Changeset - c033bb4b0a05
Branko Majic (branko) - 8 years ago 2018-03-01 15:42:57
branko@majic.rs
GC-3: Updated naming convention for CAs (append CA at end for usability purposes).
3 files changed with 12 insertions and 12 deletions:
functional_tests/test_init.py
 
@@ -87,17 +87,17 @@ def test_initialisation_on_fresh_directory(tmpdir):
 
    subject_dn, _, _ = run_command('openssl', 'x509', '-noout', '-subject', '-in', '.gimmecert/ca/level1.cert.pem')
 
    issuer_dn = issuer_dn.replace('issuer=', '', 1)
 
    subject_dn = subject_dn.replace('subject=', '', 1)
 

	
 
    # He notices that the issuer and subject DN are identical (since
 
    # it's a root CA certificate), and can also see that the subject
 
    # DN has just the CN with working directory's name in it.
 
    assert issuer_dn == subject_dn
 
    assert subject_dn.rstrip() == 'CN = %s Level 1' % tmpdir.basename
 
    assert subject_dn.rstrip() == 'CN = %s Level 1 CA' % tmpdir.basename
 

	
 
    # John has a quick look at generated certificate and chain, only
 
    # to realise they are identical.
 
    with open(".gimmecert/ca/level1.cert.pem") as cert_file, open(".gimmecert/ca/chain-full.cert.pem") as chain_file:
 
        assert cert_file.read() == chain_file.read()
 

	
 

	
 
def test_initialisation_on_existing_directory(tmpdir):
 
@@ -158,17 +158,17 @@ def test_initialisation_with_custom_base_name(tmpdir):
 
    issuer_dn, _, _ = run_command('openssl', 'x509', '-noout', '-issuer', '-in', '.gimmecert/ca/level1.cert.pem')
 
    subject_dn, _, _ = run_command('openssl', 'x509', '-noout', '-subject', '-in', '.gimmecert/ca/level1.cert.pem')
 
    issuer_dn = issuer_dn.replace('issuer=', '', 1)
 
    subject_dn = subject_dn.replace('subject=', '', 1)
 

	
 
    # To his delight, both the issuer and subject DN are identical,
 
    # and now they are based on his custom-provided name instead of
 
    # project name.
 
    assert issuer_dn.rstrip() == subject_dn.rstrip() == "CN = My Project Level 1"
 
    assert issuer_dn.rstrip() == subject_dn.rstrip() == "CN = My Project Level 1 CA"
 
    assert tmpdir.basename not in issuer_dn
 

	
 

	
 
def test_initialisation_with_custom_hierarchy_depth(tmpdir):
 
    # John is now involved in a project where the CA hierarchy used
 
    # for issuing certificates is supposed to be deeper than 1. In
 
    # other words, he needs Level 1 CA -> Level 2 CA -> Level 3 CA ->
 
    # end entity certificates.
 
@@ -247,19 +247,19 @@ def test_initialisation_with_custom_hierarchy_depth(tmpdir):
 
    issuer_dn3 = issuer_dn3.replace('issuer=', '', 1).rstrip().replace(' /CN=', 'CN = ', 1)  # OpenSSL 1.0 vs 1.1 formatting
 
    subject_dn3 = subject_dn3.replace('subject=', '', 1).rstrip().replace(' /CN=', 'CN = ', 1)  # OpenSSL 1.0 vs 1.1 formatting
 

	
 
    # He notices that the all certificates seem to be have been issued
 
    # by correct entity.
 
    assert issuer_dn1 == subject_dn1
 
    assert issuer_dn2 == subject_dn1
 
    assert issuer_dn3 == subject_dn2
 
    assert subject_dn1 == 'CN = %s Level 1' % tmpdir.basename
 
    assert subject_dn2 == 'CN = %s Level 2' % tmpdir.basename
 
    assert subject_dn3 == 'CN = %s Level 3' % tmpdir.basename
 
    assert subject_dn1 == 'CN = %s Level 1 CA' % tmpdir.basename
 
    assert subject_dn2 == 'CN = %s Level 2 CA' % tmpdir.basename
 
    assert subject_dn3 == 'CN = %s Level 3 CA' % tmpdir.basename
 

	
 
    # John opens-up the chain file, and observes that all certificates
 
    # seem to be contained within.
 
    with open(".gimmecert/ca/level1.cert.pem", "r") as level1_cert_file:
 
        level1_cert = level1_cert_file.read()
 
    with open(".gimmecert/ca/level2.cert.pem", "r") as level2_cert_file:
 
        level2_cert = level2_cert_file.read()
 
    with open(".gimmecert/ca/level3.cert.pem", "r") as level3_cert_file:
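Review bot: The updated assertions `assert subject_dn.rstrip() == 'CN = %s Level 1 CA' % tmpdir.basename` and `assert issuer_dn.rstrip() == subject_dn.rstrip() == "CN = My Project Level 1 CA"` still compare against the OpenSSL 1.1 `CN = ` spelling only, while the hierarchy-depth hunk in this same file normalizes both spellings with `.replace(' /CN=', 'CN = ', 1)`, so on an OpenSSL 1.0 host the first two tests presumably fail before the new suffix is ever exercised. Applying the same normalization in those two tests, or pulling it into a small helper in this file, keeps the three consistent. Note also that every check here reads only the printed DN; the ` CA` suffix is a label, and nothing in these tests confirms the certificate actually carries `CA:TRUE` in Basic Constraints, so if that is the intent a `openssl x509 -noout -text` check for it would make the name match the property.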
gimmecert/crypto.py
 
@@ -157,17 +157,17 @@ def generate_ca_hierarchy(base_name, depth):
 
    ]
 

	
 
    # We have not issued yet any certificate.
 
    issuer_dn = None
 
    issuer_private_key = None
 

	
 
    for level in range(1, depth+1):
 
        # Generate info for the new CA.
 
        dn = get_dn("%s Level %d" % (base_name, level))
 
        dn = get_dn("%s Level %d CA" % (base_name, level))
 
        private_key = generate_private_key()
 

	
 
        # First certificate issued needs to be self-signed.
 
        issuer_dn = issuer_dn or dn
 
        issuer_private_key = issuer_private_key or private_key
 

	
 
        certificate = issue_certificate(issuer_dn, dn, issuer_private_key, private_key.public_key(), not_before, not_after, extensions)
 
        hierarchy.append((private_key, certificate))
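Review bot: `dn = get_dn("%s Level %d CA" % (base_name, level))` now embeds the caller-supplied base_name plus a fixed suffix into the CN with no length bound; RFC 5280 caps ub-common-name at 64 characters, and nothing visible in this hunk validates base_name, so a long custom name can yield a CN that strict verifiers, or the name builder inside `get_dn`, may reject. A guard before the loop such as `if len("%s Level %d CA" % (base_name, depth)) > 64: raise ValueError("base_name too long for a CA common name")` would fail early with a clear message, or at minimum the function docstring should state the CN format and that the caller owns the length. The CA property itself comes from the `extensions` passed to `issue_certificate`, not from the suffix, so the rename is cosmetic for validation purposes. The function signature, `extensions`, and `get_dn` are all outside this hunk, so the best home for such a check cannot be confirmed from here.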
tests/test_crypto.py
 
@@ -135,34 +135,34 @@ def test_generate_ca_hierarchy_returns_list_of_private_key_certificate_pairs():
 

	
 

	
 
def test_generate_ca_hierarchy_subject_dns_have_correct_value():
 
    base_name = 'My Project'
 
    depth = 3
 

	
 
    level1, level2, level3 = [certificate for _, certificate in gimmecert.crypto.generate_ca_hierarchy(base_name, depth)]
 

	
 
    assert level1.subject == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1'))
 
    assert level2.subject == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 2'))
 
    assert level3.subject == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 3'))
 
    assert level1.subject == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1 CA'))
 
    assert level2.subject == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 2 CA'))
 
    assert level3.subject == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 3 CA'))
 

	
 

	
 
def test_generate_ca_hierarchy_issuer_dns_have_correct_value():
 
    base_name = 'My Project'
 
    depth = 3
 

	
 
    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth)
 

	
 
    level1_key, level1_certificate = hierarchy[0]
 
    level2_key, level2_certificate = hierarchy[1]
 
    level3_key, level3_certificate = hierarchy[2]
 

	
 
    assert level1_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1'))
 
    assert level2_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1'))
 
    assert level3_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 2'))
 
    assert level1_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1 CA'))
 
    assert level2_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1 CA'))
 
    assert level3_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 2 CA'))
 

	
 

	
 
def test_generate_ca_hierarchy_private_keys_match_with_public_keys_in_certificates():
 
    base_name = 'My Project'
 
    depth = 3
 

	
 
    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth)
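Review bot: Style: the new assertions in `test_generate_ca_hierarchy_issuer_dns_have_correct_value` sit under unpacking that binds `level1_key`, `level2_key`, `level3_key`, none of which is read; the sibling test above discards keys with `for _, certificate in ...`, so `_, level1_certificate = hierarchy[0]` (and likewise for the other two) would match the file's own convention. Both updated tests pin depth 3 only; a depth-1 case, where the single certificate is self-signed and issuer must equal subject, would cover the `%d CA` formatting at the boundary the functional tests rely on.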
 

	