line 1 column 1 (char 0)', lcm.output)
+        self.assertEqual(20, self.order.identifier_limit)
+
+    @patch('acme_srv.order.load_config')
+    def test_116_config_load(self, mock_load_cfg):
+        """ test _config_load """
+        parser = configparser.ConfigParser()
+        parser['Challenge'] = {'sectigo_sim': False}
+        mock_load_cfg.return_value = parser
+        self.order._config_load()
+        self.assertFalse(self.order.tnauthlist_support)
+        self.assertFalse(self.order.sectigo_sim)
+        self.assertFalse(self.order.expiry_check_disable)
+        self.assertEqual(600, self.order.retry_after)
+        self.assertEqual(86400, self.order.validity)
+        self.assertEqual(86400, self.order.authz_validity)
+        self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
+
+    @patch('acme_srv.order.load_config')
+    def test_117_config_load(self, mock_load_cfg):
+        """ test _config_load """
+        parser = configparser.ConfigParser()
+        parser['Order'] = {'identifier_limit': 40}
+        mock_load_cfg.return_value = parser
+        self.order._config_load()
+        self.assertFalse(self.order.tnauthlist_support)
+        self.assertFalse(self.order.sectigo_sim)
+        self.assertFalse(self.order.expiry_check_disable)
+        self.assertEqual(600, self.order.retry_after)
+        self.assertEqual(86400, self.order.validity)
+        self.assertEqual(86400, self.order.authz_validity)
+        self.assertFalse(self.order.header_info_list)
+        self.assertEqual(40, self.order.identifier_limit)
+
+    @patch('acme_srv.order.load_config')
+    def test_118_config_load(self, mock_load_cfg):
+        """ test _config_load """
+        parser = configparser.ConfigParser()
+        parser['Order'] = {'identifier_limit': '40'}
+        mock_load_cfg.return_value = parser
+        self.order._config_load()
+        self.assertFalse(self.order.tnauthlist_support)
+        self.assertFalse(self.order.sectigo_sim)
+        self.assertFalse(self.order.expiry_check_disable)
+        self.assertEqual(600, self.order.retry_after)
+        self.assertEqual(86400, self.order.validity)
+        self.assertEqual(86400, self.order.authz_validity)
+        self.assertFalse(self.order.header_info_list)
+        self.assertEqual(40, self.order.identifier_limit)
+
+    @patch('acme_srv.order.load_config')
+    def test_119_config_load(self, mock_load_cfg):
+        """ test _config_load """
+        parser = configparser.ConfigParser()
+        parser['Order'] = {'identifier_limit': 'aa'}
+        mock_load_cfg.return_value = parser
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.order._config_load()
+        self.assertFalse(self.order.tnauthlist_support)
+        self.assertFalse(self.order.sectigo_sim)
+        self.assertFalse(self.order.expiry_check_disable)
+        self.assertEqual(600, self.order.retry_after)
+        self.assertEqual(86400, self.order.validity)
+        self.assertEqual(86400, self.order.authz_validity)
+        self.assertFalse(self.order.header_info_list)
+        self.assertEqual(20, self.order.identifier_limit)
+        self.assertIn('WARNING:test_a2c:Order._config_load(): failed to parse identifier_limit: aa', lcm.output)
 
     @patch('acme_srv.order.DBstore.authorization_add')
     @patch('acme_srv.order.generate_random_string')
-    def test_106__auth_add(self, mock_name, mock_order_add):
+    def test_120__auth_add(self, mock_name, mock_order_add):
         """ test _auth_add() """
         mock_name.return_value = 'name'
         auth_dic = {}
@@ -1075,7 +1204,7 @@ def test_106__auth_add(self, mock_name, mock_order_add):
         self.assertFalse(mock_order_add.called)
 
     @patch('acme_srv.order.generate_random_string')
-    def test_107__auth_add(self, mock_name):
+    def test_121__auth_add(self, mock_name):
         """ test _auth_add() """
         mock_name.return_value = 'name'
         auth_dic = {}
@@ -1086,7 +1215,7 @@ def test_107__auth_add(self, mock_name):
         self.assertFalse(self.order.dbstore.authorization_update.called)
 
     @patch('acme_srv.order.generate_random_string')
-    def test_108__auth_add(self, mock_name):
+    def test_122__auth_add(self, mock_name):
         """ test _auth_add() """
         mock_name.return_value = 'name'
         auth_dic = {}
@@ -1097,37 +1226,37 @@ def test_108__auth_add(self, mock_name):
         self.assertTrue(self.order.dbstore.authorization_add.called)
         self.assertTrue(self.order.dbstore.authorization_update.called)
 
-    def test_109__header_info_lookup(self):
+    def test_123__header_info_lookup(self):
         """ test _header_info_lookup() """
         header = {'foo1': 'bar1', 'foo2': 'bar2'}
         self.order.header_info_list = ['foo1', 'foo2']
         self.assertEqual('{"foo1": "bar1", "foo2": "bar2"}', self.order._header_info_lookup(header))
 
-    def test_110__header_info_lookup(self):
+    def test_124__header_info_lookup(self):
         """ test _header_info_lookup() """
         header = {'foo1': 'bar1', 'foo2': 'bar2'}
         self.order.header_info_list = ['foo2']
         self.assertEqual('{"foo2": "bar2"}', self.order._header_info_lookup(header))
 
-    def test_111__header_info_lookup(self):
+    def test_125__header_info_lookup(self):
         """ test _header_info_lookup() """
         header = {'foo1': 'bar1', 'foo2': 'bar2'}
         self.order.header_info_list = ['foo1']
         self.assertEqual('{"foo1": "bar1"}', self.order._header_info_lookup(header))
 
-    def test_112__header_info_lookup(self):
+    def test_126__header_info_lookup(self):
         """ test _header_info_lookup() """
         header = {'foo1': 'bar1', 'foo2': 'bar2'}
         self.order.header_info_list = ['foo1', 'foo3']
         self.assertEqual('{"foo1": "bar1"}', self.order._header_info_lookup(header))
 
-    def test_113__header_info_lookup(self):
+    def test_127__header_info_lookup(self):
         """ test _header_info_lookup() """
         header = None
         self.order.header_info_list = ['foo1', 'foo3']
         self.assertFalse(self.order._header_info_lookup(header))
 
-    def test_114__header_info_lookup(self):
+    def test_128__header_info_lookup(self):
         """ test _header_info_lookup() """
         header = {'foo1': 'bar1', 'foo2': 'bar2'}
         self.order.header_info_list = False
diff --git a/test/test_renewalinfo.py b/test/test_renewalinfo.py
index ebcdcc31..814883f1 100644
--- a/test/test_renewalinfo.py
+++ b/test/test_renewalinfo.py
@@ -159,168 +159,312 @@ def test_011_config_enter(self, mock_load_cfg):
         self.renewalinfo.__enter__()
         self.assertTrue(mock_load_cfg.called)
 
-    def test_012_lookup(self):
-        """ test _lookup() """
-        self.renewalinfo.dbstore.certificate_lookup.return_value = {'foo': 'bar'}
-        self.assertEqual({'foo': 'bar'}, self.renewalinfo._lookup('foo1'))
-
-    def test_013_lookup(self):
-        """ test _lookup() """
-        self.renewalinfo.dbstore.certificate_lookup.side_effect = Exception('cert_lookup')
-        with self.assertLogs('test_a2c', level='INFO') as lcm:
-            self.assertFalse(self.renewalinfo._lookup('foo1'))
-        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Renewalinfo._lookup(): cert_lookup', lcm.output)
-
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    def test_014_renewalinfo_get(self, mock_lookup):
-        """ test _renewalinfo_get() """
-        mock_lookup.return_value = {}
-        self.assertFalse(self.renewalinfo._renewalinfo_get('1a2b3c4d5e6f'))
-
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    def test_015_renewalinfo_get(self, mock_lookup):
+    @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_generate')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_dic_lookup')
+    def test_012_renewalinfo_get(self, mock_lookup, mock_gen):
         """ test _renewalinfo_get() """
-        mock_lookup.return_value = {'foo': 'bar'}
-        self.assertFalse(self.renewalinfo._renewalinfo_get('1a2b3c4d5e6f'))
-
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    def test_016_renewalinfo_get(self, mock_lookup):
-        """ test _renewalinfo_get() """
-        mock_lookup.return_value = {'expire_uts': 0}
-        self.assertFalse(self.renewalinfo._renewalinfo_get('1a2b3c4d5e6f'))
+        mock_gen.return_value = {'foo': 'bar'}
+        self.assertEqual({'foo': 'bar'}, self.renewalinfo._renewalinfo_get('1a2b3c4d5e6f'))
+        self.assertTrue(mock_lookup.called)
 
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    def test_017_renewalinfo_get(self, mock_lookup):
-        """ test _renewalinfo_get() """
-        mock_lookup.return_value = {'expire_uts': 1000, 'issue_uts': 100}
-        self.assertEqual({'suggestedWindow': {'start': '1970-01-01T00:14:25Z', 'end': '1970-01-01T00:16:40Z'}}, self.renewalinfo._renewalinfo_get('1a2b3c4d5e6f'))
-
-    @patch('acme_srv.renewalinfo.uts_now')
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    def test_018_renewalinfo_get(self, mock_lookup, mock_uts):
-        """ test _renewalinfo_get() """
-        mock_uts.return_value = 100
-        mock_lookup.return_value = {'expire_uts': 1000}
-        self.assertEqual({'suggestedWindow': {'start': '1970-01-01T00:14:25Z', 'end': '1970-01-01T00:16:40Z'}}, self.renewalinfo._renewalinfo_get('1a2b3c4d5e6f'))
-        self.assertTrue(mock_uts.called)
-
-    @patch('acme_srv.renewalinfo.uts_now')
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    def test_019_renewalinfo_get(self, mock_lookup, mock_uts):
-        """ test _renewalinfo_get() """
-        mock_uts.return_value = 86400000
-        mock_lookup.return_value = {'expire_uts': 1000, 'issue_uts': 200}
-        self.renewalinfo.renewal_force = True
-        self.assertEqual({'suggestedWindow': {'start': '1971-09-29T00:00:00Z', 'end': '1972-09-28T00:00:00Z'}}, self.renewalinfo._renewalinfo_get('1a2b3c4d5e6f'))
-        self.assertTrue(mock_uts.called)
+    @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_string_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_table_update')
+    def test_013_get(self, mock_update, mock_renstr_get, mock_renget):
+        """ test get() """
+        mock_renget.return_value = {'foo': 'bar'}
+        mock_renstr_get.return_value = 'mock_renstr_get'
+        self.renewalinfo.dbstore.hkparameter_get.return_value = None
+        self.assertEqual({'code': 200, 'data': {'foo': 'bar'}, 'header': {'Retry-After': '86400'}}, self. renewalinfo.get('url'))
+        self.assertTrue(mock_update.called)
 
     @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_get')
-    @patch('acme_srv.renewalinfo.certid_hex_get')
-    @patch('acme_srv.renewalinfo.string_sanitize')
-    def test_020_get(self, mock_sanitize, mock_hexget, mock_renget):
+    @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_string_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_table_update')
+    def test_014_get(self, mock_update, mock_renstr_get, mock_renget):
         """ test get() """
         mock_renget.return_value = {'foo': 'bar'}
-        mock_hexget.return_value = ('300b0609608648016503040201', 'bar')
+        mock_renstr_get.return_value = 'mock_renstr_get'
+        self.renewalinfo.dbstore.hkparameter_get.return_value = {'foo': 'bar'}
         self.assertEqual({'code': 200, 'data': {'foo': 'bar'}, 'header': {'Retry-After': '86400'}}, self. renewalinfo.get('url'))
-        self.assertTrue(mock_sanitize.called)
-        self.assertTrue(mock_hexget.called)
+        self.assertFalse(mock_update.called)
 
     @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_get')
-    @patch('acme_srv.renewalinfo.certid_hex_get')
-    @patch('acme_srv.renewalinfo.string_sanitize')
-    def test_021_get(self, mock_sanitize, mock_hexget, mock_renget):
+    @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_string_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_table_update')
+    def test_015_get(self, mock_update, mock_renstr_get, mock_renget):
         """ test get() """
         mock_renget.return_value = None
-        mock_hexget.return_value = ('300b0609608648016503040201', 'bar')
+        self.renewalinfo.dbstore.hkparameter_get.return_value = None
         self.assertEqual({'code': 404, 'data': 'urn:ietf:params:acme:error:malformed'}, self. renewalinfo.get('url'))
-        self.assertTrue(mock_sanitize.called)
-        self.assertTrue(mock_hexget.called)
+        self.assertTrue(mock_update.called)
+        self.assertTrue(mock_renstr_get.called)
 
     @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_get')
-    @patch('acme_srv.renewalinfo.certid_hex_get')
-    @patch('acme_srv.renewalinfo.string_sanitize')
-    def test_022_get(self, mock_sanitize, mock_hexget, mock_renget):
+    @patch('acme_srv.renewalinfo.Renewalinfo._renewalinfo_string_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_table_update')
+    def test_016_get(self, mock_update, mock_renstr_get, mock_renget):
         """ test get() """
-        mock_renget.return_value = None
-        mock_hexget.return_value = (None, 'bar')
-        self.assertEqual({'code': 400, 'data': 'urn:ietf:params:acme:error:malformed'}, self. renewalinfo.get('url'))
-        self.assertTrue(mock_sanitize.called)
-        self.assertTrue(mock_hexget.called)
+        mock_renget.side_effect = Exception('renewalinfo_get')
+        self.renewalinfo.dbstore.hkparameter_get.return_value = None
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertEqual({'code': 400, 'data': 'urn:ietf:params:acme:error:malformed'}, self. renewalinfo.get('url'))
+        self.assertTrue(mock_update.called)
+        self.assertTrue(mock_renstr_get.called)
+        self.assertIn('ERROR:test_a2c:Renewalinfo.get() - error: renewalinfo_get', lcm.output)
 
     @patch('acme_srv.message.Message.check')
-    def test_023_update(self, mock_mcheck):
+    def test_017_update(self, mock_mcheck):
         """ test update() """
         mock_mcheck.return_value = (400, 'message', 'detail', 'protected', 'payload', 'account_name')
         self.assertEqual({'code': 400}, self.renewalinfo.update('content'))
 
     @patch('acme_srv.message.Message.check')
-    def test_024_update(self, mock_mcheck):
+    def test_018_update(self, mock_mcheck):
         """ test update() """
         mock_mcheck.return_value = (200, 'message', 'detail', 'protected', {'certid': 'certid'}, 'account_name')
         self.assertEqual({'code': 400}, self.renewalinfo.update('content'))
 
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    @patch('acme_srv.renewalinfo.certid_hex_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_dic_lookup')
     @patch('acme_srv.message.Message.check')
-    def test_025_update(self, mock_mcheck, mock_hex, mock_lookup):
+    def test_019_update(self, mock_mcheck, mock_lookup):
         """ test update() """
         mock_mcheck.return_value = (200, 'message', 'detail', 'protected', {'certid': 'certid', 'replaced': True}, 'account_name')
-        mock_hex.return_value = ('300b0609608648016503040201', 'certhex')
         mock_lookup.return_value = None
         self.assertEqual({'code': 400}, self.renewalinfo.update('content'))
 
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    @patch('acme_srv.renewalinfo.certid_hex_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_dic_lookup')
     @patch('acme_srv.message.Message.check')
-    def test_026_update(self, mock_mcheck, mock_hex, mock_lookup):
+    def test_020_update(self, mock_mcheck, mock_lookup):
         """ test update() """
         mock_mcheck.return_value = (200, 'message', 'detail', 'protected', {'certid': 'certid', 'replaced': False}, 'account_name')
-        mock_hex.return_value = ('300b0609608648016503040201', 'certhex')
         mock_lookup.return_value = {'foo': 'bar'}
         self.assertEqual({'code': 400}, self.renewalinfo.update('content'))
 
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    @patch('acme_srv.renewalinfo.certid_hex_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_dic_lookup')
     @patch('acme_srv.message.Message.check')
-    def test_027_update(self, mock_mcheck, mock_hex, mock_lookup):
+    def test_021_update(self, mock_mcheck, mock_lookup):
         """ test update() """
         mock_mcheck.return_value = (200, 'message', 'detail', 'protected', {'certid': 'certid', 'replaced': True}, 'account_name')
-        mock_hex.return_value = ('300b0609608648016503040201', 'certhex')
         mock_lookup.return_value = {'foo': 'bar'}
         self.renewalinfo.dbstore.certificate_add.return_value = None
         self.assertEqual({'code': 400}, self.renewalinfo.update('content'))
 
-    @patch('acme_srv.renewalinfo.Renewalinfo._lookup')
-    @patch('acme_srv.renewalinfo.certid_hex_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._cert_dic_lookup')
     @patch('acme_srv.message.Message.check')
-    def test_028_update(self, mock_mcheck, mock_hex, mock_lookup):
+    def test_022_update(self, mock_mcheck, mock_lookup):
         """ test update() """
         mock_mcheck.return_value = (200, 'message', 'detail', 'protected', {'certid': 'certid', 'replaced': True}, 'account_name')
-        mock_hex.return_value = ('300b0609608648016503040201', 'certhex')
         mock_lookup.return_value = {'foo': 'bar'}
         self.renewalinfo.dbstore.certificate_add.return_value = 1
         self.assertEqual({'code': 200}, self.renewalinfo.update('content'))
 
-    def test_029_renewalinfo_string_get(self):
+    def test_023_renewalinfo_string_get(self):
         """ test update() """
         self.renewalinfo.server_name = 'http://server.name'
         self.renewalinfo.path_dic = {'renewalinfo': '/renewalinfo'}
         input_string = 'http://server.name/renewalinfo/foo'
-        self.assertEqual('foo', self.renewalinfo.renewalinfo_string_get(input_string))
+        self.assertEqual('foo', self.renewalinfo._renewalinfo_string_get(input_string))
 
-    def test_030_renewalinfo_string_get(self):
+    def test_024_renewalinfo_string_get(self):
         """ test update() """
         self.renewalinfo.server_name = 'http://server.name'
         self.renewalinfo.path_dic = {'renewalinfo': '/renewalinfo'}
         input_string = 'http://server.name/renewalinfofoo'
-        self.assertEqual('foo', self.renewalinfo.renewalinfo_string_get(input_string))
+        self.assertEqual('foo', self.renewalinfo._renewalinfo_string_get(input_string))
 
-    def test_031_renewalinfo_string_get(self):
+    def test_025_renewalinfo_string_get(self):
         """ test update() """
         self.renewalinfo.server_name = 'http://server.name'
         self.renewalinfo.path_dic = {'renewalinfo': '/renewalinfo/'}
         input_string = 'http://server.name/renewalinfo/foo'
-        self.assertEqual('foo', self.renewalinfo.renewalinfo_string_get(input_string))
+        self.assertEqual('foo', self.renewalinfo._renewalinfo_string_get(input_string))
+
+    @patch('acme_srv.renewalinfo.Renewalinfo._draft02_lookup')
+    @patch('acme_srv.renewalinfo.Renewalinfo._draft01_lookup')
+    @patch('acme_srv.renewalinfo.certid_hex_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._serial_aki_get')
+    def test_026_cert_dic_lookup(self, mock_aki, mock_certid, mock_draft01, mock_draft02):
+        """ test _cert_dic_lookup() """
+        mock_aki.return_value = ('serail', 'aki')
+        mock_draft01.return_value = {'foo': 'draft01'}
+        mock_draft02.return_value = {'foo': 'draft02'}
+        self.assertEqual({'foo': 'draft02'}, self.renewalinfo._cert_dic_lookup('cert.id'))
+        self.assertTrue(mock_aki.called)
+        self.assertFalse(mock_certid.called)
+        self.assertFalse(mock_draft01.called)
+        self.assertTrue(mock_draft02.called)
+
+    @patch('acme_srv.renewalinfo.Renewalinfo._draft02_lookup')
+    @patch('acme_srv.renewalinfo.Renewalinfo._draft01_lookup')
+    @patch('acme_srv.renewalinfo.certid_hex_get')
+    @patch('acme_srv.renewalinfo.Renewalinfo._serial_aki_get')
+    def test_027_cert_dic_lookup(self, mock_aki, mock_certid, mock_draft01, mock_draft02):
+        """ test _cert_dic_lookup() """
+        mock_aki.return_value = ('serail', 'aki')
+        mock_certid.return_value = ('mda', 'certid')
+        mock_draft01.return_value = {'foo': 'draft01'}
+        mock_draft02.return_value = {'foo': 'draft02'}
+        self.assertEqual({'foo': 'draft01'}, self.renewalinfo._cert_dic_lookup('certid'))
+        self.assertFalse(mock_aki.called)
+        self.assertTrue(mock_certid.called)
+        self.assertTrue(mock_draft01.called)
+        self.assertFalse(mock_draft02.called)
+
+    def test_028_draft01_lookup(self):
+        """ test _draft01_lookup() """
+        self.renewalinfo.dbstore.certificate_lookup.return_value = {'foo': 'bar'}
+        self.assertEqual({'foo': 'bar'}, self.renewalinfo._draft01_lookup('certid_hex'))
+
+    @patch('acme_srv.renewalinfo.cert_aki_get')
+    @patch('acme_srv.renewalinfo.cert_serial_get')
+    def test_029_cert_table_update(self, mock_serial, mock_aki):
+        """ test _cert_table_update() """
+        self.renewalinfo.dbstore.certificates_search.return_value = [{'foo': 'bar', 'cert_raw': 'cert_raw', 'name': 'name', 'cert': 'cert'}]
+        self.assertFalse(self.renewalinfo._cert_table_update())
+        self.assertTrue(mock_serial.called)
+        self.assertTrue(mock_aki.called)
+
+    @patch('acme_srv.renewalinfo.cert_aki_get')
+    @patch('acme_srv.renewalinfo.cert_serial_get')
+    def test_030_cert_table_update(self, mock_serial, mock_aki):
+        """ test _cert_table_update() """
+        self.renewalinfo.dbstore.certificates_search.return_value = [{'foo': 'bar', 'cert_raw': None, 'name': 'name', 'cert': 'cert'}]
+        self.assertFalse(self.renewalinfo._cert_table_update())
+        self.assertFalse(mock_serial.called)
+        self.assertFalse(mock_aki.called)
+
+    @patch('acme_srv.renewalinfo.cert_aki_get')
+    @patch('acme_srv.renewalinfo.cert_serial_get')
+    def test_031_cert_table_update(self, mock_serial, mock_aki):
+        """ test _cert_table_update() """
+        self.renewalinfo.dbstore.certificates_search.return_value = [{'foo': 'bar', 'name': 'name', 'cert': 'cert'}]
+        self.assertFalse(self.renewalinfo._cert_table_update())
+        self.assertFalse(mock_serial.called)
+        self.assertFalse(mock_aki.called)
+
+    def test_032_draft02_lookup(self):
+        """ test _draft02_lookup() """
+        self.renewalinfo.dbstore.certificates_search.return_value = [{'foo': 'bar01', 'aki': 'aki01'}, {'foo': 'bar02', 'aki': 'aki02'}]
+        self.assertFalse(self.renewalinfo._draft02_lookup('serial', 'aki03'))
+
+    def test_033_draft01_lookup(self):
+        """ test _draft01_lookup() """
+        self.renewalinfo.dbstore.certificate_lookup.side_effect = Exception('cert_lookup')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.renewalinfo._draft01_lookup('certid_hex'))
+        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Renewalinfo._draft01_lookup(): cert_lookup', lcm.output)
+
+    def test_034_draft02_lookup(self):
+        """ test _draft02_lookup() """
+        self.renewalinfo.dbstore.certificates_search.return_value = [{'foo': 'bar01', 'aki': 'aki01'}, {'foo': 'bar02', 'aki': 'aki02'}]
+        self.assertEqual({'aki': 'aki01', 'foo': 'bar01'}, self.renewalinfo._draft02_lookup('serial', 'aki01'))
+
+    def test_035_draft02_lookup(self):
+        """ test _draft02_lookup() """
+        self.renewalinfo.dbstore.certificates_search.return_value = [{'foo': 'bar01', 'aki': 'aki01'}, {'foo': 'bar02', 'aki': 'aki02'}]
+        self.assertEqual({'aki': 'aki02', 'foo': 'bar02'}, self.renewalinfo._draft02_lookup('serial', 'aki02'))
+
+    def test_036_draft02_lookup(self):
+        """ test _draft02_lookup() failed with leading zero """
+        self.renewalinfo.dbstore.certificates_search.side_effect = [[], [{'foo': 'bar01', 'aki': 'aki01'}, {'foo': 'bar02', 'aki': 'aki02'}]]
+        self.assertEqual({'aki': 'aki02', 'foo': 'bar02'}, self.renewalinfo._draft02_lookup('00serial', 'aki02'))
+
+    def test_037_draft02_lookup(self):
+        """ test _draft02_lookup() without leading zero"""
+        self.renewalinfo.dbstore.certificates_search.side_effect = [[], [{'foo': 'bar01', 'aki': 'aki01'}, {'foo': 'bar02', 'aki': 'aki02'}]]
+        self.assertFalse(self.renewalinfo._draft02_lookup('serial', 'aki02'))
+
+    @patch('acme_srv.renewalinfo.cert_aki_get')
+    @patch('acme_srv.renewalinfo.cert_serial_get')
+    def test_038_cert_table_update(self, mock_serial, mock_aki):
+        """ test _cert_table_update() """
+        self.renewalinfo.dbstore.certificates_search.side_effect = Exception('certificates_search')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.renewalinfo._cert_table_update())
+        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Renewalinfo._cert_table_update(): certificates_search', lcm.output)
+        self.assertFalse(mock_serial.called)
+        self.assertFalse(mock_aki.called)
+
+    def test_039_draft02_lookup(self):
+        """ test _draft02_lookup() """
+        self.renewalinfo.dbstore.certificates_search.return_value = [{'foo': 'bar01', }, {'foo': 'bar02', 'aki': 'aki02'}]
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.renewalinfo._draft02_lookup('serial', 'aki03'))
+        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Renewalinfo._draft02_lookup(): certificates_search', lcm.output)
+
+    def test_040_draft02_lookup(self):
+        """ test _draft02_lookup() """
+        self.renewalinfo.dbstore.certificates_search.side_effect = Exception('certificates_search')
+        with self.assertLogs('test_a2c', level='INFO') as lcm:
+            self.assertFalse(self.renewalinfo._draft02_lookup('serial', 'aki03'))
+        self.assertIn('CRITICAL:test_a2c:acme2certifier database error in Renewalinfo._draft02_lookup(): certificates_search', lcm.output)
+
+    @patch('acme_srv.renewalinfo.b64_url_recode')
+    @patch('acme_srv.renewalinfo.b64_decode')
+    def test_041_serial_aki_get(self, mock_dec, mock_rec):
+        """ test _serial_aki_get() """
+        mock_dec.side_effect = [b'aki', b'serial']
+        mock_rec.side_effect = ['foo1', 'foo2']
+        self.assertEqual(('616b69', '73657269616c'), self.renewalinfo._serial_aki_get('renewal.info'))
+        self.assertEqual(2, mock_dec.call_count)
+        self.assertEqual(2, mock_rec.call_count)
+
+    @patch('acme_srv.renewalinfo.b64_url_recode')
+    @patch('acme_srv.renewalinfo.b64_decode')
+    def test_042_serial_aki_get(self, mock_dec, mock_rec):
+        """ test _serial_aki_get() """
+        mock_dec.side_effect = [b'aki', b'serial']
+        mock_rec.side_effect = ['foo1', 'foo2']
+        self.assertEqual((None, None), self.renewalinfo._serial_aki_get('ren.ewal.info'))
+        self.assertFalse(mock_dec.called)
+        self.assertFalse(mock_rec.called)
+
+    @patch('acme_srv.renewalinfo.b64_url_recode')
+    @patch('acme_srv.renewalinfo.b64_decode')
+    def test_043_serial_aki_get(self, mock_dec, mock_rec):
+        """ test _serial_aki_get() """
+        mock_dec.side_effect = [b'aki', b'serial']
+        mock_rec.side_effect = ['foo1', 'foo2']
+        self.assertEqual((None, None), self.renewalinfo._serial_aki_get('renewalinfo'))
+        self.assertFalse(mock_dec.called)
+        self.assertFalse(mock_rec.called)
+
+    def test_044_renewalinfo_generate(self):
+        """ test _renewalinfo_generate() """
+        self.assertFalse(self.renewalinfo._renewalinfo_generate({}))
+
+    def test_045_renewalinfo_generate(self):
+        """ test _renewalinfo_generate() """
+        cert_dic = {'foo': 'bar'}
+        self.assertFalse(self.renewalinfo._renewalinfo_generate(cert_dic))
+
+    def test_046_renewalinfo_generate(self):
+        """ test _renewalinfo_generate() """
+        cert_dic  = {'expire_uts': 0}
+        self.assertFalse(self.renewalinfo._renewalinfo_generate(cert_dic))
+
+    def test_047_renewalinfo_generate(self):
+        """ test _renewalinfo_generate() """
+        cert_dic = {'expire_uts': 1000, 'issue_uts': 100}
+        self.assertEqual({'suggestedWindow': {'start': '1970-01-01T00:14:25Z', 'end': '1970-01-01T00:16:40Z'}}, self.renewalinfo._renewalinfo_generate(cert_dic))
+
+    @patch('acme_srv.renewalinfo.uts_now')
+    def test_048_renewalinfo_generate(self, mock_uts):
+        """ test _renewalinfo_generate() """
+        mock_uts.return_value = 100
+        cert_dic = {'expire_uts': 1000}
+        self.assertEqual({'suggestedWindow': {'start': '1970-01-01T00:14:25Z', 'end': '1970-01-01T00:16:40Z'}}, self.renewalinfo._renewalinfo_generate(cert_dic))
+        self.assertTrue(mock_uts.called)
+
+    @patch('acme_srv.renewalinfo.uts_now')
+    def test_049_renewalinfo_generate(self, mock_uts):
+        """ test _renewalinfo_generate() """
+        mock_uts.return_value = 86400000
+        cert_dic = {'expire_uts': 1000, 'issue_uts': 200}
+        self.renewalinfo.renewal_force = True
+        self.assertEqual({'suggestedWindow': {'start': '1971-09-29T00:00:00Z', 'end': '1972-09-28T00:00:00Z'}}, self.renewalinfo._renewalinfo_generate(cert_dic))
+        self.assertTrue(mock_uts.called)
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/test/test_wsgi_acme2certifier.py b/test/test_wsgi_acme2certifier.py
index 38a80ee6..65a5cec0 100644
--- a/test/test_wsgi_acme2certifier.py
+++ b/test/test_wsgi_acme2certifier.py
@@ -586,6 +586,7 @@ def test_051_application(self):
         environ = {'REQUEST_METHOD': 'UNK', 'REMOTE_ADDR': 'REMOTE_ADDR', 'PATH_INFO': 'url_prefix/directory'}
         result_expected = {"newAuthz": "http://localhost/acme/new-authz", "newNonce": "http://localhost/acme/newnonce", "newAccount": "http://localhost/acme/newaccount", "newOrder": "http://localhost/acme/neworders", "revokeCert": "http://localhost/acme/revokecert", "keyChange": "http://localhost/acme/key-change", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <grindelsack@gmail.com>", "name": "acme2certifier"}}
         result_func = json.loads(self.application(environ, Mock())[0])
+        print(result_func)
         del(result_func['meta']['version'])
         self.assertTrue(result_expected['meta'].items() <= result_func['meta'].items())
         self.assertEqual(result_expected['newAuthz'], result_func['newAuthz'])
diff --git a/tools/a2c_cli.py b/tools/a2c_cli.py
index d180b1c0..0f6bb141 100644
--- a/tools/a2c_cli.py
+++ b/tools/a2c_cli.py
@@ -1,6 +1,5 @@
 #!/usr/bin/python3
 # -*- coding: utf-8 -*-
-# pylint: disable=c0209
 """ acme2certifier cli client """
 import logging
 import datetime
@@ -35,7 +34,7 @@
 
 def csv_dump(logger, filename, content):
     """ dump content csv file """
-    logger.debug('csv_dump({0})'.format(filename))
+    logger.debug('csv_dump(%s)', filename)
     with open(filename, 'w', newline='', encoding='utf-8') as file_:
         writer = csv.writer(file_, delimiter=',', quotechar='"', quoting=csv.QUOTE_NONNUMERIC)
         writer.writerows(content)
@@ -50,14 +49,14 @@ def generate_random_string(logger, length):
 
 def file_dump(logger, filename, data_):
     """ dump content to  file """
-    logger.debug('file_dump({0})'.format(filename))
+    logger.debug('file_dump(%s)', filename)
     with open(filename, 'w', encoding='utf8') as file_:
         file_.write(data_)  # lgtm [py/clear-text-storage-sensitive-data]
 
 
 def file_load(logger, filename):
     """ load file at once """
-    logger.debug('file_open({0})'.format(filename))
+    logger.debug('file_open(%s)', filename)
     with open(filename, encoding='utf8') as _file:
         lines = _file.read()
     return lines
@@ -102,33 +101,33 @@ def __init__(self, logger=None, printcommand=None):
 
     def generate(self, filename):
         """ generate and store key """
-        self.logger.debug('KeyOperations.generate({0})'.format(filename))
+        self.logger.debug('KeyOperations.generate(%s)', filename)
         self.print('generating keys...', printreturn=False)
         key = jwk.JWK.generate(kty='RSA', size=2048, alg='RSA-OAEP-256', use='sig', kid=generate_random_string(self.logger, 12))
         public_key = key.export_public(as_dict=True)
         private_key = key.export_private(as_dict=True)
 
         try:
-            file_dump(self.logger, '{0}.pub'.format(filename), json.dumps(public_key, indent=4, sort_keys=True))
-            file_dump(self.logger, '{0}.private'.format(filename), json.dumps(private_key, indent=4, sort_keys=True))
+            file_dump(self.logger, f'{filename}.pub', json.dumps(public_key, indent=4, sort_keys=True))
+            file_dump(self.logger, f'{filename}.private', json.dumps(private_key, indent=4, sort_keys=True))
             self.print('done...', printreturn=False)
-            self.print('Keep the private key {0}.pub for yourself'.format(filename), printreturn=False)
-            self.print('Give the public key {0}.pub to your acme2certifier administrator'.format(filename))
+            self.print(f'Keep the private key {filename}.pub for yourself', printreturn=False)
+            self.print(f'Give the public key {filename}.pub to your acme2certifier administrator')
         except Exception as err_:
-            self.logger.error('KeyOperations.generate() failed with err: {0}'.format(err_))
-            self.print('Key generation failed with error: {0}'.format(err_))
+            self.logger.error('KeyOperations.generate() failed with err: %s', err_)
+            self.print('Key generation failed with error: %s', err_)
         return key
 
     def load(self, filename):
         """ load existing key """
-        self.logger.debug('KeyOperations.load({0})'.format(filename))
+        self.logger.debug('KeyOperations.load(%s)', filename)
         if os.path.exists(filename):
-            self.print('loading {0}'.format(filename), printreturn=False)
+            self.print(f'loading {filename}', printreturn=False)
             content = file_load(self.logger, filename)
             key = jwk.JWK.from_json(content)
             self.print('done...', printreturn=False)
         else:
-            self.print('Could not find {0}'.format(filename))
+            self.print(f'Could not find {filename}')
             key = None
         return key
 
@@ -140,13 +139,13 @@ def __init__(self, logger=None, printcommand=None):
         self.logger = logger
         self.print = printcommand
 
-    def sign(self, key, data, type='Unknown'):
+    def sign(self, key, data, cli_type='Unknown'):
         """ sign message """
         self.logger.debug('MessageOperations.sign()')
         protected = {"typ": "JOSE+JSON",
                      "kid": key['kid'],
                      "alg": "RS256"}
-        plaintext = {"data": data, 'type': type,
+        plaintext = {"data": data, 'type': cli_type,
                      "exp": int(time.time()) + (5 * 60)}
         mjws = jws.JWS(payload=json_encode(plaintext))
         mjws.add_signature(key, None, json_encode(protected))
@@ -154,8 +153,8 @@ def sign(self, key, data, type='Unknown'):
 
     def send(self, server=None, message=None):
         """ send message """
-        self.logger.debug('MessageOperations.send({0})'.format(server))
-        req = requests.post('{0}/housekeeping'.format(server), data=message, timeout=20)
+        self.logger.debug(f'MessageOperations.send({server})')
+        req = requests.post(f'{server}/housekeeping', data=message, timeout=20)
         return req
 
 
@@ -208,16 +207,16 @@ def _cli_print(self, text, date_print=True, printreturn=True):
             if date_print:
                 now = datetime.datetime.now().strftime('%H:%M:%S')
                 if printreturn:
-                    print('{0} {1}\n'.format(now, text))
+                    print(f'{now} {text}\n')
                 else:
-                    print('{0} {1}'.format(now, text))
+                    print(f'{now} {text}')
             else:
                 print(text)
 
     def _command_check(self, command):
         """ check command """
         # pylint: disable=c0325
-        self.logger.debug('CommandLineInterface._commend_check(): {0}'.format(command))
+        self.logger.debug('CommandLineInterface._commend_check(): %s', command)
         if command in ('help', 'H'):
             self.help_print()
         elif command.startswith('server'):
@@ -237,24 +236,24 @@ def _command_check(self, command):
                 self._certificate_operations(command)
             else:
                 if command:
-                    self._cli_print('unknown command: "/{0}"'.format(command))
+                    self._cli_print(f'unknown command: "/{command}"')
                     self.help_print()
         else:
-            self._cli_print('Unknown command: "{0}'.format(command))
+            self._cli_print(f'Unknown command: "{command}"')
             self.help_print()
 
     def _certificate_operations(self, command):
-        self.logger.debug('CommandLineInterface._certificate_operations(): {0}'.format(command))
+        self.logger.debug('CommandLineInterface._certificate_operations(): %s', command)
 
     def _config_operations(self, command):
-        self.logger.debug('CommandLineInterface._config_operations(): {0}'.format(command))
-        self._cli_print('server: {0}'.format(self.server), printreturn=False)
-        self._cli_print('key: {0}'.format(self.key), printreturn=False)
-        self._cli_print('status: {0}'.format(self.status), printreturn=False)
+        self.logger.debug('CommandLineInterface._config_operations(): %s', command)
+        self._cli_print(f'server: {self.server}', printreturn=False)
+        self._cli_print(f'key: {self.key}', printreturn=False)
+        self._cli_print(f'status: {self.status}', printreturn=False)
 
     def _exec_cmd(self, cmdinput):
         """ execute command """
-        self.logger.debug('CommandLineInterface._exec_cmd(): {0}'.format(cmdinput))
+        self.logger.debug('CommandLineInterface._exec_cmd(): %s', cmdinput)
         cmdinput = cmdinput.rstrip()
         # skip empty commands
         if len(cmdinput) <= 1:
@@ -276,12 +275,12 @@ def _intro_print(self):
 
     def _key_operations(self, command):
         """ key operations """
-        self.logger.debug('CommandLineInterface._key_operations({0})'.format(command))
+        self.logger.debug('CommandLineInterface._key_operations(%s)', command)
 
         try:
             (_key, command, argument) = command.split(' ', 2)
         except Exception:
-            self._cli_print('incomplete key-operations command: "{0}"'.format(command))
+            self._cli_print(f'incomplete key-operations command: "{command}"')
             _key = None  # lgtm [py/unused-local-variable]
             command = None
             argument = None  # lgtm [py/unused-local-variable]
@@ -293,7 +292,7 @@ def _key_operations(self, command):
             elif command == 'load':
                 self.key = key.load(argument)
             else:
-                self._cli_print('unknown key command: "{0}"'.format(command))
+                self._cli_print(f'unknown key command: "{command}"')
 
             if self.server:
                 self.status = 'Configured'
@@ -305,7 +304,7 @@ def _message_operations(self, command):
         try:
             (_key, command, argument) = command.split(' ', 2)
         except Exception:
-            self._cli_print('incomplete message-operations command: "{0}"'.format(command))
+            self._cli_print(f'incomplete message-operations command: "{command}"')
             _key = None  # lgtm [py/unused-local-variable]
             command = None
             argument = None  # lgtm [py/unused-local-variable]
@@ -326,7 +325,7 @@ def _report_operations(self, command):
         try:
             (_key, command, filename) = command.split(' ', 2)
         except Exception:
-            self._cli_print('incomplete report-operations command: "{0}"'.format(command))
+            self._cli_print(f'incomplete report-operations command: "{command}"')
             command = None
             filename = None  # lgtm [py/unused-local-variable]
 
@@ -334,13 +333,13 @@ def _report_operations(self, command):
             try:
                 (_filename, format_) = filename.lower().split('.', 2)
             except Exception:
-                self._cli_print('incomplete filename: "{0}"'.format(command))
+                self._cli_print(f'incomplete filename: "{command}"')
                 format_ = None
 
             if format_ in ('csv', 'json'):
                 self._report_generate(filename, format_, command)
             else:
-                self._cli_print('Unknown report format "{0}". Must be either "csv" or "json"'.format(format))
+                self._cli_print(f'Unknown report format "{format_}". Must be either "csv" or "json"')
 
     def _report_generate(self, filename, format_, command):
         """ generate report """
@@ -348,14 +347,14 @@ def _report_generate(self, filename, format_, command):
 
         # process report request
         message = MessageOperations(self.logger, self._cli_print)
-        signed_message = message.sign(key=self.key, type='report', data={'name': command, 'format': format_})
+        signed_message = message.sign(key=self.key, cli_type='report', data={'name': command, 'format': format_})
         response = message.send(server=self.server, message=signed_message)
         if response.status_code == 200:
             if format_ == 'csv':
                 csv_dump(self.logger, filename, response.json())
             else:
                 file_dump(self.logger, filename, json.dumps(response.json(), indent=4, sort_keys=True))
-            self._cli_print('saving report to {0}'.format(filename))
+            self._cli_print(f'saving report to {filename}')
         else:
             if 'message' in response.json():
                 message = response.json()['message']
@@ -363,12 +362,12 @@ def _report_generate(self, filename, format_, command):
                 message = response.json()['detail']
             else:
                 message = None
-            self._cli_print('ERROR: {0} - {1}'.format(response.status_code, message))
+            self._cli_print(f'ERROR: {response.status_code} - {message}')
 
     def _prompt_get(self):
         """ get prompt """
         self.logger.debug('CommandLineInterface._prompt_get()')
-        return '[{0}]:'.format(self.status)
+        return f'[{self.status}]:'
 
     def _quit(self):
         """ quit (whatever) """
@@ -377,7 +376,7 @@ def _quit(self):
 
     def _server_set(self, server):
         """ configure server """
-        self.logger.debug('CommandLineInterface._server_set({0})'.format(server))
+        self.logger.debug('CommandLineInterface._server_set(%s)', server)
 
         (_command, url) = server.split(' ')
         if is_url(url):
@@ -387,7 +386,7 @@ def _server_set(self, server):
             else:
                 self.status = 'Key missing'
         else:
-            self._cli_print('{0} is not a valid url'.format(url))
+            self._cli_print(f'{url} is not a valid url')
 
     def help_print(self):
         """ help screen """
diff --git a/tools/cliuser_mgmt.py b/tools/cliuser_mgmt.py
index 22324b93..4dede077 100644
--- a/tools/cliuser_mgmt.py
+++ b/tools/cliuser_mgmt.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python
 """ database updater """
-# pylint: disable=E0401, C0413, C0209
+# pylint: disable=E0401, C0413
 import sys
 import json
 import argparse
@@ -47,7 +47,7 @@ def arg_parse():
         if os.path.exists(args.keyfile):
             config_dic['jwk'] = json.loads(file_load(args.keyfile))
         else:
-            print('Error: keyfile "{0}" does not exist'.format(args.keyfile))
+            print(f'Error: keyfile "{args.keyfile}" does not exist')
 
     return (debug, config_dic)
 
diff --git a/tools/eab_chk.py b/tools/eab_chk.py
new file mode 100644
index 00000000..c9b632b5
--- /dev/null
+++ b/tools/eab_chk.py
@@ -0,0 +1,116 @@
+#!/usr/bin/python3
+""" database updater """
+# pylint: disable=E0401, C0413
+import sys
+import os.path
+import argparse
+from typing import Tuple, Dict
+import yaml
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir)))
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir)))
+from acme_srv.db_handler import initialize  # nopep8
+initialize()
+from acme_srv.helper import logger_setup, load_config, config_eab_profile_load, eab_handler_load, print_debug  # nopep8
+
+
+def _eab_dic_print(logger, eab_dic: Dict[str, str], config_dic: Dict[str, str]) -> None:
+    """ print eab dic """
+    logger.debug('eab_print_dic()')
+
+    if config_dic['summary'] or config_dic['verbose'] or config_dic['veryverbose']:
+        _summary_print(logger, eab_dic)
+
+    if config_dic['verbose']:
+        for key, value in eab_dic.items():
+            if 'hmac' in value:
+                print(f'{key}: {value["hmac"]}')
+            else:
+                print(f'{key}: {value}')
+    elif config_dic['veryverbose']:
+        print(yaml.dump(eab_dic, default_flow_style=False, default_style=''))
+
+
+def _summary_print(logger, eab_dic: Dict[str, str]) -> None:
+    """ print summary of eab dic """
+    logger.debug('summary_print()')
+    print(f'Summary: {len(eab_dic.keys())} entries in kid_file')
+
+
+def _filter_eab_dic(logger, eab_dic: Dict[str, str], keyid: str) -> Dict[str, str]:
+    """ filter eab dic """
+    logger.debug('_filter_eab_dic(%s)', keyid)
+    return {k: v for k, v in eab_dic.items() if k == keyid}
+
+
+def arg_parse() -> Tuple[bool, Dict[str, Dict[str, str]]]:
+    """ simple argparser """
+    parser = argparse.ArgumentParser(description='eab_chk.py - verify eab keyfile')
+    parser.add_argument('-c', '--configfile', help='configfile', required=True)
+    parser.add_argument('-d', '--debug', help='debug mode', action="store_true", default=False)
+    parser.add_argument('-v', '--verbose', help='verbose', action="store_true", default=False)
+    parser.add_argument('-vv', '--veryverbose', help='show enrollment profile', action="store_true", default=False)
+    clist = parser.add_mutually_exclusive_group()
+    clist.add_argument('-k', '--keyid', help='keyid to filter', default=None)
+    clist.add_argument('-s', '--summary', help='summary', default=False, action="store_true")
+
+    args = parser.parse_args()
+
+    debug = args.debug
+    config_dic = {
+        'debug': args.debug,
+        'verbose': args.verbose,
+        'veryverbose': args.veryverbose,
+        'keyid': args.keyid,
+        'summary': args.summary,
+        'configfile': args.configfile
+    }
+
+    if not config_dic['summary'] and not config_dic['keyid']:
+        config_dic['summary'] = True
+
+    return (debug, config_dic)
+
+
+def eab_dic_load(logger, acme_srv_dic: Dict[str, Dict[str, str]]) -> Dict[str, str]:
+    """ load eabhandler """
+    logger.debug('eab_dic_load()')
+
+    eab_profiling, eab_module = config_eab_profile_load(logger, acme_srv_dic)
+    if not eab_profiling:
+        eab_handler_module = eab_handler_load(logger, acme_srv_dic)
+        eab_module = eab_handler_module.EABhandler
+
+    with eab_module(logger) as eab_handler:
+        eab_dic = eab_handler.key_file_load()
+
+    return eab_dic
+
+
+if __name__ == '__main__':
+
+    DEBUG, CONFIG_DIC = arg_parse()
+
+    # setup logging
+    LOGGER = logger_setup(DEBUG)
+
+    # load config
+    if os.path.exists(CONFIG_DIC['configfile']):
+        ACME_SRV_DIC = load_config(cfg_file=CONFIG_DIC['configfile'])
+    else:
+        ACME_SRV_DIC = {}
+        error_text = f'Configfile {CONFIG_DIC["configfile"]} not found.'
+        LOGGER.debug(error_text)
+        print_debug(True, error_text)
+
+    if 'EABhandler' in ACME_SRV_DIC:
+        EAB_DIC = eab_dic_load(LOGGER, ACME_SRV_DIC)
+
+        if 'keyid' in CONFIG_DIC and CONFIG_DIC['keyid']:
+            EAB_DIC = _filter_eab_dic(LOGGER, EAB_DIC, CONFIG_DIC['keyid'])
+
+    else:
+        EAB_DIC = None
+        print_debug(True, 'No EABhandler section in configfile')
+
+    if EAB_DIC:
+        _eab_dic_print(LOGGER, EAB_DIC, CONFIG_DIC)
diff --git a/tools/entrust_mgr.py b/tools/entrust_mgr.py
new file mode 100644
index 00000000..8feb358e
--- /dev/null
+++ b/tools/entrust_mgr.py
@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+""" entrust manager """
+from __future__ import print_function
+import sys
+import os
+import argparse
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir)))
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir)))
+# pylint: disable=E0401, E0611, C0209, C0413
+from acme_srv.helper import logger_setup  # nopep8
+from examples.ca_handler.entrust_ca_handler import CAhandler  # nopep8
+
+
+def arg_parse():
+    """ simple argparser """
+
+    parser = argparse.ArgumentParser(description='enturst_mgr.py - a simple enturst certificate mananger')
+    parser.add_argument('-d', '--debug', help='debug mode', action="store_true", default=False)
+    parser.add_argument('-p', '--pagination', help='amout of certificates to be fetch with a single rest-call', default=200)
+    parser.add_argument('-s', '--sortby', help='sortby fieldname [trackigId, status, serialNumber, expiresAfter]', default='trackingId')
+    clist = parser.add_mutually_exclusive_group()
+    clist.add_argument('-a', '--filteractive', help='filter output to active accounts', action="store_true", default=False)
+    clist.add_argument('-r', '--revoke', help='revoke <transaction_id>', default=None)
+
+    args = parser.parse_args()
+
+    debug = args.debug
+    config_dic = {
+        'debug': args.debug,
+        'filteractive': args.filteractive,
+        'revoke': args.revoke,
+        'pagination': int(args.pagination),
+        'sortby': args.sortby
+    }
+    return (debug, config_dic)
+
+
+if __name__ == '__main__':
+
+    DEBUG, CONFIG_DIC = arg_parse()
+
+    # initialize logger
+    LOGGER = logger_setup(DEBUG)
+
+    with CAhandler(logger=LOGGER) as ca_handler:
+        result = ca_handler.credential_check()
+        if not result:
+
+            if CONFIG_DIC['revoke']:
+                print("Revoking certificate with transaction_id: ", CONFIG_DIC['revoke'])
+                CODE, CONTENT = ca_handler.revoke_by_trackingid(CONFIG_DIC['revoke'])
+                if CODE == 200:
+                    print("Revocation successful")
+                else:
+                    print(f"Revocation failed with error: {CONTENT}")
+            else:
+                # get list of certificates
+                cert_list = ca_handler.certificates_get(limit=CONFIG_DIC['pagination'])
+                for cert in sorted(cert_list, key=lambda k: k[CONFIG_DIC['sortby']]):
+                    if (CONFIG_DIC['filteractive'] and cert['status'] == 'ACTIVE') or not CONFIG_DIC['filteractive']:
+                        print(cert)
+        else:
+            print("Credential check failed: ", result)
+            sys.exit(1)
diff --git a/tools/invalidator.py b/tools/invalidator.py
index 4248a357..d9659054 100644
--- a/tools/invalidator.py
+++ b/tools/invalidator.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python
 """ database updater """
-# pylint: disable=C0209, E0401, C0413
+# pylint: disable=E0401, C0413
 import sys
 sys.path.insert(0, '..')
 sys.path.insert(1, '.')
@@ -20,10 +20,10 @@
     with Housekeeping(DEBUG, LOGGER) as housekeeping:
 
         # manual order invalidation
-        order_list = housekeeping.orders_invalidate(report_format='csv', report_name='orders_invalidate_{0}'.format(SUFFIX))
+        order_list = housekeeping.orders_invalidate(report_format='csv', report_name=f'orders_invalidate_{SUFFIX}')
 
         # manual authorization invalidation
-        authorization_list = housekeeping.authorizations_invalidate(report_format='csv', report_name='authorization_expire_{0}'.format(SUFFIX))
+        authorization_list = housekeeping.authorizations_invalidate(report_format='csv', report_name=f'authorization_expire_{SUFFIX}')
 
         # update issue_uts and expire_uts in certificates table
         housekeeping.certificate_dates_update()
diff --git a/tools/report_generator.py b/tools/report_generator.py
index 63600730..36529f9d 100644
--- a/tools/report_generator.py
+++ b/tools/report_generator.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python
 """ database updater """
-# pylint: disable=C0209, E0401, C0413
+# pylint: disable=E0401, C0413
 import sys
 sys.path.insert(0, '..')
 sys.path.insert(1, '.')
@@ -26,22 +26,22 @@
     with Housekeeping(DEBUG, LOGGER) as housekeeping:
 
         # certificate report in json format
-        cert_report = housekeeping.certreport_get(report_name='certificate_report_{0}'.format(SUFFIX), report_format='json')
+        cert_report = housekeeping.certreport_get(report_name=f'certificate_report_{SUFFIX}', report_format='json')
         # certificate report in csv format
-        housekeeping.certreport_get(report_name='certificate_report_{0}'.format(SUFFIX))
+        housekeeping.certreport_get(report_name=f'certificate_report_{SUFFIX}')
 
         # account report in json format
-        account_report = housekeeping.accountreport_get(report_name='account_report_{0}'.format(SUFFIX), report_format='json', nested=True)
+        account_report = housekeeping.accountreport_get(report_name=f'account_report_{SUFFIX}', report_format='json', nested=True)
         # account report in csv report_format
-        housekeeping.accountreport_get(report_name='account_report_{0}'.format(SUFFIX))
+        housekeeping.accountreport_get(report_name=f'account_report_{SUFFIX}')
 
         # certifiate cleanup (no delete) dump in json
-        cleanup_report = housekeeping.certificates_cleanup(report_format='json', report_name='certificate_cleanup_{0}'.format(SUFFIX))
+        cleanup_report = housekeeping.certificates_cleanup(report_format='json', report_name=f'certificate_cleanup_{SUFFIX}')
         # certifiate cleanup (including delete) dump in csv
         # housekeeping.certificates_cleanup(report_format='csv', report_name='certificate_cleanup_{0}'.format(SUFFIX), purge=True)
 
         # manual order invalidation
-        order_list = housekeeping.orders_invalidate(report_format='csv', report_name='orders_invalidate_{0}'.format(SUFFIX))
+        order_list = housekeeping.orders_invalidate(report_format='csv', report_name=f'orders_invalidate_{SUFFIX}')
 
         # manual authorization invalidation
-        authorization_list = housekeeping.authorizations_invalidate(report_format='csv', report_name='authorization_expire_{0}'.format(SUFFIX))
+        authorization_list = housekeeping.authorizations_invalidate(report_format='csv', report_name=f'authorization_expire_{SUFFIX}')