commit f9d514663d8be9e98cd9fe200c09180cbc209818
Author: pstruebi <struebin.patrick@gmail.com>
Date:   Wed Mar 4 16:36:09 2026 +0100

    basic working buildroot - rauc example

diff --git a/Config.in b/Config.in
new file mode 100644
index 0000000..32cc7e0
--- /dev/null
+++ b/Config.in
@@ -0,0 +1,2 @@
+# Nothing to see here (yet)
+#source "$BR2_EXTERNAL_BEACON_PATH/package/blah/Config.in"
diff --git a/agents.md b/agents.md
new file mode 100644
index 0000000..33d2c1f
--- /dev/null
+++ b/agents.md
@@ -0,0 +1,99 @@
+# Beacon CM4 Agent Cheat Sheet
+
+## Automated Flash (jumper bridged, fully scripted)
+
+**One command** — bridge the EMMC_DISABLE jumper, then run from repo root:
+```bash
+cd ~/repos/buildroot-beacon
+./beacon-buildroot/scripts/flash-cm4.sh
+```
+The script:
+1. Builds `usbboot/rpiboot` from source if not already compiled
+2. Runs `rpiboot -d mass-storage-gadget64` to expose eMMC over USB
+3. Auto-detects the CM4 USB block device (~7.3 GiB)
+4. Unmounts any auto-mounted partitions
+5. Flashes `output/images/sdcard.img.xz` via `bmaptool` (sparse, fast)
+6. Prints "Flash complete — remove jumper and power-cycle"
+
+Override device explicitly if auto-detect picks wrong disk:
+```bash
+./beacon-buildroot/scripts/flash-cm4.sh /dev/sda
+```
+
+## UART Console (interactive)
+
+UART probe on GPIO14 (TX) / GPIO15 (RX), 115200 baud:
+```bash
+picocom -b 115200 /dev/ttyUSB1
+# or with log capture:
+picocom -b 115200 --logfile /tmp/uart-$(date +%s).log /dev/ttyUSB1
+```
+Exit: `Ctrl-A Ctrl-X`
+
+## UART Log Capture (non-interactive, agent-readable)
+
+Use `socat` — truly headless, no terminal required, clean line endings:
+```bash
+# Start BEFORE power-cycling the CM4:
+socat -u /dev/ttyUSB1,b115200,rawer,crnl OPEN:/tmp/uart-boot.log,creat,trunc &
+# Stop capture after boot is done:
+kill %1
+# Read the log:
+cat /tmp/uart-boot.log
+```
+**Notes**:
+- `picocom` backgrounded with `&` gets stopped by job control (SIGTTOU) — do not use it headlessly
+- `cat /dev/ttyUSB1` with `stty raw` produces garbled output — do not use it
+
+## SSH Access
+
+Login: `user` / `beacon`  (root login disabled — use `sudo su -`)
+```bash
+# Find CM4 IP (DHCP, changes on reboot):
+ip neigh show dev enp0s31f6 | grep e4:5f:01:e9:13:96
+# SSH:
+sshpass -p beacon ssh user@<cm4-ip>
+```
+**Note**: Dropbear has no sftp-server — `scp` does NOT work. Transfer files via stdin pipe:
+```bash
+sshpass -p beacon ssh user@<cm4-ip> 'sudo tee /upload/rootfs.raucb > /dev/null' < output/images/rootfs.raucb
+```
+
+## OTA Update (fully scripted from host)
+
+```bash
+CM4=10.11.0.xx  # find via: ip neigh show dev enp0s31f6
+
+# 1. Transfer bundle (~51 MB, ~5s on LAN):
+sshpass -p beacon ssh user@$CM4 'sudo tee /upload/rootfs.raucb > /dev/null' \
+  < output/images/rootfs.raucb
+
+# 2. Install:
+sshpass -p beacon ssh user@$CM4 'rauc install /upload/rootfs.raucb'
+
+# 3. Reboot into slot B:
+sshpass -p beacon ssh user@$CM4 'sudo reboot'
+
+# 4. After reboot (new IP — find again with ip neigh):
+sshpass -p beacon ssh user@$CM4_NEW 'rauc status mark-good && rauc status'
+```
+**Note**: ports 8080 and 9090 are taken by other host services — do NOT use HTTP for OTA.
+
+## RAUC Status
+
+```bash
+sshpass -p beacon ssh user@<cm4-ip> 'rauc status'
+sudo fw_printenv | grep BOOT_
+```
+
+## Rescue Mode
+
+Short GPIO4 (pin 7) to GND (pin 9) on 40-pin header during power-on.
+
+## Secure Boot Provision (Milestone 2)
+
+```bash
+update-pieeprom.sh -k private.pem
+rpiboot -d secure-boot-recovery
+```
+**rpi secure boot private key**: use `/buildroot-beacon/private.pem` — do NOT generate a fresh one. RAUC has its own key; keep both alongside each other.
\ No newline at end of file
diff --git a/board/beacon-cm4/busybox.fragment b/board/beacon-cm4/busybox.fragment
new file mode 100644
index 0000000..daf2b9b
--- /dev/null
+++ b/board/beacon-cm4/busybox.fragment
@@ -0,0 +1,15 @@
+CONFIG_BLKDISCARD=Y
+# CONFIG_WATCHDOG is not set
+# CONFIG_MOUNT is not set
+# CONFIG_KLOGD is not set
+# CONFIG_FEATURE_KLOGD_KLOGCTL is not set
+# CONFIG_SYSLOGD is not set
+# CONFIG_FEATURE_ROTATE_LOGFILE is not set
+# CONFIG_FEATURE_REMOTE_LOG is not set
+# CONFIG_FEATURE_SYSLOGD_DUP is not set
+# CONFIG_FEATURE_SYSLOGD_CFG is not set
+# CONFIG_FEATURE_SYSLOGD_PRECISE_TIMESTAMPS is not set
+CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0
+# CONFIG_FEATURE_IPC_SYSLOG is not set
+CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0
+# CONFIG_FEATURE_KMSG_SYSLOG is not set
diff --git a/board/beacon-cm4/cmdline.txt b/board/beacon-cm4/cmdline.txt
new file mode 100644
index 0000000..d135414
--- /dev/null
+++ b/board/beacon-cm4/cmdline.txt
@@ -0,0 +1 @@
+root=/dev/mmcblk0p2 rootwait console=tty1 console=ttyAMA0,115200 fw_dtb net.ifnames=0
diff --git a/board/beacon-cm4/config_cm4.txt b/board/beacon-cm4/config_cm4.txt
new file mode 100644
index 0000000..64e5169
--- /dev/null
+++ b/board/beacon-cm4/config_cm4.txt
@@ -0,0 +1,105 @@
+# For more options and information see
+# http://rpf.io/configtxt
+# Some settings may impact device functionality. See link above for details
+
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+#uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800
+
+# Uncomment some or all of these to enable the optional hardware interfaces
+#dtparam=i2c_arm=on
+#dtparam=i2s=on
+#dtparam=spi=on
+
+# Uncomment this to enable infrared communication.
+#dtoverlay=gpio-ir,gpio_pin=17
+#dtoverlay=gpio-ir-tx,gpio_pin=18
+
+# Additional overlays and parameters are documented /boot/overlays/README
+
+# Enable audio (loads snd_bcm2835)
+dtparam=audio=on
+
+# Automatically load overlays for detected cameras
+camera_auto_detect=1
+
+# Automatically load overlays for detected DSI displays
+display_auto_detect=1
+
+# Enable DRM VC4 V3D driver
+dtoverlay=vc4-kms-v3d
+max_framebuffers=2
+
+# Disable compensation for displays with overscan
+disable_overscan=1
+
+[cm4]
+# Enable host mode on the 2711 built-in XHCI USB controller.
+# This line should be removed if the legacy DWC2 controller is required
+# (e.g. for USB device mode) or if USB support is not required.
+otg_mode=1
+
+[all]
+
+[pi4]
+# Run as fast as firmware / board allows
+arm_boost=1
+
+[all]
+
+# End of the default Raspberry Pi config.txt file from:
+# https://github.com/RPi-Distro/pi-gen/blob/master/stage1/00-boot-files/files/config.txt
+
+# Load U-Boot instead of Linux
+kernel=u-boot.bin
+
+# Enable 64-bit support
+arm_64bit=1
+
+# fixes rpi (3B, 3B+, 3A+, 4B and Zero W) ttyAMA0 serial console
+dtoverlay=miniuart-bt
+
+# Enable watchdog, system will reset if U-Boot and Linux do not boot within 16 seconds
+# Requires fairly recent RPi Firmware:
+# https://github.com/raspberrypi/firmware/issues/1651
+# Comment this line if you expect to be able to use the U-Boot command prompt!
+dtparam=watchdog
+
+# GPIO 4 has a pull-up enabled at reset, but let's set it explicitly just to be sure
+gpio=4=ip,pu
+
+# Enable early debugging info
+uart_2ndstage=1
+
diff --git a/board/beacon-cm4/dts/bcm2711-rpi-cm4.dts b/board/beacon-cm4/dts/bcm2711-rpi-cm4.dts
new file mode 100644
index 0000000..0474db2
--- /dev/null
+++ b/board/beacon-cm4/dts/bcm2711-rpi-cm4.dts
@@ -0,0 +1,4 @@
+#include "../../../arm/boot/dts/bcm2711-rpi-cm4.dts"
+
+#include "custom-cm4.dtsi"
+
diff --git a/board/beacon-cm4/dts/custom-cm4.dtsi b/board/beacon-cm4/dts/custom-cm4.dtsi
new file mode 100644
index 0000000..f8ffdb4
--- /dev/null
+++ b/board/beacon-cm4/dts/custom-cm4.dtsi
@@ -0,0 +1,65 @@
+/**********************************************************************/
+/* WARNING:                                                           */
+/* This file and the resulting dtb installed to the rootfs will be    */
+/* IGNORED unless you edit config.txt on the boot partition and       */
+/* remove the fw_dtb argument from cmdline.txt!                       */
+/**********************************************************************/
+
+/* miniuart-bt-overlay to fix serial console on CM4 */
+
+&uart0 {
+	pinctrl-names = "default";
+	pinctrl-0 = <&uart0_pins>;
+	status = "okay";
+};
+
+&bt {
+	status = "disabled";
+};
+
+&uart1 {
+	pinctrl-names = "default";
+	pinctrl-0 = <&uart1_pins &bt_pins &fake_bt_cts>;
+	status = "okay";
+};
+
+&uart0_pins {
+	brcm,pins;
+	brcm,function;
+	brcm,pull;
+};
+
+&uart1_pins {
+	brcm,pins = <32 33>;
+	brcm,function = <2>; /* alt5=UART1 */
+	brcm,pull = <0 2>;
+};
+
+&gpio {
+	fake_bt_cts: fake_bt_cts {
+		brcm,pins = <31>;
+		brcm,function = <1>; /* output */
+	};
+};
+
+/ {
+	aliases {
+		serial0 = "/soc/serial@7e201000";
+		serial1 = "/soc/serial@7e215040";
+	};
+
+	__overrides__ {
+		krnbt = <&minibt>,"status";
+	};
+};
+
+/* otg_mode=1 */
+ 
+&usb { 
+	status = "disabled";
+};
+
+&xhci { 
+	status = "okay";
+};
+
diff --git a/board/beacon-cm4/genbootfs.cfg b/board/beacon-cm4/genbootfs.cfg
new file mode 100644
index 0000000..fcd659f
--- /dev/null
+++ b/board/beacon-cm4/genbootfs.cfg
@@ -0,0 +1,17 @@
+image boot.vfat {
+	vfat {
+		files = {
+			"bcm2711-rpi-cm4.dtb",
+			"custom/cmdline.txt",
+			"rpi-firmware/config.txt",
+			"rpi-firmware/fixup4.dat",
+			"rpi-firmware/start4.elf",
+			"rpi-firmware/overlays",
+			"u-boot.bin",
+			"boot.scr"
+		}
+	}
+
+	size = 256M
+}
+
diff --git a/board/beacon-cm4/genimage.cfg b/board/beacon-cm4/genimage.cfg
new file mode 100644
index 0000000..6fb5718
--- /dev/null
+++ b/board/beacon-cm4/genimage.cfg
@@ -0,0 +1,85 @@
+image data.ext4 {
+	name = "Data"
+	mountpoint = /data
+	ext4 {
+		use-mke2fs = true
+		label = "Data"
+		features = "^64bit"
+	}
+	size = 128M
+}
+
+image upload.ext4 {
+	name = "Upload"
+	empty = true
+	ext4 {
+		use-mke2fs = true
+		label = "Upload"
+		features = "^64bit"
+	}
+	size = 900M
+}
+
+image sdcard.img {
+	hdimage {
+		partition-table-type = mbr
+		extended-partition = 4
+	}
+
+	partition ubootenv0 {
+		image = "uboot-env.bin"
+		in-partition-table = false
+		offset = 1M
+	}
+
+	partition ubootenv1 {
+		image = "uboot-env.bin"
+		in-partition-table = false
+		offset = 2M
+	}
+
+	partition boot0 {
+		partition-type = 0xC
+		bootable = true
+		image = "boot.vfat"
+		# Leave room for U-Boot environment
+		offset = 4M
+	}
+
+	partition boot1 {
+		image = "boot.vfat"
+		in-partition-table = false
+		# 256M + 4M
+		offset = 260M
+	}
+
+	partition rescue {
+		partition-type = 0x83
+		image = "rootfs.squashfs"
+		size = 256M
+	}
+
+	partition data {
+		partition-type = 0x83
+		image = "data.ext4"
+		size = 128M
+	}
+
+	partition rootfs0 {
+		partition-type = 0x83
+		image = "rootfs.ext4"
+		size = 900M
+	}
+
+	partition rootfs1 {
+		partition-type = 0x83
+		image = "rootfs.ext4"
+		size = 900M
+	}
+
+	partition upload {
+		partition-type = 0x83
+		image = "upload.ext4"
+		size = 900M
+	}
+}
diff --git a/board/beacon-cm4/linux.fragment b/board/beacon-cm4/linux.fragment
new file mode 100644
index 0000000..fd03e0b
--- /dev/null
+++ b/board/beacon-cm4/linux.fragment
@@ -0,0 +1,9 @@
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_DM_VERITY=y
+CONFIG_SQUASHFS=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_DM_CRYPT=y
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_XTS=y
diff --git a/board/beacon-cm4/post-build.sh b/board/beacon-cm4/post-build.sh
new file mode 100755
index 0000000..c27b27e
--- /dev/null
+++ b/board/beacon-cm4/post-build.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+set -u
+set -e
+
+RAUC_COMPATIBLE="${2:-beacon-cm4}"
+BOARD_DIR="$(dirname $0)"
+BOARD_NAME="$(basename ${BOARD_DIR})"
+# Pass VERSION as an environment variable (eg: export from a top-level Makefile)
+# If VERSION is unset, fallback to the Buildroot version
+RAUC_VERSION=${VERSION:-${BR2_VERSION_FULL}}
+
+# Add a console on tty1
+if [ -e ${TARGET_DIR}/etc/inittab ]; then
+    grep -qE '^tty1::' ${TARGET_DIR}/etc/inittab || \
+	sed -i '/GENERIC_SERIAL/a\
+tty1::respawn:/sbin/getty -L  tty1 0 vt100 # HDMI console' ${TARGET_DIR}/etc/inittab
+# systemd doesn't use /etc/inittab, enable getty.tty1.service instead
+elif [ -d ${TARGET_DIR}/etc/systemd ]; then
+    mkdir -p "${TARGET_DIR}/etc/systemd/system/getty.target.wants"
+    ln -sf /lib/systemd/system/getty@.service \
+       "${TARGET_DIR}/etc/systemd/system/getty.target.wants/getty@tty1.service"
+fi
+
+
+# Mount persistent data partitions
+if [ -e ${TARGET_DIR}/etc/fstab ]; then
+	# For configuration data
+	# WARNING: data=journal is safest, but potentially slow!
+	grep -qE 'LABEL=Data' ${TARGET_DIR}/etc/fstab || \
+	echo "LABEL=Data /data ext4 defaults,data=journal,noatime 0 0" >> ${TARGET_DIR}/etc/fstab
+
+	# For bulk data (eg: firmware updates)
+	grep -qE 'LABEL=Upload' ${TARGET_DIR}/etc/fstab || \
+	echo "LABEL=Upload /upload ext4 defaults,noatime 0 0" >> ${TARGET_DIR}/etc/fstab
+fi
+
+# Copy custom cmdline.txt file
+install -D -m 0644 ${BR2_EXTERNAL_BEACON_PATH}/board/beacon-cm4/cmdline.txt ${BINARIES_DIR}/custom/cmdline.txt
+
+# Copy RAUC certificate
+if [ -e ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/ca.cert.pem ]; then
+	install -D -m 0644 ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/ca.cert.pem ${TARGET_DIR}/etc/rauc/keyring.pem
+else
+	echo "RAUC CA certificate not found!"
+	echo "...did you run the openssl-ca.sh script?"
+	exit 1
+fi
+
+# Update RAUC compatible string
+sed -i "/compatible/s/=.*\$/=${RAUC_COMPATIBLE}/" ${TARGET_DIR}/etc/rauc/system.conf
+
+# Create rauc version file
+echo "${RAUC_VERSION}" > ${TARGET_DIR}/etc/rauc/version
+
+# Customize login prompt with login hints
+cat <<- EOF >> ${TARGET_DIR}/etc/issue
+
+	Default username:password is [user:beacon]
+	Root login disabled, use sudo su -
+	With great power comes great responsibility!
+
+	eth0: \4{eth0}
+
+EOF
diff --git a/board/beacon-cm4/post-image.sh b/board/beacon-cm4/post-image.sh
new file mode 100755
index 0000000..1020e78
--- /dev/null
+++ b/board/beacon-cm4/post-image.sh
@@ -0,0 +1,140 @@
+#!/bin/bash
+
+set -e
+
+BOARD_DIR="$(dirname $0)"
+BOARD_NAME="$(basename ${BOARD_DIR})"
+GENIMAGE_CFG="${BOARD_DIR}/genimage.cfg"
+GENIMAGE_TMP="${BUILD_DIR}/genimage.tmp"
+GENBOOTFS_CFG="${BOARD_DIR}/genbootfs.cfg"
+RAUC_COMPATIBLE="${2:-beacon-cm4}"
+
+# Pass VERSION as an environment variable (eg: export from a top-level Makefile)
+# If VERSION is unset, fallback to the Buildroot version
+RAUC_VERSION=${VERSION:-${BR2_VERSION_FULL}}
+
+# Pass an empty rootpath. genimage makes a full copy of the given rootpath to
+# ${GENIMAGE_TMP}/root so passing TARGET_DIR would be a waste of time and disk
+# space. We don't rely on genimage to build the rootfs image, just to insert a
+# pre-built one in the disk image.
+
+trap 'rm -rf "${ROOTPATH_TMP}"' EXIT
+ROOTPATH_TMP="$(mktemp -d)"
+
+rm -rf "${GENIMAGE_TMP}"
+
+# Generate the boot filesystem image
+
+genimage \
+	--rootpath "${ROOTPATH_TMP}"   \
+	--tmppath "${GENIMAGE_TMP}"    \
+	--inputpath "${BINARIES_DIR}"  \
+	--outputpath "${BINARIES_DIR}" \
+	--config "${GENBOOTFS_CFG}"
+
+# Generate a RAUC update bundle for the full system (bootfs + rootfs)
+[ -e ${BINARIES_DIR}/update.raucb ] && rm -rf ${BINARIES_DIR}/update.raucb
+[ -e ${BINARIES_DIR}/temp-update ] && rm -rf ${BINARIES_DIR}/temp-update
+mkdir -p ${BINARIES_DIR}/temp-update
+
+cat >> ${BINARIES_DIR}/temp-update/manifest.raucm << EOF
+[update]
+compatible=${RAUC_COMPATIBLE}
+version=${RAUC_VERSION}
+[bundle]
+format=verity
+[image.bootloader]
+filename=boot.vfat
+[image.rootfs]
+filename=rootfs.ext4
+EOF
+
+ln -L ${BINARIES_DIR}/boot.vfat ${BINARIES_DIR}/temp-update/
+ln -L ${BINARIES_DIR}/rootfs.ext4 ${BINARIES_DIR}/temp-update/
+
+${HOST_DIR}/bin/rauc bundle \
+	--cert ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/development-1.cert.pem \
+	--key ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/private/development-1.key.pem \
+	--keyring ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/ca.cert.pem \
+	${BINARIES_DIR}/temp-update/ \
+	${BINARIES_DIR}/update.raucb
+
+# Generate a RAUC update bundle for just the root filesystem
+[ -e ${BINARIES_DIR}/rootfs.raucb ] && rm -rf ${BINARIES_DIR}/rootfs.raucb
+[ -e ${BINARIES_DIR}/temp-rootfs ] && rm -rf ${BINARIES_DIR}/temp-rootfs
+mkdir -p ${BINARIES_DIR}/temp-rootfs
+
+cat >> ${BINARIES_DIR}/temp-rootfs/manifest.raucm << EOF
+[update]
+compatible=${RAUC_COMPATIBLE}
+version=${RAUC_VERSION}
+[bundle]
+format=verity
+[image.rootfs]
+filename=rootfs.ext4
+EOF
+
+ln -L ${BINARIES_DIR}/rootfs.ext4 ${BINARIES_DIR}/temp-rootfs/
+
+${HOST_DIR}/bin/rauc bundle \
+	--cert ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/development-1.cert.pem \
+	--key ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/private/development-1.key.pem \
+	--keyring ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/ca.cert.pem \
+	${BINARIES_DIR}/temp-rootfs/ \
+	${BINARIES_DIR}/rootfs.raucb
+
+# Parse update.raucb and generate initial rauc.status file
+# FIXME: There is probably a MUCH better way to do this,
+#        suggestions welcome!
+eval $(rauc --keyring ${BR2_EXTERNAL_BEACON_PATH}/openssl-ca/dev/ca.cert.pem --output-format=shell info ${BINARIES_DIR}/update.raucb)
+
+cat > ${BINARIES_DIR}/rauc.status << EOF
+[slot.rescue.0]
+bundle.compatible=${RAUC_MF_COMPATIBLE}
+bundle.version=${RAUC_MF_VERSION}
+status=ok
+
+[slot.${RAUC_IMAGE_CLASS_0}.0]
+bundle.compatible=${RAUC_MF_COMPATIBLE}
+bundle.version=${RAUC_MF_VERSION}
+status=ok
+sha256=${RAUC_IMAGE_DIGEST_0}
+size=${RAUC_IMAGE_SIZE_0}
+
+[slot.${RAUC_IMAGE_CLASS_1}.0]
+bundle.compatible=${RAUC_MF_COMPATIBLE}
+bundle.version=${RAUC_MF_VERSION}
+status=ok
+sha256=${RAUC_IMAGE_DIGEST_1}
+size=${RAUC_IMAGE_SIZE_1}
+
+[slot.${RAUC_IMAGE_CLASS_1}.1]
+bundle.compatible=${RAUC_MF_COMPATIBLE}
+bundle.version=${RAUC_MF_VERSION}
+status=ok
+sha256=${RAUC_IMAGE_DIGEST_1}
+size=${RAUC_IMAGE_SIZE_1}
+EOF
+
+# Install rauc.status to genimage rootpath
+install -D -m 0644 ${BINARIES_DIR}/rauc.status ${ROOTPATH_TMP}/data/rauc.status
+
+
+# Generate the sdcard image
+
+rm -rf "${GENIMAGE_TMP}"
+
+genimage \
+	--rootpath "${ROOTPATH_TMP}"   \
+	--tmppath "${GENIMAGE_TMP}"    \
+	--inputpath "${BINARIES_DIR}"  \
+	--outputpath "${BINARIES_DIR}" \
+	--config "${GENIMAGE_CFG}"
+
+# Create a bmap file for the sdcard image
+bmaptool create "${BINARIES_DIR}/sdcard.img" -o "${BINARIES_DIR}/sdcard.img.bmap"
+
+# Compress the sdcard image
+[ -e "${BINARIES_DIR}/sdcard.img.xz" ] && rm "${BINARIES_DIR}/sdcard.img.xz"
+xz -v -T 0 "${BINARIES_DIR}/sdcard.img"
+
diff --git a/board/beacon-cm4/rootfs-overlay/boot/uEnv.txt b/board/beacon-cm4/rootfs-overlay/boot/uEnv.txt
new file mode 100644
index 0000000..bd2a81a
--- /dev/null
+++ b/board/beacon-cm4/rootfs-overlay/boot/uEnv.txt
@@ -0,0 +1,3 @@
+bootargs_force=
+bootargs_extra=
+
diff --git a/board/beacon-cm4/rootfs-overlay/data/.keep b/board/beacon-cm4/rootfs-overlay/data/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/board/beacon-cm4/rootfs-overlay/etc/fw_env.config b/board/beacon-cm4/rootfs-overlay/etc/fw_env.config
new file mode 100644
index 0000000..24369e7
--- /dev/null
+++ b/board/beacon-cm4/rootfs-overlay/etc/fw_env.config
@@ -0,0 +1,2 @@
+/dev/mmcblk0	0x100000	0x8000
+/dev/mmcblk0	0x200000	0x8000
diff --git a/board/beacon-cm4/rootfs-overlay/etc/rauc/system.conf b/board/beacon-cm4/rootfs-overlay/etc/rauc/system.conf
new file mode 100644
index 0000000..ea1625a
--- /dev/null
+++ b/board/beacon-cm4/rootfs-overlay/etc/rauc/system.conf
@@ -0,0 +1,31 @@
+[system]
+compatible=beacon-cm4
+mountprefix=/run/rauc
+statusfile=/data/rauc.status
+bootloader=uboot
+bundle-formats=-plain
+
+[keyring]
+path=/etc/rauc/keyring.pem
+use-bundle-signing-time=true
+
+[slot.bootloader.0]
+device=/dev/mmcblk0
+type=boot-mbr-switch
+region-start=4M
+region-size=512M
+
+[slot.rescue.0]
+device=/dev/mmcblk0p2
+type=raw
+
+[slot.rootfs.0]
+device=/dev/mmcblk0p5
+type=ext4
+bootname=A
+
+[slot.rootfs.1]
+device=/dev/mmcblk0p6
+type=ext4
+bootname=B
+
diff --git a/board/beacon-cm4/rootfs-overlay/etc/sudoers.d/user b/board/beacon-cm4/rootfs-overlay/etc/sudoers.d/user
new file mode 100644
index 0000000..d9f5d70
--- /dev/null
+++ b/board/beacon-cm4/rootfs-overlay/etc/sudoers.d/user
@@ -0,0 +1 @@
+user	ALL=(ALL) NOPASSWD: ALL
diff --git a/board/beacon-cm4/rootfs-overlay/etc/systemd/system.conf.d/watchdog.conf b/board/beacon-cm4/rootfs-overlay/etc/systemd/system.conf.d/watchdog.conf
new file mode 100644
index 0000000..6da1615
--- /dev/null
+++ b/board/beacon-cm4/rootfs-overlay/etc/systemd/system.conf.d/watchdog.conf
@@ -0,0 +1,6 @@
+[Manager]
+RuntimeWatchdogSec=10
+#RebootWatchdogSec=10min
+#KExecWatchdogSec=off
+#WatchdogDevice=
+
diff --git a/board/beacon-cm4/rootfs-overlay/upload/.keep b/board/beacon-cm4/rootfs-overlay/upload/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/board/beacon-cm4/u-boot.fragment b/board/beacon-cm4/u-boot.fragment
new file mode 100644
index 0000000..d81a1e7
--- /dev/null
+++ b/board/beacon-cm4/u-boot.fragment
@@ -0,0 +1,8 @@
+CONFIG_ENV_OFFSET=0x100000
+CONFIG_ENV_OFFSET_REDUND=0x200000
+CONFIG_ENV_SIZE=0x8000
+# CONFIG_ENV_IS_IN_FAT is not set
+CONFIG_ENV_IS_IN_MMC=y
+CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
+CONFIG_CMD_SQUASHFS=y
+CONFIG_USB_XHCI_BRCM=y
diff --git a/board/beacon-cm4/u-boot_beacon.ush b/board/beacon-cm4/u-boot_beacon.ush
new file mode 100644
index 0000000..4cf4afe
--- /dev/null
+++ b/board/beacon-cm4/u-boot_beacon.ush
@@ -0,0 +1,114 @@
+test -n "${BOOT_ORDER}" || setenv BOOT_ORDER "A B"
+test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
+test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
+test -n "${bootargs_default}" || setenv bootargs_default coherent_pool=1M vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000 rootwait console=tty1 console=ttyAMA0,115200
+test -n "${DTB_FILE}" || setenv DTB_FILE bcm2711-rpi-cm4.dtb
+
+# RPi firmware uses a dynamic fdt_addr, but U-Boot does not use the fw
+# provided address if fdt_addr is already defined in the environment!
+# Copy fdt_addr to a local variable and delete the environment variable
+# so it never gets accidentally saved:
+fdt_addr=${fdt_addr}
+env delete fdt_addr
+
+# To boot from the rescue partition, tie GPIO4 (pin 7) to GND (pin 9)
+# The gpio input command will return an exit status of 0 (true)
+# If the pin is high (pulled up by default) the exit status is 1 (false)
+if gpio input gpio4 ; then
+	# GPIO4 is shorted to ground so boot in rescue mode
+	echo "Booting from rescue partition"
+	setenv load_uenv "load mmc 0:2 ${kernel_addr_r} /boot/uEnv.txt"
+	setenv load_fdt "load mmc 0:2 ${fdt_addr_r} /boot/${DTB_FILE}"
+	setenv load_kernel "load mmc 0:2 ${kernel_addr_r} /boot/Image"
+	raucargs="root=/dev/mmcblk0p2"
+	rescue=true
+else
+	raucargs=unset
+	for BOOT_SLOT in "${BOOT_ORDER}"; do
+		if test "x${raucargs}" != "xunset"; then
+			# skip remaining slots
+		elif test "x${BOOT_SLOT}" = "xA"; then
+			if test ${BOOT_A_LEFT} -gt 0; then
+				echo "Found valid slot A, ${BOOT_A_LEFT} attempts remaining"
+				setexpr BOOT_A_LEFT ${BOOT_A_LEFT} - 1
+				setenv load_uenv "load mmc 0:5 ${kernel_addr_r} /boot/uEnv.txt"
+				setenv load_fdt "load mmc 0:5 ${fdt_addr_r} /boot/${DTB_FILE}"
+				setenv load_kernel "load mmc 0:5 ${kernel_addr_r} /boot/Image"
+				raucargs="root=/dev/mmcblk0p5 rauc.slot=A"
+			fi
+		elif test "x${BOOT_SLOT}" = "xB"; then
+			if test ${BOOT_B_LEFT} -gt 0; then
+				echo "Found valid slot B, ${BOOT_B_LEFT} attempts remaining"
+				setexpr BOOT_B_LEFT ${BOOT_B_LEFT} - 1
+				setenv load_uenv "load mmc 0:6 ${kernel_addr_r} /boot/uEnv.txt"
+				setenv load_fdt "load mmc 0:6 ${fdt_addr_r} /boot/${DTB_FILE}"
+				setenv load_kernel "load mmc 0:6 ${kernel_addr_r} /boot/Image"
+				raucargs="root=/dev/mmcblk0p6 rauc.slot=B"
+			fi
+		fi
+	done
+fi
+
+if test "x${raucargs}" = "xunset"; then
+	echo "No valid slot found, resetting tries to 3"
+	setenv BOOT_A_LEFT 3
+	setenv BOOT_B_LEFT 3
+	saveenv
+	reset
+fi
+
+# Examine the fdt loaded by the firmware
+# Pass fw_dtb to use the dtb loaded by the firmware
+fdt_live=unset
+fdt addr ${fdt_addr}
+fdt get value bootargs_fw /chosen bootargs
+for arg in ${bootargs_fw} ; do
+	if test "x${arg}" = "xfw_dtb" ; then
+		fdt_live=${fdt_addr}
+	fi
+done
+
+# Save bootargs_fw in a local variable for later use
+bootargs_fw=${bootargs_fw}
+env del bootargs_fw
+
+if test "x${rescue}" = "xtrue" -o "x${fdt_live}" = "xunset"; then
+	# Using device-tree from rootfs
+	# Check to see if we have any customizations in a uEnv.txt file
+	env del bootargs_force bootargs_extra
+	echo "Checking for /boot/uEnv.txt"
+	if run load_uenv ; then
+		echo "Importing uEnv.txt"
+		env import -t -r ${fileaddr} ${filesize}
+	fi
+
+	# Load our actual device-tree file
+	echo "Loading device-tree"
+	run load_fdt
+
+	# Point to run-time device-tree
+	fdt_live=${fdt_addr_r}
+
+	# Setup kernel parameters
+	if test -n "${bootargs_force}" ; then
+		setenv bootargs "${bootargs_force} ${raucargs}"
+	else
+		setenv bootargs "${bootargs_default} ${bootargs_extra} ${raucargs}"
+	fi
+else
+	# Using FW provided device-tree
+	# Append rauc boot arguments to FW generated command line
+	# This setting will override /chosen/bootargs in the device-tree
+	echo "Using firmware device-tree"
+	setenv bootargs "${bootargs_fw} ${raucargs}"
+fi
+
+# Store updated boot state...
+# ...above code should have modified BOOT_(AB)_LEFT and bootargs
+saveenv
+
+echo "Loading kernel"
+run load_kernel
+
+echo "Starting kernel"
+booti ${kernel_addr_r} - ${fdt_live}
diff --git a/board/beacon-cm4/users b/board/beacon-cm4/users
new file mode 100644
index 0000000..7874c18
--- /dev/null
+++ b/board/beacon-cm4/users
@@ -0,0 +1,2 @@
+user 1000 user 1000 $6$XUtVBGdpmufH8R2H$olowG.5WTG7pEth5D..PyeKEmAze3SM9.I6Raf9k.OfS0OiS0wxbdOBJH.BgklLEKWH6REmXRUGyDylyWfDmg/ /home/user /bin/sh adm,audio,cdrom,dialout,floppy,plugdev,staff,sudo,video Default user
+
diff --git a/configs/beacon_cm4_rauc_defconfig b/configs/beacon_cm4_rauc_defconfig
new file mode 100644
index 0000000..a2a8560
--- /dev/null
+++ b/configs/beacon_cm4_rauc_defconfig
@@ -0,0 +1,62 @@
+BR2_aarch64=y
+BR2_cortex_a72=y
+BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_BEACON_PATH)/patches"
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_6=y
+BR2_TOOLCHAIN_BUILDROOT_CXX=y
+BR2_GCC_ENABLE_LTO=y
+BR2_TARGET_GENERIC_HOSTNAME="beacon"
+BR2_TARGET_GENERIC_ISSUE="Welcome to Beacon Buildroot+RAUC"
+BR2_INIT_SYSTEMD=y
+# BR2_TARGET_ENABLE_ROOT_LOGIN is not set
+# BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW is not set
+BR2_SYSTEM_DHCP="eth0"
+BR2_SYSTEM_DEFAULT_PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+BR2_ROOTFS_USERS_TABLES="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/users"
+BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/rootfs-overlay"
+BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/post-build.sh"
+BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/post-image.sh"
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_GIT=y
+BR2_LINUX_KERNEL_CUSTOM_REPO_URL="https://github.com/raspberrypi/linux"
+BR2_LINUX_KERNEL_CUSTOM_REPO_VERSION="rpi-6.6.y"
+BR2_LINUX_KERNEL_DEFCONFIG="bcm2711"
+BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/linux.fragment"
+BR2_LINUX_KERNEL_DTS_SUPPORT=y
+BR2_LINUX_KERNEL_INTREE_DTS_NAME="broadcom/bcm2711-rpi-cm4"
+BR2_LINUX_KERNEL_INSTALL_TARGET=y
+BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+BR2_PACKAGE_BUSYBOX_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/busybox.fragment"
+BR2_PACKAGE_RPI_FIRMWARE=y
+BR2_PACKAGE_RPI_FIRMWARE_VARIANT_PI4=y
+BR2_PACKAGE_RPI_FIRMWARE_VARIANT_PI4_X=y
+BR2_PACKAGE_RPI_FIRMWARE_CONFIG_FILE="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/config_cm4.txt"
+BR2_PACKAGE_DTC=y
+BR2_PACKAGE_DTC_PROGRAMS=y
+BR2_PACKAGE_SUDO=y
+BR2_PACKAGE_RAUC=y
+BR2_PACKAGE_RAUC_DBUS=y
+BR2_PACKAGE_RAUC_NETWORK=y
+BR2_PACKAGE_RAUC_JSON=y
+BR2_PACKAGE_DROPBEAR=y
+BR2_PACKAGE_CRYPTSETUP=y
+BR2_PACKAGE_UTIL_LINUX_WDCTL=y
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_4=y
+BR2_TARGET_ROOTFS_EXT2_SIZE="250M"
+BR2_TARGET_ROOTFS_SQUASHFS=y
+# BR2_TARGET_ROOTFS_TAR is not set
+BR2_TARGET_UBOOT=y
+BR2_TARGET_UBOOT_BOARD_DEFCONFIG="rpi_arm64"
+BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/u-boot.fragment"
+BR2_PACKAGE_HOST_DOSFSTOOLS=y
+BR2_PACKAGE_HOST_ENVIRONMENT_SETUP=y
+BR2_PACKAGE_HOST_GENIMAGE=y
+BR2_PACKAGE_HOST_MTOOLS=y
+BR2_PACKAGE_HOST_RAUC=y
+BR2_PACKAGE_HOST_UBOOT_TOOLS=y
+BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE=y
+BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SIZE="0x8000"
+BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_REDUNDANT=y
+BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT=y
+BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT_SOURCE="$(BR2_EXTERNAL_BEACON_PATH)/board/beacon-cm4/u-boot_beacon.ush"
diff --git a/external.desc b/external.desc
new file mode 100644
index 0000000..ca40553
--- /dev/null
+++ b/external.desc
@@ -0,0 +1,2 @@
+name: BEACON
+desc: Beacon Buildroot + RAUC for RPi CM4
diff --git a/external.mk b/external.mk
new file mode 100644
index 0000000..e592d34
--- /dev/null
+++ b/external.mk
@@ -0,0 +1 @@
+include $(sort $(wildcard $(BR2_EXTERNAL_BEACON_PATH)/package/*/*.mk))
diff --git a/openssl-ca.sh b/openssl-ca.sh
new file mode 100755
index 0000000..6ffd21f
--- /dev/null
+++ b/openssl-ca.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+set -xe
+
+ORG="${1:-Test Org}"
+CA="${2:-rauc CA}"
+
+# After the CRL expires, signatures cannot be verified anymore
+CRL="-crldays 5000"
+
+BASE="$(pwd)/openssl-ca"
+
+if [ -e $BASE ]; then
+  echo "$BASE already exists"
+  exit 1
+fi
+
+mkdir -p $BASE/dev/{private,certs}
+touch $BASE/dev/index.txt
+echo 01 > $BASE/dev/serial
+
+cat > $BASE/openssl.cnf <<EOF
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+[ CA_default ]
+
+dir            = .                     # top dir
+database       = \$dir/index.txt        # index file.
+new_certs_dir  = \$dir/certs            # new certs dir
+
+certificate    = \$dir/ca.cert.pem       # The CA cert
+serial         = \$dir/serial           # serial no file
+private_key    = \$dir/private/ca.key.pem# CA private key
+RANDFILE       = \$dir/private/.rand    # random number file
+
+default_startdate = 19700101000000Z
+default_enddate = 99991231235959Z
+default_crl_days= 30                   # how long before next CRL
+default_md     = sha256                # md to use
+
+policy         = policy_any            # default policy
+email_in_dn    = no                    # Don't add the email into cert DN
+
+name_opt       = ca_default            # Subject name display option
+cert_opt       = ca_default            # Certificate display option
+copy_extensions = none                 # Don't copy extensions from request
+
+[ policy_any ]
+organizationName       = match
+commonName             = supplied
+
+[ req ]
+default_bits           = 2048
+distinguished_name     = req_distinguished_name
+x509_extensions        = v3_leaf
+encrypt_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+commonName                     = Common Name (eg, YOUR name)
+commonName_max                 = 64
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:TRUE
+
+[ v3_inter ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:TRUE,pathlen:0
+
+[ v3_leaf ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:FALSE
+EOF
+
+export OPENSSL_CONF=$BASE/openssl.cnf
+
+echo "Development CA"
+cd $BASE/dev
+openssl req -newkey rsa:4096 -keyout private/ca.key.pem -out ca.csr.pem -subj "/O=$ORG/CN=$ORG $CA Development"
+openssl ca -batch -selfsign -extensions v3_ca -in ca.csr.pem -out ca.cert.pem -keyfile private/ca.key.pem
+
+echo "Development Signing Keys 1"
+cd $BASE/dev
+openssl req -newkey rsa:4096 -keyout private/development-1.key.pem -out development-1.csr.pem -subj "/O=$ORG/CN=$ORG Development-1"
+openssl ca -batch -extensions v3_leaf -in development-1.csr.pem -out development-1.cert.pem
diff --git a/openssl-ca/dev/ca.cert.pem b/openssl-ca/dev/ca.cert.pem
new file mode 100644
index 0000000..005ee95
--- /dev/null
+++ b/openssl-ca/dev/ca.cert.pem
@@ -0,0 +1,122 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=Test Org, CN=Test Org rauc CA Development
+        Validity
+            Not Before: Jan  1 00:00:00 1970 GMT
+            Not After : Dec 31 23:59:59 9999 GMT
+        Subject: O=Test Org, CN=Test Org rauc CA Development
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:93:a5:f9:78:b0:1c:ef:7c:2e:74:d1:59:ea:a7:
+                    ff:de:64:ea:c7:28:6f:b6:da:bb:f2:e3:0f:01:61:
+                    4f:dd:e5:ba:d1:a4:2f:b7:f1:5e:13:d6:9d:a4:ff:
+                    4e:b5:d3:be:13:42:26:08:aa:2a:3b:b0:f5:86:6a:
+                    f7:30:0e:81:8d:57:40:8b:77:72:46:cb:4b:12:22:
+                    92:4f:13:86:93:6b:16:b5:8b:6a:eb:f9:28:cf:4b:
+                    68:f7:63:72:61:79:88:e1:5d:2a:d2:86:5a:1d:11:
+                    2a:03:b6:5f:54:d9:a9:7b:c2:ee:64:d6:55:52:12:
+                    b3:92:46:2d:67:05:ab:e8:54:c6:a1:63:f9:57:c4:
+                    82:5e:fe:a4:fa:55:68:45:ff:31:9c:9a:63:26:39:
+                    17:15:56:18:49:3d:8d:c7:c3:f5:ee:b2:b4:73:ef:
+                    2c:9b:8a:95:11:bd:a6:4a:87:28:fc:55:be:8f:01:
+                    68:cb:0a:24:7c:b9:a5:5c:d8:3c:96:32:44:0f:13:
+                    de:4d:83:9e:3e:8e:9b:7d:a6:27:4b:c0:39:4e:0f:
+                    23:84:79:fb:c7:30:96:11:6a:2c:5a:d7:53:a7:ba:
+                    68:e4:2b:4d:db:a9:a1:c6:58:94:eb:a8:2c:6d:43:
+                    5a:20:88:28:35:14:17:ad:da:eb:a6:3e:82:4a:65:
+                    dd:2e:fd:8d:72:c0:81:62:45:e1:40:2b:19:8c:56:
+                    98:f7:4c:57:14:bb:18:42:3a:37:c9:d0:19:fd:25:
+                    0f:ca:3c:df:09:77:7c:01:28:02:a3:a6:9e:92:81:
+                    e0:1c:3f:c2:c2:a5:36:12:c3:4e:28:8d:82:af:21:
+                    e2:e6:6f:e4:96:60:10:5e:71:a1:41:e2:5c:92:ef:
+                    84:18:c9:6a:f6:82:79:a2:c8:0c:a6:d0:a2:85:a6:
+                    42:3e:54:b7:fd:91:84:7b:bb:7e:89:69:1c:39:68:
+                    bb:df:f9:f3:16:14:9c:7a:82:50:c3:6c:00:0d:61:
+                    6f:9a:c6:01:89:61:0c:cd:47:e2:b4:63:43:3a:1e:
+                    56:9c:2f:d4:35:87:01:ca:87:8b:d0:ce:b5:3e:fa:
+                    68:4b:c1:3b:ba:af:e0:20:07:a4:3a:54:b3:47:2e:
+                    72:e3:0e:a9:78:60:0e:7f:41:b9:bb:0d:b8:01:4c:
+                    11:e4:aa:4b:7f:1f:45:fc:5a:57:cb:10:99:22:33:
+                    60:8a:60:95:85:fd:77:ff:1f:19:1e:83:e6:a3:cd:
+                    25:41:51:19:7b:8b:d3:75:75:f4:77:d2:17:25:47:
+                    27:50:4c:bb:61:85:25:f5:a9:a7:4e:94:fa:24:1a:
+                    12:fb:9c:69:da:7a:9f:0f:cd:db:30:72:16:d8:49:
+                    6d:c0:ed
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                1E:A9:92:E5:32:88:88:27:75:82:6B:7F:C0:63:8F:A2:F9:09:6B:E2
+            X509v3 Authority Key Identifier: 
+                keyid:1E:A9:92:E5:32:88:88:27:75:82:6B:7F:C0:63:8F:A2:F9:09:6B:E2
+                DirName:/O=Test Org/CN=Test Org rauc CA Development
+                serial:01
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        47:91:cb:4d:2f:19:20:96:65:2b:54:05:15:07:02:46:f0:33:
+        6f:84:e8:fc:32:04:43:5a:5a:90:3c:64:8b:8a:4e:19:73:ac:
+        11:62:79:93:d5:c3:61:c9:88:16:d6:84:f1:9c:ed:09:6c:55:
+        0b:ba:2d:a6:a6:bf:42:e3:6c:c4:90:69:43:22:aa:9d:6d:26:
+        a9:96:3f:9e:93:61:c4:ab:74:e1:0f:c9:30:1d:fa:2f:21:18:
+        a2:75:da:74:7c:48:40:4c:21:2d:42:a6:ba:2c:6a:d5:26:09:
+        6f:6a:84:71:a7:47:dd:a6:87:b2:37:50:f3:1b:24:84:ef:cd:
+        75:13:11:db:f8:ed:95:59:07:7b:a6:d6:fc:22:74:03:29:66:
+        70:77:e1:82:e7:cf:bd:33:31:b9:97:61:70:61:3c:b2:ae:4f:
+        45:73:92:75:8f:5b:15:25:54:8e:16:4e:6d:5f:3e:c4:8f:b2:
+        c4:70:14:83:e8:e9:61:e4:30:5b:da:24:e0:c8:34:ee:4d:4a:
+        53:49:c3:15:f8:94:19:f0:b5:7d:c7:13:a9:b7:6b:e3:c7:1d:
+        e4:1c:52:ef:d6:0f:2b:1a:18:ef:dd:ef:d2:ac:5c:18:6e:e0:
+        40:30:46:40:75:28:d2:ce:f0:96:90:35:15:04:83:5a:51:96:
+        3d:b7:ab:cc:07:c4:71:c4:93:72:4d:2a:ce:3c:ec:8c:d0:39:
+        5d:aa:e0:ac:9f:48:e3:53:01:12:ab:08:df:ae:92:54:7b:f1:
+        f1:28:7d:0a:00:20:ff:60:4a:ff:79:f9:cb:0f:ab:f9:12:ea:
+        d6:70:97:75:68:5e:12:6d:30:7e:c8:58:08:79:63:61:bb:5c:
+        eb:13:f6:f9:c1:a7:b2:d2:94:68:96:a6:ac:6f:e1:5e:76:66:
+        94:0b:e2:74:11:26:37:d5:7b:1f:48:a8:16:ca:95:5c:90:2a:
+        f5:83:70:ac:44:f6:b5:2e:c6:73:7c:b5:03:ba:c5:0a:8b:05:
+        ee:6d:85:bf:6a:96:d0:77:37:5a:8c:bb:70:42:e2:a2:26:cf:
+        cd:08:50:df:be:70:67:dc:a2:cc:7e:b3:eb:65:91:f8:0f:77:
+        52:85:8b:9a:9b:c6:11:43:1e:ed:05:34:a7:b3:6a:e5:73:4c:
+        bf:be:18:f0:60:c5:8d:a4:4b:5f:55:72:cb:13:b8:4b:e4:f2:
+        88:34:f5:57:58:ea:84:51:f4:95:ea:82:ca:d4:c8:e3:af:52:
+        f3:40:d6:04:da:4f:5d:50:4b:0a:2b:61:07:c9:ea:6c:0c:ec:
+        30:e5:52:95:21:ef:42:59:04:6d:8a:8c:3f:a1:08:51:f0:cb:
+        6d:a2:10:9d:20:4e:fb:1e
+-----BEGIN CERTIFICATE-----
+MIIFhjCCA26gAwIBAgIBATANBgkqhkiG9w0BAQsFADA6MREwDwYDVQQKDAhUZXN0
+IE9yZzElMCMGA1UEAwwcVGVzdCBPcmcgcmF1YyBDQSBEZXZlbG9wbWVudDAgFw03
+MDAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowOjERMA8GA1UECgwIVGVzdCBP
+cmcxJTAjBgNVBAMMHFRlc3QgT3JnIHJhdWMgQ0EgRGV2ZWxvcG1lbnQwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCTpfl4sBzvfC500Vnqp//eZOrHKG+2
+2rvy4w8BYU/d5brRpC+38V4T1p2k/061074TQiYIqio7sPWGavcwDoGNV0CLd3JG
+y0sSIpJPE4aTaxa1i2rr+SjPS2j3Y3JheYjhXSrShlodESoDtl9U2al7wu5k1lVS
+ErOSRi1nBavoVMahY/lXxIJe/qT6VWhF/zGcmmMmORcVVhhJPY3Hw/XusrRz7yyb
+ipURvaZKhyj8Vb6PAWjLCiR8uaVc2DyWMkQPE95Ng54+jpt9pidLwDlODyOEefvH
+MJYRaixa11OnumjkK03bqaHGWJTrqCxtQ1ogiCg1FBet2uumPoJKZd0u/Y1ywIFi
+ReFAKxmMVpj3TFcUuxhCOjfJ0Bn9JQ/KPN8Jd3wBKAKjpp6SgeAcP8LCpTYSw04o
+jYKvIeLmb+SWYBBecaFB4lyS74QYyWr2gnmiyAym0KKFpkI+VLf9kYR7u36JaRw5
+aLvf+fMWFJx6glDDbAANYW+axgGJYQzNR+K0Y0M6HlacL9Q1hwHKh4vQzrU++mhL
+wTu6r+AgB6Q6VLNHLnLjDql4YA5/Qbm7DbgBTBHkqkt/H0X8WlfLEJkiM2CKYJWF
+/Xf/Hxkeg+ajzSVBURl7i9N1dfR30hclRydQTLthhSX1qadOlPokGhL7nGnaep8P
+zdswchbYSW3A7QIDAQABo4GUMIGRMB0GA1UdDgQWBBQeqZLlMoiIJ3WCa3/AY4+i
++Qlr4jBiBgNVHSMEWzBZgBQeqZLlMoiIJ3WCa3/AY4+i+Qlr4qE+pDwwOjERMA8G
+A1UECgwIVGVzdCBPcmcxJTAjBgNVBAMMHFRlc3QgT3JnIHJhdWMgQ0EgRGV2ZWxv
+cG1lbnSCAQEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAR5HLTS8Z
+IJZlK1QFFQcCRvAzb4To/DIEQ1pakDxki4pOGXOsEWJ5k9XDYcmIFtaE8ZztCWxV
+C7otpqa/QuNsxJBpQyKqnW0mqZY/npNhxKt04Q/JMB36LyEYonXadHxIQEwhLUKm
+uixq1SYJb2qEcadH3aaHsjdQ8xskhO/NdRMR2/jtlVkHe6bW/CJ0AylmcHfhgufP
+vTMxuZdhcGE8sq5PRXOSdY9bFSVUjhZObV8+xI+yxHAUg+jpYeQwW9ok4Mg07k1K
+U0nDFfiUGfC1fccTqbdr48cd5BxS79YPKxoY793v0qxcGG7gQDBGQHUo0s7wlpA1
+FQSDWlGWPberzAfEccSTck0qzjzsjNA5XargrJ9I41MBEqsI366SVHvx8Sh9CgAg
+/2BK/3n5yw+r+RLq1nCXdWheEm0wfshYCHljYbtc6xP2+cGnstKUaJamrG/hXnZm
+lAvidBEmN9V7H0ioFsqVXJAq9YNwrET2tS7Gc3y1A7rFCosF7m2Fv2qW0Hc3Woy7
+cELioibPzQhQ375wZ9yizH6z62WR+A93UoWLmpvGEUMe7QU0p7Nq5XNMv74Y8GDF
+jaRLX1VyyxO4S+TyiDT1V1jqhFH0leqCytTI469S80DWBNpPXVBLCithB8nqbAzs
+MOVSlSHvQlkEbYqMP6EIUfDLbaIQnSBO+x4=
+-----END CERTIFICATE-----
diff --git a/openssl-ca/dev/ca.csr.pem b/openssl-ca/dev/ca.csr.pem
new file mode 100644
index 0000000..1b69dba
--- /dev/null
+++ b/openssl-ca/dev/ca.csr.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEfzCCAmcCAQAwOjERMA8GA1UECgwIVGVzdCBPcmcxJTAjBgNVBAMMHFRlc3Qg
+T3JnIHJhdWMgQ0EgRGV2ZWxvcG1lbnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQCTpfl4sBzvfC500Vnqp//eZOrHKG+22rvy4w8BYU/d5brRpC+38V4T
+1p2k/061074TQiYIqio7sPWGavcwDoGNV0CLd3JGy0sSIpJPE4aTaxa1i2rr+SjP
+S2j3Y3JheYjhXSrShlodESoDtl9U2al7wu5k1lVSErOSRi1nBavoVMahY/lXxIJe
+/qT6VWhF/zGcmmMmORcVVhhJPY3Hw/XusrRz7yybipURvaZKhyj8Vb6PAWjLCiR8
+uaVc2DyWMkQPE95Ng54+jpt9pidLwDlODyOEefvHMJYRaixa11OnumjkK03bqaHG
+WJTrqCxtQ1ogiCg1FBet2uumPoJKZd0u/Y1ywIFiReFAKxmMVpj3TFcUuxhCOjfJ
+0Bn9JQ/KPN8Jd3wBKAKjpp6SgeAcP8LCpTYSw04ojYKvIeLmb+SWYBBecaFB4lyS
+74QYyWr2gnmiyAym0KKFpkI+VLf9kYR7u36JaRw5aLvf+fMWFJx6glDDbAANYW+a
+xgGJYQzNR+K0Y0M6HlacL9Q1hwHKh4vQzrU++mhLwTu6r+AgB6Q6VLNHLnLjDql4
+YA5/Qbm7DbgBTBHkqkt/H0X8WlfLEJkiM2CKYJWF/Xf/Hxkeg+ajzSVBURl7i9N1
+dfR30hclRydQTLthhSX1qadOlPokGhL7nGnaep8PzdswchbYSW3A7QIDAQABoAAw
+DQYJKoZIhvcNAQELBQADggIBAEI8f3e1wTAOwy6UjRCnDDjBteDA6bpJGxAX23FU
+S2nfQg1LdUdlegKYT8xqca6HuE3t3N7C0hb9qtIbTpLpYAsW94/apBLI96Fhx7c0
+Hiw7vqlwIEDx68Qpk9DjyeFYWmHQ9xcgURta2GdhjFdyiDU2KO5o8MSltzJ0d3fZ
+a99J+xKXTp1jSzc82Ttce5NHrEyFWZ2xUdTzVzSkH8n4XQu7ycGuy7+li+fSe2s1
+J66s7tRm6YGK8eAisTo2/lkv+rB0lEKfiq9xYWgeJVKNBrmXux2a4liElWRwX1ez
+EhJ+GV21q6QYHCIayyAmxHi6NPBOBCD8Ig5bJdOJWl5lCeRdw56NZdHPsBJrhYhu
+hRRiTSg9GpDIUuItLwAG+UwXDEMV5d3o/b1hG5XmB9QeDESjljfteECpuMHwTaCN
+A7RUhgLVhFezYjjrE4UF77mGdipS4jLpGn/4ZniFfBfSE/L8sVYnYxgU1Q2LgW9X
+wz4L+RpULTXBWalGG69eRx4CujrlS7OFE2KobXFEB8DoYAM4LRnlKyzeIVMtUnxI
+/bMp3zDKHuN2KF7mPSRW+/BSLPzrLvnk0+K/UM8u1xtjQpE33KfLb/pXumuiqBY4
+pEshKRopP3f9W6pBh6azGaniymsxiWoshU/yZ7kGB91UXLXXFDRcCEQHsz40vovs
+JHVo
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl-ca/dev/certs/01.pem b/openssl-ca/dev/certs/01.pem
new file mode 100644
index 0000000..005ee95
--- /dev/null
+++ b/openssl-ca/dev/certs/01.pem
@@ -0,0 +1,122 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=Test Org, CN=Test Org rauc CA Development
+        Validity
+            Not Before: Jan  1 00:00:00 1970 GMT
+            Not After : Dec 31 23:59:59 9999 GMT
+        Subject: O=Test Org, CN=Test Org rauc CA Development
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:93:a5:f9:78:b0:1c:ef:7c:2e:74:d1:59:ea:a7:
+                    ff:de:64:ea:c7:28:6f:b6:da:bb:f2:e3:0f:01:61:
+                    4f:dd:e5:ba:d1:a4:2f:b7:f1:5e:13:d6:9d:a4:ff:
+                    4e:b5:d3:be:13:42:26:08:aa:2a:3b:b0:f5:86:6a:
+                    f7:30:0e:81:8d:57:40:8b:77:72:46:cb:4b:12:22:
+                    92:4f:13:86:93:6b:16:b5:8b:6a:eb:f9:28:cf:4b:
+                    68:f7:63:72:61:79:88:e1:5d:2a:d2:86:5a:1d:11:
+                    2a:03:b6:5f:54:d9:a9:7b:c2:ee:64:d6:55:52:12:
+                    b3:92:46:2d:67:05:ab:e8:54:c6:a1:63:f9:57:c4:
+                    82:5e:fe:a4:fa:55:68:45:ff:31:9c:9a:63:26:39:
+                    17:15:56:18:49:3d:8d:c7:c3:f5:ee:b2:b4:73:ef:
+                    2c:9b:8a:95:11:bd:a6:4a:87:28:fc:55:be:8f:01:
+                    68:cb:0a:24:7c:b9:a5:5c:d8:3c:96:32:44:0f:13:
+                    de:4d:83:9e:3e:8e:9b:7d:a6:27:4b:c0:39:4e:0f:
+                    23:84:79:fb:c7:30:96:11:6a:2c:5a:d7:53:a7:ba:
+                    68:e4:2b:4d:db:a9:a1:c6:58:94:eb:a8:2c:6d:43:
+                    5a:20:88:28:35:14:17:ad:da:eb:a6:3e:82:4a:65:
+                    dd:2e:fd:8d:72:c0:81:62:45:e1:40:2b:19:8c:56:
+                    98:f7:4c:57:14:bb:18:42:3a:37:c9:d0:19:fd:25:
+                    0f:ca:3c:df:09:77:7c:01:28:02:a3:a6:9e:92:81:
+                    e0:1c:3f:c2:c2:a5:36:12:c3:4e:28:8d:82:af:21:
+                    e2:e6:6f:e4:96:60:10:5e:71:a1:41:e2:5c:92:ef:
+                    84:18:c9:6a:f6:82:79:a2:c8:0c:a6:d0:a2:85:a6:
+                    42:3e:54:b7:fd:91:84:7b:bb:7e:89:69:1c:39:68:
+                    bb:df:f9:f3:16:14:9c:7a:82:50:c3:6c:00:0d:61:
+                    6f:9a:c6:01:89:61:0c:cd:47:e2:b4:63:43:3a:1e:
+                    56:9c:2f:d4:35:87:01:ca:87:8b:d0:ce:b5:3e:fa:
+                    68:4b:c1:3b:ba:af:e0:20:07:a4:3a:54:b3:47:2e:
+                    72:e3:0e:a9:78:60:0e:7f:41:b9:bb:0d:b8:01:4c:
+                    11:e4:aa:4b:7f:1f:45:fc:5a:57:cb:10:99:22:33:
+                    60:8a:60:95:85:fd:77:ff:1f:19:1e:83:e6:a3:cd:
+                    25:41:51:19:7b:8b:d3:75:75:f4:77:d2:17:25:47:
+                    27:50:4c:bb:61:85:25:f5:a9:a7:4e:94:fa:24:1a:
+                    12:fb:9c:69:da:7a:9f:0f:cd:db:30:72:16:d8:49:
+                    6d:c0:ed
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                1E:A9:92:E5:32:88:88:27:75:82:6B:7F:C0:63:8F:A2:F9:09:6B:E2
+            X509v3 Authority Key Identifier: 
+                keyid:1E:A9:92:E5:32:88:88:27:75:82:6B:7F:C0:63:8F:A2:F9:09:6B:E2
+                DirName:/O=Test Org/CN=Test Org rauc CA Development
+                serial:01
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        47:91:cb:4d:2f:19:20:96:65:2b:54:05:15:07:02:46:f0:33:
+        6f:84:e8:fc:32:04:43:5a:5a:90:3c:64:8b:8a:4e:19:73:ac:
+        11:62:79:93:d5:c3:61:c9:88:16:d6:84:f1:9c:ed:09:6c:55:
+        0b:ba:2d:a6:a6:bf:42:e3:6c:c4:90:69:43:22:aa:9d:6d:26:
+        a9:96:3f:9e:93:61:c4:ab:74:e1:0f:c9:30:1d:fa:2f:21:18:
+        a2:75:da:74:7c:48:40:4c:21:2d:42:a6:ba:2c:6a:d5:26:09:
+        6f:6a:84:71:a7:47:dd:a6:87:b2:37:50:f3:1b:24:84:ef:cd:
+        75:13:11:db:f8:ed:95:59:07:7b:a6:d6:fc:22:74:03:29:66:
+        70:77:e1:82:e7:cf:bd:33:31:b9:97:61:70:61:3c:b2:ae:4f:
+        45:73:92:75:8f:5b:15:25:54:8e:16:4e:6d:5f:3e:c4:8f:b2:
+        c4:70:14:83:e8:e9:61:e4:30:5b:da:24:e0:c8:34:ee:4d:4a:
+        53:49:c3:15:f8:94:19:f0:b5:7d:c7:13:a9:b7:6b:e3:c7:1d:
+        e4:1c:52:ef:d6:0f:2b:1a:18:ef:dd:ef:d2:ac:5c:18:6e:e0:
+        40:30:46:40:75:28:d2:ce:f0:96:90:35:15:04:83:5a:51:96:
+        3d:b7:ab:cc:07:c4:71:c4:93:72:4d:2a:ce:3c:ec:8c:d0:39:
+        5d:aa:e0:ac:9f:48:e3:53:01:12:ab:08:df:ae:92:54:7b:f1:
+        f1:28:7d:0a:00:20:ff:60:4a:ff:79:f9:cb:0f:ab:f9:12:ea:
+        d6:70:97:75:68:5e:12:6d:30:7e:c8:58:08:79:63:61:bb:5c:
+        eb:13:f6:f9:c1:a7:b2:d2:94:68:96:a6:ac:6f:e1:5e:76:66:
+        94:0b:e2:74:11:26:37:d5:7b:1f:48:a8:16:ca:95:5c:90:2a:
+        f5:83:70:ac:44:f6:b5:2e:c6:73:7c:b5:03:ba:c5:0a:8b:05:
+        ee:6d:85:bf:6a:96:d0:77:37:5a:8c:bb:70:42:e2:a2:26:cf:
+        cd:08:50:df:be:70:67:dc:a2:cc:7e:b3:eb:65:91:f8:0f:77:
+        52:85:8b:9a:9b:c6:11:43:1e:ed:05:34:a7:b3:6a:e5:73:4c:
+        bf:be:18:f0:60:c5:8d:a4:4b:5f:55:72:cb:13:b8:4b:e4:f2:
+        88:34:f5:57:58:ea:84:51:f4:95:ea:82:ca:d4:c8:e3:af:52:
+        f3:40:d6:04:da:4f:5d:50:4b:0a:2b:61:07:c9:ea:6c:0c:ec:
+        30:e5:52:95:21:ef:42:59:04:6d:8a:8c:3f:a1:08:51:f0:cb:
+        6d:a2:10:9d:20:4e:fb:1e
+-----BEGIN CERTIFICATE-----
+MIIFhjCCA26gAwIBAgIBATANBgkqhkiG9w0BAQsFADA6MREwDwYDVQQKDAhUZXN0
+IE9yZzElMCMGA1UEAwwcVGVzdCBPcmcgcmF1YyBDQSBEZXZlbG9wbWVudDAgFw03
+MDAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowOjERMA8GA1UECgwIVGVzdCBP
+cmcxJTAjBgNVBAMMHFRlc3QgT3JnIHJhdWMgQ0EgRGV2ZWxvcG1lbnQwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCTpfl4sBzvfC500Vnqp//eZOrHKG+2
+2rvy4w8BYU/d5brRpC+38V4T1p2k/061074TQiYIqio7sPWGavcwDoGNV0CLd3JG
+y0sSIpJPE4aTaxa1i2rr+SjPS2j3Y3JheYjhXSrShlodESoDtl9U2al7wu5k1lVS
+ErOSRi1nBavoVMahY/lXxIJe/qT6VWhF/zGcmmMmORcVVhhJPY3Hw/XusrRz7yyb
+ipURvaZKhyj8Vb6PAWjLCiR8uaVc2DyWMkQPE95Ng54+jpt9pidLwDlODyOEefvH
+MJYRaixa11OnumjkK03bqaHGWJTrqCxtQ1ogiCg1FBet2uumPoJKZd0u/Y1ywIFi
+ReFAKxmMVpj3TFcUuxhCOjfJ0Bn9JQ/KPN8Jd3wBKAKjpp6SgeAcP8LCpTYSw04o
+jYKvIeLmb+SWYBBecaFB4lyS74QYyWr2gnmiyAym0KKFpkI+VLf9kYR7u36JaRw5
+aLvf+fMWFJx6glDDbAANYW+axgGJYQzNR+K0Y0M6HlacL9Q1hwHKh4vQzrU++mhL
+wTu6r+AgB6Q6VLNHLnLjDql4YA5/Qbm7DbgBTBHkqkt/H0X8WlfLEJkiM2CKYJWF
+/Xf/Hxkeg+ajzSVBURl7i9N1dfR30hclRydQTLthhSX1qadOlPokGhL7nGnaep8P
+zdswchbYSW3A7QIDAQABo4GUMIGRMB0GA1UdDgQWBBQeqZLlMoiIJ3WCa3/AY4+i
++Qlr4jBiBgNVHSMEWzBZgBQeqZLlMoiIJ3WCa3/AY4+i+Qlr4qE+pDwwOjERMA8G
+A1UECgwIVGVzdCBPcmcxJTAjBgNVBAMMHFRlc3QgT3JnIHJhdWMgQ0EgRGV2ZWxv
+cG1lbnSCAQEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAR5HLTS8Z
+IJZlK1QFFQcCRvAzb4To/DIEQ1pakDxki4pOGXOsEWJ5k9XDYcmIFtaE8ZztCWxV
+C7otpqa/QuNsxJBpQyKqnW0mqZY/npNhxKt04Q/JMB36LyEYonXadHxIQEwhLUKm
+uixq1SYJb2qEcadH3aaHsjdQ8xskhO/NdRMR2/jtlVkHe6bW/CJ0AylmcHfhgufP
+vTMxuZdhcGE8sq5PRXOSdY9bFSVUjhZObV8+xI+yxHAUg+jpYeQwW9ok4Mg07k1K
+U0nDFfiUGfC1fccTqbdr48cd5BxS79YPKxoY793v0qxcGG7gQDBGQHUo0s7wlpA1
+FQSDWlGWPberzAfEccSTck0qzjzsjNA5XargrJ9I41MBEqsI366SVHvx8Sh9CgAg
+/2BK/3n5yw+r+RLq1nCXdWheEm0wfshYCHljYbtc6xP2+cGnstKUaJamrG/hXnZm
+lAvidBEmN9V7H0ioFsqVXJAq9YNwrET2tS7Gc3y1A7rFCosF7m2Fv2qW0Hc3Woy7
+cELioibPzQhQ375wZ9yizH6z62WR+A93UoWLmpvGEUMe7QU0p7Nq5XNMv74Y8GDF
+jaRLX1VyyxO4S+TyiDT1V1jqhFH0leqCytTI469S80DWBNpPXVBLCithB8nqbAzs
+MOVSlSHvQlkEbYqMP6EIUfDLbaIQnSBO+x4=
+-----END CERTIFICATE-----
diff --git a/openssl-ca/dev/certs/02.pem b/openssl-ca/dev/certs/02.pem
new file mode 100644
index 0000000..7002430
--- /dev/null
+++ b/openssl-ca/dev/certs/02.pem
@@ -0,0 +1,122 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=Test Org, CN=Test Org rauc CA Development
+        Validity
+            Not Before: Jan  1 00:00:00 1970 GMT
+            Not After : Dec 31 23:59:59 9999 GMT
+        Subject: O=Test Org, CN=Test Org Development-1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:bd:1e:ce:0d:cc:c9:7c:05:dd:27:08:84:49:86:
+                    58:c2:ab:07:2d:5a:2c:a8:f7:a7:16:13:15:84:80:
+                    f5:0d:2b:0b:15:ba:e1:ba:51:8b:e9:bc:8b:d3:b5:
+                    5e:55:9e:6e:97:b3:15:f4:aa:7d:6a:bd:e6:ae:7b:
+                    71:d2:2f:1e:06:3b:7d:95:4e:1f:f6:4d:9e:a0:e5:
+                    45:aa:eb:b3:32:11:06:5c:b0:da:a0:c7:f1:f0:41:
+                    8b:f2:64:6f:b1:86:9a:e5:4a:00:9b:d1:05:e0:dc:
+                    27:50:0d:99:0f:80:66:99:b3:a0:ba:ea:a5:b9:3c:
+                    b4:5d:18:11:7a:53:87:c7:cb:9a:98:6b:4a:97:25:
+                    bc:f0:9d:74:b6:08:2d:2e:4e:b7:23:db:4f:e2:c6:
+                    0d:cc:b2:c2:f2:ff:2f:08:29:ad:b1:7e:29:9c:a2:
+                    48:d1:f4:1f:e9:b8:fa:22:93:91:5f:6a:26:47:da:
+                    05:e5:85:1e:f8:40:25:3c:e8:13:ad:2e:21:fa:dd:
+                    a8:58:8d:47:08:5f:ea:93:bb:8e:a1:1b:24:b5:0c:
+                    15:55:44:a0:3d:4e:45:2a:20:d4:09:3e:fc:6e:87:
+                    3c:90:97:8a:48:e2:d9:db:e5:3f:83:a6:fa:af:1e:
+                    ef:2c:21:a9:28:33:3f:ec:f2:ec:72:6c:9a:97:1d:
+                    e1:f9:36:a4:b3:07:2e:8a:50:74:bb:04:ab:07:b4:
+                    3d:fd:52:19:23:3a:be:85:ce:b9:eb:74:3b:22:f8:
+                    44:0a:f6:be:da:67:e4:7e:bd:c1:87:6b:0e:07:e9:
+                    13:c1:ce:80:40:61:f1:ca:a0:b1:b5:42:e0:b4:71:
+                    56:7e:a9:ad:64:ad:0a:3b:93:c2:da:10:b0:af:32:
+                    27:84:53:93:a8:d7:39:57:37:40:b7:2d:5c:b5:a1:
+                    d5:41:3a:3e:3f:3c:3e:ae:2f:2b:a4:54:5b:a8:82:
+                    16:0b:8f:bb:19:e6:ad:36:a8:ac:74:9c:57:ca:11:
+                    0f:19:10:49:98:b2:73:b5:4d:0c:68:bb:24:cf:98:
+                    e7:63:e0:37:af:fc:6f:5a:75:63:03:92:1d:f3:74:
+                    b5:e8:73:16:3f:04:2b:cc:45:12:33:32:97:0e:62:
+                    2c:17:29:1a:7a:fd:1b:ef:71:28:b8:0b:36:a6:dc:
+                    18:f4:4e:98:b7:39:1b:c8:fb:2b:dc:77:a3:b0:02:
+                    d2:39:ff:19:a0:35:94:96:2a:4e:29:8f:4d:59:a9:
+                    25:bf:e8:c0:56:21:be:4a:22:b8:5b:65:58:4e:c9:
+                    20:1d:3b:9f:3b:76:69:90:8a:ed:09:b7:d4:43:ab:
+                    01:0d:09:07:82:d4:1b:7c:8c:75:a8:53:ab:c7:68:
+                    52:2e:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                13:CE:22:18:20:53:57:B8:DE:63:7C:F2:50:A9:D0:18:5A:96:DD:6F
+            X509v3 Authority Key Identifier: 
+                keyid:1E:A9:92:E5:32:88:88:27:75:82:6B:7F:C0:63:8F:A2:F9:09:6B:E2
+                DirName:/O=Test Org/CN=Test Org rauc CA Development
+                serial:01
+            X509v3 Basic Constraints: 
+                CA:FALSE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        5e:6a:b0:a1:a4:d1:00:6f:ed:b2:fb:50:e8:62:e4:87:70:09:
+        8c:53:2b:e9:d4:fe:d0:96:6c:15:84:d0:b5:9f:40:a3:d6:e4:
+        80:a2:8b:2f:79:b1:a2:a5:fe:05:88:67:e5:1b:a3:a9:90:30:
+        fa:18:70:62:91:78:6f:e1:bd:13:b5:34:2b:43:71:06:20:86:
+        fe:6b:b8:9c:f9:aa:35:85:a6:9f:f0:c4:54:4c:e2:00:79:87:
+        c6:cd:7c:aa:3b:ae:ea:e8:67:54:c2:b4:be:7c:34:e9:23:70:
+        3a:79:ea:3c:3b:a9:69:3c:d5:de:01:a2:ee:cd:84:98:72:2f:
+        84:ab:13:b7:33:3e:ce:52:22:1e:00:34:cc:76:82:81:05:58:
+        5e:8d:3e:ee:1c:43:76:30:89:90:95:66:27:5f:9d:99:18:68:
+        0a:6c:30:0f:78:8e:14:ca:a8:d5:7d:85:f5:43:e6:a5:99:fc:
+        5f:32:7e:c1:62:8b:0e:da:aa:98:8c:df:fa:7b:f6:25:77:10:
+        30:2b:15:a7:d4:63:25:1d:b0:51:03:1e:57:a7:14:b7:4b:35:
+        51:c0:d4:fc:53:e1:29:f1:53:b0:74:7a:6e:6f:a8:fc:f4:39:
+        0d:d4:6b:6b:e7:03:47:0c:10:71:57:3a:5a:a0:1e:99:9d:05:
+        a4:88:5c:09:95:b2:a7:55:67:7b:6f:1f:3e:86:77:f0:b5:92:
+        c8:32:e1:22:9c:19:16:f6:69:68:cd:50:68:1e:42:6f:a7:b2:
+        c1:82:a1:c4:34:bf:ef:69:6f:bf:b4:5a:3c:c6:2a:51:43:9c:
+        99:ea:43:db:5c:42:d4:45:cf:06:20:57:a9:e4:66:05:20:01:
+        33:ce:f1:17:0a:26:36:ad:e7:8b:4e:53:31:13:c0:7d:2f:f5:
+        f9:5e:3c:16:23:70:91:cb:ab:4c:fb:ab:1c:35:41:db:f7:c3:
+        10:7b:17:0d:67:09:63:26:28:6a:57:d4:ab:fb:1c:83:a6:5e:
+        b7:7b:bb:fa:0f:2b:37:da:ae:85:f4:72:b7:c7:8e:eb:93:12:
+        6b:dc:94:96:1c:83:eb:69:f0:df:cc:29:46:56:05:93:7b:75:
+        41:6c:a3:e6:c8:57:78:b3:45:ab:07:b1:5a:6f:a0:1b:e6:73:
+        b5:39:3a:9b:67:25:3b:c7:d6:e6:02:a0:f0:15:d5:cb:6d:18:
+        c3:ae:a4:e9:8f:4b:ca:8a:c4:23:34:64:91:6d:44:39:f7:e3:
+        0a:ad:a2:f9:af:07:e2:2c:48:bd:26:18:70:ab:aa:87:0b:56:
+        e8:9b:b9:0d:31:a5:82:e1:9b:90:fb:73:da:ed:1a:b4:8e:12:
+        e0:f4:83:98:dd:79:a4:f1
+-----BEGIN CERTIFICATE-----
+MIIFfTCCA2WgAwIBAgIBAjANBgkqhkiG9w0BAQsFADA6MREwDwYDVQQKDAhUZXN0
+IE9yZzElMCMGA1UEAwwcVGVzdCBPcmcgcmF1YyBDQSBEZXZlbG9wbWVudDAgFw03
+MDAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowNDERMA8GA1UECgwIVGVzdCBP
+cmcxHzAdBgNVBAMMFlRlc3QgT3JnIERldmVsb3BtZW50LTEwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQC9Hs4NzMl8Bd0nCIRJhljCqwctWiyo96cWExWE
+gPUNKwsVuuG6UYvpvIvTtV5Vnm6XsxX0qn1qveaue3HSLx4GO32VTh/2TZ6g5UWq
+67MyEQZcsNqgx/HwQYvyZG+xhprlSgCb0QXg3CdQDZkPgGaZs6C66qW5PLRdGBF6
+U4fHy5qYa0qXJbzwnXS2CC0uTrcj20/ixg3MssLy/y8IKa2xfimcokjR9B/puPoi
+k5FfaiZH2gXlhR74QCU86BOtLiH63ahYjUcIX+qTu46hGyS1DBVVRKA9TkUqINQJ
+PvxuhzyQl4pI4tnb5T+DpvqvHu8sIakoMz/s8uxybJqXHeH5NqSzBy6KUHS7BKsH
+tD39UhkjOr6FzrnrdDsi+EQK9r7aZ+R+vcGHaw4H6RPBzoBAYfHKoLG1QuC0cVZ+
+qa1krQo7k8LaELCvMieEU5Oo1zlXN0C3LVy1odVBOj4/PD6uLyukVFuoghYLj7sZ
+5q02qKx0nFfKEQ8ZEEmYsnO1TQxouyTPmOdj4Dev/G9adWMDkh3zdLXocxY/BCvM
+RRIzMpcOYiwXKRp6/RvvcSi4Czam3Bj0Tpi3ORvI+yvcd6OwAtI5/xmgNZSWKk4p
+j01ZqSW/6MBWIb5KIrhbZVhOySAdO587dmmQiu0Jt9RDqwENCQeC1Bt8jHWoU6vH
+aFIunQIDAQABo4GRMIGOMB0GA1UdDgQWBBQTziIYIFNXuN5jfPJQqdAYWpbdbzBi
+BgNVHSMEWzBZgBQeqZLlMoiIJ3WCa3/AY4+i+Qlr4qE+pDwwOjERMA8GA1UECgwI
+VGVzdCBPcmcxJTAjBgNVBAMMHFRlc3QgT3JnIHJhdWMgQ0EgRGV2ZWxvcG1lbnSC
+AQEwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAXmqwoaTRAG/tsvtQ6GLk
+h3AJjFMr6dT+0JZsFYTQtZ9Ao9bkgKKLL3mxoqX+BYhn5RujqZAw+hhwYpF4b+G9
+E7U0K0NxBiCG/mu4nPmqNYWmn/DEVEziAHmHxs18qjuu6uhnVMK0vnw06SNwOnnq
+PDupaTzV3gGi7s2EmHIvhKsTtzM+zlIiHgA0zHaCgQVYXo0+7hxDdjCJkJVmJ1+d
+mRhoCmwwD3iOFMqo1X2F9UPmpZn8XzJ+wWKLDtqqmIzf+nv2JXcQMCsVp9RjJR2w
+UQMeV6cUt0s1UcDU/FPhKfFTsHR6bm+o/PQ5DdRra+cDRwwQcVc6WqAemZ0FpIhc
+CZWyp1Vne28fPoZ38LWSyDLhIpwZFvZpaM1QaB5Cb6eywYKhxDS/72lvv7RaPMYq
+UUOcmepD21xC1EXPBiBXqeRmBSABM87xFwomNq3ni05TMRPAfS/1+V48FiNwkcur
+TPurHDVB2/fDEHsXDWcJYyYoalfUq/scg6Zet3u7+g8rN9quhfRyt8eO65MSa9yU
+lhyD62nw38wpRlYFk3t1QWyj5shXeLNFqwexWm+gG+ZztTk6m2clO8fW5gKg8BXV
+y20Yw66k6Y9LyorEIzRkkW1EOffjCq2i+a8H4ixIvSYYcKuqhwtW6Ju5DTGlguGb
+kPtz2u0atI4S4PSDmN15pPE=
+-----END CERTIFICATE-----
diff --git a/openssl-ca/dev/development-1.cert.pem b/openssl-ca/dev/development-1.cert.pem
new file mode 100644
index 0000000..7002430
--- /dev/null
+++ b/openssl-ca/dev/development-1.cert.pem
@@ -0,0 +1,122 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=Test Org, CN=Test Org rauc CA Development
+        Validity
+            Not Before: Jan  1 00:00:00 1970 GMT
+            Not After : Dec 31 23:59:59 9999 GMT
+        Subject: O=Test Org, CN=Test Org Development-1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:bd:1e:ce:0d:cc:c9:7c:05:dd:27:08:84:49:86:
+                    58:c2:ab:07:2d:5a:2c:a8:f7:a7:16:13:15:84:80:
+                    f5:0d:2b:0b:15:ba:e1:ba:51:8b:e9:bc:8b:d3:b5:
+                    5e:55:9e:6e:97:b3:15:f4:aa:7d:6a:bd:e6:ae:7b:
+                    71:d2:2f:1e:06:3b:7d:95:4e:1f:f6:4d:9e:a0:e5:
+                    45:aa:eb:b3:32:11:06:5c:b0:da:a0:c7:f1:f0:41:
+                    8b:f2:64:6f:b1:86:9a:e5:4a:00:9b:d1:05:e0:dc:
+                    27:50:0d:99:0f:80:66:99:b3:a0:ba:ea:a5:b9:3c:
+                    b4:5d:18:11:7a:53:87:c7:cb:9a:98:6b:4a:97:25:
+                    bc:f0:9d:74:b6:08:2d:2e:4e:b7:23:db:4f:e2:c6:
+                    0d:cc:b2:c2:f2:ff:2f:08:29:ad:b1:7e:29:9c:a2:
+                    48:d1:f4:1f:e9:b8:fa:22:93:91:5f:6a:26:47:da:
+                    05:e5:85:1e:f8:40:25:3c:e8:13:ad:2e:21:fa:dd:
+                    a8:58:8d:47:08:5f:ea:93:bb:8e:a1:1b:24:b5:0c:
+                    15:55:44:a0:3d:4e:45:2a:20:d4:09:3e:fc:6e:87:
+                    3c:90:97:8a:48:e2:d9:db:e5:3f:83:a6:fa:af:1e:
+                    ef:2c:21:a9:28:33:3f:ec:f2:ec:72:6c:9a:97:1d:
+                    e1:f9:36:a4:b3:07:2e:8a:50:74:bb:04:ab:07:b4:
+                    3d:fd:52:19:23:3a:be:85:ce:b9:eb:74:3b:22:f8:
+                    44:0a:f6:be:da:67:e4:7e:bd:c1:87:6b:0e:07:e9:
+                    13:c1:ce:80:40:61:f1:ca:a0:b1:b5:42:e0:b4:71:
+                    56:7e:a9:ad:64:ad:0a:3b:93:c2:da:10:b0:af:32:
+                    27:84:53:93:a8:d7:39:57:37:40:b7:2d:5c:b5:a1:
+                    d5:41:3a:3e:3f:3c:3e:ae:2f:2b:a4:54:5b:a8:82:
+                    16:0b:8f:bb:19:e6:ad:36:a8:ac:74:9c:57:ca:11:
+                    0f:19:10:49:98:b2:73:b5:4d:0c:68:bb:24:cf:98:
+                    e7:63:e0:37:af:fc:6f:5a:75:63:03:92:1d:f3:74:
+                    b5:e8:73:16:3f:04:2b:cc:45:12:33:32:97:0e:62:
+                    2c:17:29:1a:7a:fd:1b:ef:71:28:b8:0b:36:a6:dc:
+                    18:f4:4e:98:b7:39:1b:c8:fb:2b:dc:77:a3:b0:02:
+                    d2:39:ff:19:a0:35:94:96:2a:4e:29:8f:4d:59:a9:
+                    25:bf:e8:c0:56:21:be:4a:22:b8:5b:65:58:4e:c9:
+                    20:1d:3b:9f:3b:76:69:90:8a:ed:09:b7:d4:43:ab:
+                    01:0d:09:07:82:d4:1b:7c:8c:75:a8:53:ab:c7:68:
+                    52:2e:9d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                13:CE:22:18:20:53:57:B8:DE:63:7C:F2:50:A9:D0:18:5A:96:DD:6F
+            X509v3 Authority Key Identifier: 
+                keyid:1E:A9:92:E5:32:88:88:27:75:82:6B:7F:C0:63:8F:A2:F9:09:6B:E2
+                DirName:/O=Test Org/CN=Test Org rauc CA Development
+                serial:01
+            X509v3 Basic Constraints: 
+                CA:FALSE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        5e:6a:b0:a1:a4:d1:00:6f:ed:b2:fb:50:e8:62:e4:87:70:09:
+        8c:53:2b:e9:d4:fe:d0:96:6c:15:84:d0:b5:9f:40:a3:d6:e4:
+        80:a2:8b:2f:79:b1:a2:a5:fe:05:88:67:e5:1b:a3:a9:90:30:
+        fa:18:70:62:91:78:6f:e1:bd:13:b5:34:2b:43:71:06:20:86:
+        fe:6b:b8:9c:f9:aa:35:85:a6:9f:f0:c4:54:4c:e2:00:79:87:
+        c6:cd:7c:aa:3b:ae:ea:e8:67:54:c2:b4:be:7c:34:e9:23:70:
+        3a:79:ea:3c:3b:a9:69:3c:d5:de:01:a2:ee:cd:84:98:72:2f:
+        84:ab:13:b7:33:3e:ce:52:22:1e:00:34:cc:76:82:81:05:58:
+        5e:8d:3e:ee:1c:43:76:30:89:90:95:66:27:5f:9d:99:18:68:
+        0a:6c:30:0f:78:8e:14:ca:a8:d5:7d:85:f5:43:e6:a5:99:fc:
+        5f:32:7e:c1:62:8b:0e:da:aa:98:8c:df:fa:7b:f6:25:77:10:
+        30:2b:15:a7:d4:63:25:1d:b0:51:03:1e:57:a7:14:b7:4b:35:
+        51:c0:d4:fc:53:e1:29:f1:53:b0:74:7a:6e:6f:a8:fc:f4:39:
+        0d:d4:6b:6b:e7:03:47:0c:10:71:57:3a:5a:a0:1e:99:9d:05:
+        a4:88:5c:09:95:b2:a7:55:67:7b:6f:1f:3e:86:77:f0:b5:92:
+        c8:32:e1:22:9c:19:16:f6:69:68:cd:50:68:1e:42:6f:a7:b2:
+        c1:82:a1:c4:34:bf:ef:69:6f:bf:b4:5a:3c:c6:2a:51:43:9c:
+        99:ea:43:db:5c:42:d4:45:cf:06:20:57:a9:e4:66:05:20:01:
+        33:ce:f1:17:0a:26:36:ad:e7:8b:4e:53:31:13:c0:7d:2f:f5:
+        f9:5e:3c:16:23:70:91:cb:ab:4c:fb:ab:1c:35:41:db:f7:c3:
+        10:7b:17:0d:67:09:63:26:28:6a:57:d4:ab:fb:1c:83:a6:5e:
+        b7:7b:bb:fa:0f:2b:37:da:ae:85:f4:72:b7:c7:8e:eb:93:12:
+        6b:dc:94:96:1c:83:eb:69:f0:df:cc:29:46:56:05:93:7b:75:
+        41:6c:a3:e6:c8:57:78:b3:45:ab:07:b1:5a:6f:a0:1b:e6:73:
+        b5:39:3a:9b:67:25:3b:c7:d6:e6:02:a0:f0:15:d5:cb:6d:18:
+        c3:ae:a4:e9:8f:4b:ca:8a:c4:23:34:64:91:6d:44:39:f7:e3:
+        0a:ad:a2:f9:af:07:e2:2c:48:bd:26:18:70:ab:aa:87:0b:56:
+        e8:9b:b9:0d:31:a5:82:e1:9b:90:fb:73:da:ed:1a:b4:8e:12:
+        e0:f4:83:98:dd:79:a4:f1
+-----BEGIN CERTIFICATE-----
+MIIFfTCCA2WgAwIBAgIBAjANBgkqhkiG9w0BAQsFADA6MREwDwYDVQQKDAhUZXN0
+IE9yZzElMCMGA1UEAwwcVGVzdCBPcmcgcmF1YyBDQSBEZXZlbG9wbWVudDAgFw03
+MDAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowNDERMA8GA1UECgwIVGVzdCBP
+cmcxHzAdBgNVBAMMFlRlc3QgT3JnIERldmVsb3BtZW50LTEwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQC9Hs4NzMl8Bd0nCIRJhljCqwctWiyo96cWExWE
+gPUNKwsVuuG6UYvpvIvTtV5Vnm6XsxX0qn1qveaue3HSLx4GO32VTh/2TZ6g5UWq
+67MyEQZcsNqgx/HwQYvyZG+xhprlSgCb0QXg3CdQDZkPgGaZs6C66qW5PLRdGBF6
+U4fHy5qYa0qXJbzwnXS2CC0uTrcj20/ixg3MssLy/y8IKa2xfimcokjR9B/puPoi
+k5FfaiZH2gXlhR74QCU86BOtLiH63ahYjUcIX+qTu46hGyS1DBVVRKA9TkUqINQJ
+PvxuhzyQl4pI4tnb5T+DpvqvHu8sIakoMz/s8uxybJqXHeH5NqSzBy6KUHS7BKsH
+tD39UhkjOr6FzrnrdDsi+EQK9r7aZ+R+vcGHaw4H6RPBzoBAYfHKoLG1QuC0cVZ+
+qa1krQo7k8LaELCvMieEU5Oo1zlXN0C3LVy1odVBOj4/PD6uLyukVFuoghYLj7sZ
+5q02qKx0nFfKEQ8ZEEmYsnO1TQxouyTPmOdj4Dev/G9adWMDkh3zdLXocxY/BCvM
+RRIzMpcOYiwXKRp6/RvvcSi4Czam3Bj0Tpi3ORvI+yvcd6OwAtI5/xmgNZSWKk4p
+j01ZqSW/6MBWIb5KIrhbZVhOySAdO587dmmQiu0Jt9RDqwENCQeC1Bt8jHWoU6vH
+aFIunQIDAQABo4GRMIGOMB0GA1UdDgQWBBQTziIYIFNXuN5jfPJQqdAYWpbdbzBi
+BgNVHSMEWzBZgBQeqZLlMoiIJ3WCa3/AY4+i+Qlr4qE+pDwwOjERMA8GA1UECgwI
+VGVzdCBPcmcxJTAjBgNVBAMMHFRlc3QgT3JnIHJhdWMgQ0EgRGV2ZWxvcG1lbnSC
+AQEwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAXmqwoaTRAG/tsvtQ6GLk
+h3AJjFMr6dT+0JZsFYTQtZ9Ao9bkgKKLL3mxoqX+BYhn5RujqZAw+hhwYpF4b+G9
+E7U0K0NxBiCG/mu4nPmqNYWmn/DEVEziAHmHxs18qjuu6uhnVMK0vnw06SNwOnnq
+PDupaTzV3gGi7s2EmHIvhKsTtzM+zlIiHgA0zHaCgQVYXo0+7hxDdjCJkJVmJ1+d
+mRhoCmwwD3iOFMqo1X2F9UPmpZn8XzJ+wWKLDtqqmIzf+nv2JXcQMCsVp9RjJR2w
+UQMeV6cUt0s1UcDU/FPhKfFTsHR6bm+o/PQ5DdRra+cDRwwQcVc6WqAemZ0FpIhc
+CZWyp1Vne28fPoZ38LWSyDLhIpwZFvZpaM1QaB5Cb6eywYKhxDS/72lvv7RaPMYq
+UUOcmepD21xC1EXPBiBXqeRmBSABM87xFwomNq3ni05TMRPAfS/1+V48FiNwkcur
+TPurHDVB2/fDEHsXDWcJYyYoalfUq/scg6Zet3u7+g8rN9quhfRyt8eO65MSa9yU
+lhyD62nw38wpRlYFk3t1QWyj5shXeLNFqwexWm+gG+ZztTk6m2clO8fW5gKg8BXV
+y20Yw66k6Y9LyorEIzRkkW1EOffjCq2i+a8H4ixIvSYYcKuqhwtW6Ju5DTGlguGb
+kPtz2u0atI4S4PSDmN15pPE=
+-----END CERTIFICATE-----
diff --git a/openssl-ca/dev/development-1.csr.pem b/openssl-ca/dev/development-1.csr.pem
new file mode 100644
index 0000000..00aa997
--- /dev/null
+++ b/openssl-ca/dev/development-1.csr.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEeTCCAmECAQAwNDERMA8GA1UECgwIVGVzdCBPcmcxHzAdBgNVBAMMFlRlc3Qg
+T3JnIERldmVsb3BtZW50LTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQC9Hs4NzMl8Bd0nCIRJhljCqwctWiyo96cWExWEgPUNKwsVuuG6UYvpvIvTtV5V
+nm6XsxX0qn1qveaue3HSLx4GO32VTh/2TZ6g5UWq67MyEQZcsNqgx/HwQYvyZG+x
+hprlSgCb0QXg3CdQDZkPgGaZs6C66qW5PLRdGBF6U4fHy5qYa0qXJbzwnXS2CC0u
+Trcj20/ixg3MssLy/y8IKa2xfimcokjR9B/puPoik5FfaiZH2gXlhR74QCU86BOt
+LiH63ahYjUcIX+qTu46hGyS1DBVVRKA9TkUqINQJPvxuhzyQl4pI4tnb5T+Dpvqv
+Hu8sIakoMz/s8uxybJqXHeH5NqSzBy6KUHS7BKsHtD39UhkjOr6FzrnrdDsi+EQK
+9r7aZ+R+vcGHaw4H6RPBzoBAYfHKoLG1QuC0cVZ+qa1krQo7k8LaELCvMieEU5Oo
+1zlXN0C3LVy1odVBOj4/PD6uLyukVFuoghYLj7sZ5q02qKx0nFfKEQ8ZEEmYsnO1
+TQxouyTPmOdj4Dev/G9adWMDkh3zdLXocxY/BCvMRRIzMpcOYiwXKRp6/RvvcSi4
+Czam3Bj0Tpi3ORvI+yvcd6OwAtI5/xmgNZSWKk4pj01ZqSW/6MBWIb5KIrhbZVhO
+ySAdO587dmmQiu0Jt9RDqwENCQeC1Bt8jHWoU6vHaFIunQIDAQABoAAwDQYJKoZI
+hvcNAQELBQADggIBALD1oR5/KIYWLyB281Ayi6AxEEokUWYObDdP2OxCviJTRY4O
+0ltBVXemxqZLdsIg77RwzAgPUQEDPREIPM9qoiQnkwZ2+8LuplpHVjwvjf2eETEK
+W/weIijLDTGA1NFMjaHSCKbo98yTJ1VPaYzyxu5v3q1+MuSAy9EwVVG/tbXn1rbA
+ymDG2ycT/jRWH4hVWrY42cpMqr6IgrlbVQWY/Qh+2h/CymqkvoluVOcGOEdHhB0Q
+ku3n96Axssfff2XATzPquFbpHcGu86i83NXhwnGdQEvhPkw2du5WI3YpuRA/WHK1
+iTGVTWVrxgjBnjf5yAREpIlSTYrtmpM1zYXoMtFOMNZG6s2rwLqKwvySeDFzp8pE
+sTLiu9BRQVoNt/t+H6sjYGORUOTRow/UbFTN44mYcpeG763iM9vcOHOOGML3f0MC
+9VhmJePdOMHiXHebw0tFzEmULmS9bTC03NpkJeMeEGfvekl43YDamK99YgkZojwl
+Ok4FQHgBLOlb3ZjotssqZAF8V1kT155uzxcGenCUgm+MYEjhzYQ95hOtLsOrAmfC
+8dEPbfEMur9n3qQp2hD250sjgraQnbhZasDXg6Fk77PDEO0aE86xouLisYg7Th6o
+zsiApK7BxF6bBQoKaYoHvDVZnVKSBot/wTxKWBCOB7wizSineIkhSmWKyeFQ
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl-ca/dev/index.txt b/openssl-ca/dev/index.txt
new file mode 100644
index 0000000..8ea5563
--- /dev/null
+++ b/openssl-ca/dev/index.txt
@@ -0,0 +1,2 @@
+V	99991231235959Z		01	unknown	/O=Test Org/CN=Test Org rauc CA Development
+V	99991231235959Z		02	unknown	/O=Test Org/CN=Test Org Development-1
diff --git a/openssl-ca/dev/index.txt.attr b/openssl-ca/dev/index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/openssl-ca/dev/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/openssl-ca/dev/index.txt.attr.old b/openssl-ca/dev/index.txt.attr.old
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/openssl-ca/dev/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/openssl-ca/dev/index.txt.old b/openssl-ca/dev/index.txt.old
new file mode 100644
index 0000000..9381fda
--- /dev/null
+++ b/openssl-ca/dev/index.txt.old
@@ -0,0 +1 @@
+V	99991231235959Z		01	unknown	/O=Test Org/CN=Test Org rauc CA Development
diff --git a/openssl-ca/dev/private/ca.key.pem b/openssl-ca/dev/private/ca.key.pem
new file mode 100644
index 0000000..8650a4c
--- /dev/null
+++ b/openssl-ca/dev/private/ca.key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCTpfl4sBzvfC50
+0Vnqp//eZOrHKG+22rvy4w8BYU/d5brRpC+38V4T1p2k/061074TQiYIqio7sPWG
+avcwDoGNV0CLd3JGy0sSIpJPE4aTaxa1i2rr+SjPS2j3Y3JheYjhXSrShlodESoD
+tl9U2al7wu5k1lVSErOSRi1nBavoVMahY/lXxIJe/qT6VWhF/zGcmmMmORcVVhhJ
+PY3Hw/XusrRz7yybipURvaZKhyj8Vb6PAWjLCiR8uaVc2DyWMkQPE95Ng54+jpt9
+pidLwDlODyOEefvHMJYRaixa11OnumjkK03bqaHGWJTrqCxtQ1ogiCg1FBet2uum
+PoJKZd0u/Y1ywIFiReFAKxmMVpj3TFcUuxhCOjfJ0Bn9JQ/KPN8Jd3wBKAKjpp6S
+geAcP8LCpTYSw04ojYKvIeLmb+SWYBBecaFB4lyS74QYyWr2gnmiyAym0KKFpkI+
+VLf9kYR7u36JaRw5aLvf+fMWFJx6glDDbAANYW+axgGJYQzNR+K0Y0M6HlacL9Q1
+hwHKh4vQzrU++mhLwTu6r+AgB6Q6VLNHLnLjDql4YA5/Qbm7DbgBTBHkqkt/H0X8
+WlfLEJkiM2CKYJWF/Xf/Hxkeg+ajzSVBURl7i9N1dfR30hclRydQTLthhSX1qadO
+lPokGhL7nGnaep8PzdswchbYSW3A7QIDAQABAoICACJu7sNKrzTazSrJOCMVkwKW
+nnpb39HRKUv30CQOQcYKMYt6svY/ACW4Q4ObVwvomcd8Acq7hKXvGxOCFqvKdkQ0
+OQVNkgUYnCVakqyGbTgsHVuxa/okXXQarhwjwSUiZt3IEJiQZKuquRWsjocHTBNk
+3pv9sGA3pFFUtHn2RKUmQDybSCdD2PO2h1sqV+sbHMLc7oqXfd6n+Xn7NPmFpfFJ
+E/SFru2HYESG6iUvaEuQ46QOPBY+A0xjL0F73IVaq6yogYuqSllkgLbI7RkpdzPR
+LANVP3awyg69qCJ3XTccriGoR7wWz3emaPScf9/reTVlC5t1WCBfkd1vbotTPkXA
+hSW0VfciDbkbIbK8y6zc1HmqBd9iq16UDRqI6oKr1WK52ldwEuh/jyBV2UkQ937S
+yKt1Y4tnZw6+gvdN/dGnbIDXQwGjdkIkDrxIvjGRmrFr2//L+wPWfvxQU6vls1Xj
+PPUBEK6xbPPo+2Dg/AZIw2eZ6z37EgDBn5hEslnK2CxsqbFOUhFAoymjeV42S81Z
+jRWPGCDfi/LutGPTvUigWsGIUl6tbu07gKI5XJxBO5bC2idb/1blds6uqX08NRbq
+iYiNWgm6j5Mz6HqQfdJVqsINzdctzoSZdSo4e1iAxJBxGLfPJzeKC+3JliDl3CX/
+3xVAEXT9oA/rBhshKmeBAoIBAQDDhacWuf6MgulDV1bqcQU+jkLJu0dywpkgA6Fm
+tSDEQkE/Tj4c7lAuia3JeAo0sXo9vHrBkZ8bPZpPNBAv5qMr2Gn6VUv5f8M/mwQ5
+F6dP4WnVSdbsS7RUCE5u9p+ATBFqlfcCtgFjHOWNHkrZHgIWHzlR/lF2llv+FRw9
+5BNhn26JVO6AsevXcCpMAGbeLE7XzNBYGkMG+TZ48sAGec7CoESlcjk0vhDcH4dL
+yJty/tfGkhWZXL9oji54df1WzPLrDvFRu//yFPMsDZZzbxK2neLpWLkUDQ2BIRSs
+a2OFkS/zjici6eksDCGFb4LGCThnGJB1CBzYrm/vg6TAdVt5AoIBAQDBUXTPCQ6A
+iiucNGjEr+yNMUui+6y3mZ3FQ5sXCs6dqVW7ei9n5knp/BsbRMfWqmCNZ4ihNXSP
+gb7nsRWdPBAxgKS9+3sPha/TALmWyGIpWDBDRNx86fLcqguDImCF8awQrTUazA9i
+wR/6i1Us8LbrMZmwo1XXJsPYd1lNDlqsz/szifdU9fb7qIt84ZqbEZhAkK3xvIO9
+3Sx4Md8qN4uzyODZvK1WpK04QuNtBGRQSns35mm6mAE5eEmadYlKz0gC1YhTv1e9
+HHfTOet5LcEiXoEq/MYGUZaFPoXTGlq2C3yk3Xwtlx8HKYzGlPkpvqjx1Q5GEEPX
+AgxeBvAlp0AVAoIBAQC4DpMyg7iqkXoBGLELVYW4U7dvrEsgLyxyxLgltZC48B33
++DHkjjsQ9C6TH9uLqx8GCu4MVodO33jp4nryfM1SMxHgxHcW0jz9HXKmRCwOuIYm
+cLJQExwYlxEuyB9yaSlkCvRSqv83TDaT19Zh+SvBo3cURrJtTjIfR8QkRxYvqiQm
+R7uVjugTENXgYeh0cYVvBLGEnoRGhkfPJ8W40uXetXypupM7oUjBzzRQFPKxGFIL
+7e1DR9owFNiOMZRhJ+HtgU2Owcm5HBumdswQspkNLCg1vn3L8FWsH3YUsasoS3q2
+bjVNWqFUA79ym3yh7IAaHTev1AlDuUJKWMS5IEERAoIBAHZGwSHel6nbX509j5Av
+Vpp4O5+nPeBDM306xMvPR+S8cwC2XATEqBppraf8aAwVx+ccHkMLspoOtt+IwAGo
+evveimzWTU+M6qs9eU8goLZNB5JQsloWxQlvXIXJ5aZt22mEn8YabZttL4SZ9O3/
+BNtXSIIDHQT66b4qH0/+5UlwInBBDDtGFeuZDmbEnVQc6rsuCc6qGSx0Ar4zPSfW
+PjosQC3Xu3IUZQrUGdNcaYeaWlM0PSH12GHyD45aNTq5IYTiYntiyWqh3Uo12LUW
+YmEF0x+a8glxp5c0Tqp/KFrTIlq4TD6UhF5cdI4XHW8GANWdFhOV5fvJfAmXUxym
+fJUCggEAYXHVZSn7W1ZGFU0VbkMQwJAYYak16oAGzOBqLUh2anwrk3C4XD7GK1nA
+rtN2LzSNfs7tW39/U+MgEXdwubDZb0YGG7ax2OTf5L6lvVyw/EZesryKLdMd4YwG
+VwnwlX27vGcCDqNtnbTF+6Coive3XYvzi2bhPX0whR0uR862sudZUURqdUn1pg1a
+IrGj3I1T+F9cAQIeUzbUtiS+2XYPeC5tjBU2Gp636Dgt7vnP7glCwgUHZNokYU3J
+Dxh/S6SJrwSFpjFxklMV0jIjxxPsY6eeaVXLQCbk0nVuBa4VLtE89g13uq6Simr6
+pxHD2g/xJRqzBLNbWb6JmTylSQc+0g==
+-----END PRIVATE KEY-----
diff --git a/openssl-ca/dev/private/development-1.key.pem b/openssl-ca/dev/private/development-1.key.pem
new file mode 100644
index 0000000..b0aa4dc
--- /dev/null
+++ b/openssl-ca/dev/private/development-1.key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC9Hs4NzMl8Bd0n
+CIRJhljCqwctWiyo96cWExWEgPUNKwsVuuG6UYvpvIvTtV5Vnm6XsxX0qn1qveau
+e3HSLx4GO32VTh/2TZ6g5UWq67MyEQZcsNqgx/HwQYvyZG+xhprlSgCb0QXg3CdQ
+DZkPgGaZs6C66qW5PLRdGBF6U4fHy5qYa0qXJbzwnXS2CC0uTrcj20/ixg3MssLy
+/y8IKa2xfimcokjR9B/puPoik5FfaiZH2gXlhR74QCU86BOtLiH63ahYjUcIX+qT
+u46hGyS1DBVVRKA9TkUqINQJPvxuhzyQl4pI4tnb5T+DpvqvHu8sIakoMz/s8uxy
+bJqXHeH5NqSzBy6KUHS7BKsHtD39UhkjOr6FzrnrdDsi+EQK9r7aZ+R+vcGHaw4H
+6RPBzoBAYfHKoLG1QuC0cVZ+qa1krQo7k8LaELCvMieEU5Oo1zlXN0C3LVy1odVB
+Oj4/PD6uLyukVFuoghYLj7sZ5q02qKx0nFfKEQ8ZEEmYsnO1TQxouyTPmOdj4Dev
+/G9adWMDkh3zdLXocxY/BCvMRRIzMpcOYiwXKRp6/RvvcSi4Czam3Bj0Tpi3ORvI
++yvcd6OwAtI5/xmgNZSWKk4pj01ZqSW/6MBWIb5KIrhbZVhOySAdO587dmmQiu0J
+t9RDqwENCQeC1Bt8jHWoU6vHaFIunQIDAQABAoICAE7eIlsh7GKCxYPqKtTIqIpi
+LYeNw/Mg+Dad9crAxrDbou9IdKsxJ7JtdThwOetlu0QbJIxYbx4NHL7l7wUSrig2
+NfyGTJD4NK9vfZq2WZAHBoqwHDSRvYUOqLCIjwXPFxiIwHE6fYOU+/YH/a03xFHT
+1bMteLgjpyntiBhl7kl1UL7Ae6ZF0CHd4BarmT/nBrv20T1Gj+muINuabMAwNWXA
+MdVG3ixkbMyY3gN+W9EZIOa09uGNHumzQnRAajg99WC7gGGRZS6KZXZ/cI8iFTBF
+Xj4ldNesJO7ZKuPCNx5W2nyIHdygce8gjti10XQnZ+GVFgiUOtPzSIS9YsijZyFB
+zG17KzPmE2yPiGFkcXkWZTlJ9l8n5yjuRFjwEacTIBF4C1keU6snPhzmn+wEsJ1N
+z/cdjikjbqs2LzmqwNS3+DSmgm2gNEozIA2qfRWL9izNn/sVe+wpdbLG/09MYQpd
+3GoJVWoqykJsJQlD0W51kYOch+cPacANyY05vUipJ2OhMSRB+F2NgpMTJeekKOeA
+lutvy4W3JyY7Hvdom7IsVWQn8+VqLxVumU/aWwSTrQ9c6A/xJpzC7i2tkJR5Yz89
+CZ+5x/vbc8RbZmpfrpc6TM1yaro/IfU2qcr5v8PJ2WS1bZCuj2hFGHDkgjr184hl
+T34csKaMQFc3MJzqgzQXAoIBAQDfSE062HgZSKaJrffR1Ir34H+5PI1U20HGzEMY
+8iU8Go/QRYL1RaQs2gkwx3IebRkIFZkT2f2PaYFTDx2dymwNr3IgZRwz6itI0Pja
+ZwNjVrtnvFzPW1SMEWI4ddPWCyoTI6vN0CBYnT1Sh2jPcTfKrNqoPieIyhnQ8zrH
+ZSqTj16vgp/oremzpvbhTXfhfZwtpwCtN7ZHkoRszILwXfFiLzVVG58amfd8rqx9
+1wjtjERqOS5tQ8XK1gK3uyn7uNsOJDwoduPAHp3NWWEX5wOlafGJfyT9TvpXTlU5
+JafN7NYVr63wjvz4d4/sf6ZFlsmFIXtOw7il2xbURJ5f6MD/AoIBAQDY1QaS+z6/
+WnovkUFaLpvTRT6lmLi1dWP/k9pRj8EpvrlCn51AYs7k9n7qrxQThp0q6TzPE9r/
+wWqXCVlDRv/wmTc2uYCiibrscz32ZHex/8xAxfc0pWevX3wRa4Q/ZV+Ubf7Gjb9D
+3kinrf/6weMVzmVQ9A3pHpy0ENUGJURJYF6SJxQdt4RbY44xyUWuzBV1/Guxj5hB
+4kFZadtMT3tBgAYS+p9BjRxon5g4Q8n7mN5D421tYlHaOcxHgysQQMHaqiJ34QFp
+zq0AMafO3ODxwPNuDESTOncr7Ng1kS6R1MjsKwDGmeU7aAU6sjyNBKFkGWcHKiC6
+GS4WV3JKJHRjAoIBABa0O2YobM3lXUnSrshfXGIoKdSkG5rtUJruWkRHGxIpgUYk
+S1S1aCRHZ3fWT/xYC5uO1qn2GJpkmAniF5jb5HDfzjMNFPkSbqRQ230ZzHZlc1jx
+Bl7vYoF7owkqsgepyvV3QxkCeMeJ9ZpWuomdcZbiTLme2FZIdqeQlAGCf/nRMkeW
+eLwoMwNZjvEJ946uPxtFSARVDevpMh3+DbJzWwAo3Ltyu5Lw5QGAoXmKTBYblTlX
+5yilI4+kg1I7beFywpOFi7hxnmcCtfkThZPwoaZIR487pn87cKlABdpxwcZmtr4t
+xvoXEBIT1kauFDIvSv6GkQtJS5VR2dhrwc7u0/ECggEBAJKeQUrD/yLvMC3X/6PW
+XmHWsczR3xw8W7jnJjn+hbQPlj/5pCB0b8gc8acJaf7mCIKKoia4G17TT5r/pE88
+xDXRtKcZemTt0uqt5lkkiFdhS6EE++qqadkJLOCungcsKhw44I0sLgfbV6+ilbPe
+xQnqvVGnJXzbyURtGU6Fho5DTs9vA0gw3pvZTr5VhfvzXhOg8sVm/qKWNnAah0Ir
+gIHC6tiMhYGSxIHuYMSy+fJZ5Pls4IKVeBmi+YHlrQnZb/vHDXWYPRdpvEukR/82
+FhkCythADWKspwaZqX1XRXEwvAgN8AFa8Mlhxh9xhEYqumLwVl1e3DBadHKBAPQn
+gFcCggEBAIKyiZN+uNBVGkyFuTWgCK99Urc0P+tW2nGmLEMQIMWZONNnqifa/qA3
+Jkzwp9CkiNf1OBu69kNL8+VEv3hXrP/ImdrialqKjnpwGHVJLNfWfbh1ui2OaW8p
+0VBYPmcHvl8YfU+ACovDiLEPzW6+MJ3GT0gSLZmij/BjV928Jqs5DKocm804gMiL
+gvFyl42Cn7Y/yU0L4Y2IgO3eYppyOi4yzrXVJFGgOojlF5LR+MJKuye75mGKZ6+I
+n/GUJzWFr7h+BBfcUBq0XcfMPp5mi2+VauLKZUnDsGluK8qYHNFjjhyY6k52tpy2
+HASxYxukN5J2VrTleD1DiwAmETer0rA=
+-----END PRIVATE KEY-----
diff --git a/openssl-ca/dev/serial b/openssl-ca/dev/serial
new file mode 100644
index 0000000..75016ea
--- /dev/null
+++ b/openssl-ca/dev/serial
@@ -0,0 +1 @@
+03
diff --git a/openssl-ca/dev/serial.old b/openssl-ca/dev/serial.old
new file mode 100644
index 0000000..9e22bcb
--- /dev/null
+++ b/openssl-ca/dev/serial.old
@@ -0,0 +1 @@
+02
diff --git a/openssl-ca/openssl.cnf b/openssl-ca/openssl.cnf
new file mode 100644
index 0000000..c07f8a8
--- /dev/null
+++ b/openssl-ca/openssl.cnf
@@ -0,0 +1,58 @@
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+[ CA_default ]
+
+dir            = .                     # top dir
+database       = $dir/index.txt        # index file.
+new_certs_dir  = $dir/certs            # new certs dir
+
+certificate    = $dir/ca.cert.pem       # The CA cert
+serial         = $dir/serial           # serial no file
+private_key    = $dir/private/ca.key.pem# CA private key
+RANDFILE       = $dir/private/.rand    # random number file
+
+default_startdate = 19700101000000Z
+default_enddate = 99991231235959Z
+default_crl_days= 30                   # how long before next CRL
+default_md     = sha256                # md to use
+
+policy         = policy_any            # default policy
+email_in_dn    = no                    # Don't add the email into cert DN
+
+name_opt       = ca_default            # Subject name display option
+cert_opt       = ca_default            # Certificate display option
+copy_extensions = none                 # Don't copy extensions from request
+
+[ policy_any ]
+organizationName       = match
+commonName             = supplied
+
+[ req ]
+default_bits           = 2048
+distinguished_name     = req_distinguished_name
+x509_extensions        = v3_leaf
+encrypt_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+commonName                     = Common Name (eg, YOUR name)
+commonName_max                 = 64
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:TRUE
+
+[ v3_inter ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:TRUE,pathlen:0
+
+[ v3_leaf ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:FALSE
diff --git a/patches/.keep b/patches/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/scripts/flash-cm4.sh b/scripts/flash-cm4.sh
new file mode 100755
index 0000000..2378cb4
--- /dev/null
+++ b/scripts/flash-cm4.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# flash-cm4.sh - Flash CM4 eMMC while EMMC_DISABLE jumper is bridged
+# Usage: ./scripts/flash-cm4.sh [/dev/sdX]
+#   If no device given, auto-detects the CM4 USB mass storage device.
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+BEACON_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+REPO_ROOT="$(cd "$BEACON_DIR/.." && pwd)"
+USBBOOT_DIR="$REPO_ROOT/usbboot"
+IMAGE="$REPO_ROOT/output/images/sdcard.img.xz"
+
+# Build rpiboot from source if not already compiled
+if [ ! -x "$USBBOOT_DIR/rpiboot" ]; then
+    echo "==> Building rpiboot from source..."
+    make -C "$USBBOOT_DIR"
+fi
+
+# Step 1: Expose CM4 eMMC as USB mass storage
+echo "==> Running rpiboot to expose CM4 eMMC (EMMC_DISABLE jumper must be bridged)..."
+sudo "$USBBOOT_DIR/rpiboot" -d "$USBBOOT_DIR/mass-storage-gadget64"
+echo "==> rpiboot done, waiting for block device..."
+
+# Step 2: Find the device (explicit arg or auto-detect USB disk ~8 GiB)
+if [ -n "${1:-}" ]; then
+    DEVICE="$1"
+    echo "==> Using specified device: $DEVICE"
+else
+    DEVICE=""
+    for i in $(seq 1 30); do
+        sleep 1
+        # Detect USB block device of 7-8 GiB (CM4 eMMC)
+        DEVICE=$(lsblk -dno NAME,TRAN,SIZE \
+            | awk '$2=="usb" && ($3~/^7\.[0-9]+G$/ || $3~/^8\.[0-9]+G$/) {print "/dev/"$1}' \
+            | head -1)
+        [ -n "$DEVICE" ] && break
+        printf "  waiting... (%ds)\r" "$i"
+    done
+    if [ -z "$DEVICE" ]; then
+        echo "ERROR: CM4 eMMC did not appear as a USB block device within 30s."
+        echo "       Run 'lsblk' manually and re-run with explicit device: $0 /dev/sdX"
+        exit 1
+    fi
+    echo "==> Auto-detected CM4 eMMC at $DEVICE"
+fi
+
+# Step 3: Safety check - refuse to flash the host nvme/sata disk
+if echo "$DEVICE" | grep -qE '^/dev/(nvme|sd[a-z]{2,}|sda$)'; then
+    lsblk -dno TRAN "$DEVICE" | grep -qx usb || {
+        echo "ERROR: $DEVICE does not appear to be a USB device. Aborting."
+        exit 1
+    }
+fi
+
+# Step 4: Unmount any auto-mounted partitions
+echo "==> Unmounting $DEVICE partitions..."
+sudo umount "${DEVICE}"?* 2>/dev/null || true
+sudo umount "${DEVICE}"[0-9]* 2>/dev/null || true
+
+# Step 5: Flash via bmaptool
+echo "==> Flashing $IMAGE -> $DEVICE ..."
+sudo bmaptool copy "$IMAGE" "$DEVICE"
+sudo sync
+
+echo ""
+echo "==> Flash complete!"
+echo "    Remove the EMMC_DISABLE jumper, then power-cycle the CM4."