diff --git a/autotests/fixtures/keyresolvercoretest/.gitignore b/autotests/fixtures/keyresolvercoretest/.gitignore
index 895a1a3c..b8c2f45a 100644
--- a/autotests/fixtures/keyresolvercoretest/.gitignore
+++ b/autotests/fixtures/keyresolvercoretest/.gitignore
@@ -1,3 +1,4 @@
+demoCA/*.old
 openpgp-revocs.d/
 random_seed
 tofu.db
diff --git a/autotests/fixtures/keyresolvercoretest/demoCA/index.txt b/autotests/fixtures/keyresolvercoretest/demoCA/index.txt
new file mode 100644
index 00000000..db35668a
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/demoCA/index.txt
@@ -0,0 +1,5 @@
+V	21210329120247Z		70CEEBA710B7FBF41184FBB6A50AC89D459E574D	unknown	/C=DE/O=example/CN=Sender Mixed
+V	21210329134834Z		6237D5880ABA855CBF3829FF0DE1FF96BF7FDE60	unknown	/C=DE/O=example/CN=Sender S/MIME
+V	21210330080656Z		6C48CCE8716D1609D0D1075F4D582C8DC307D1EE	unknown	/C=DE/O=example/CN=Trusted S/MIME
+V	21210330085240Z		4C46CCE3B1A7F1F911C49A9148FF546F9CCF11EB	unknown	/C=DE/O=example/CN=S/MIME w/ same validity as OpenPGP
+V	21210330085312Z		53CE2C8DA0B767B450824278C15373FBD8CFF6B5	unknown	/C=DE/O=example/CN=S/MIME w/ lower validity than OpenPGP
diff --git a/autotests/fixtures/keyresolvercoretest/demoCA/index.txt.attr b/autotests/fixtures/keyresolvercoretest/demoCA/index.txt.attr
new file mode 100644
index 00000000..8f7e63a3
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/demoCA/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/4C46CCE3B1A7F1F911C49A9148FF546F9CCF11EB.pem b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/4C46CCE3B1A7F1F911C49A9148FF546F9CCF11EB.pem
new file mode 100644
index 00000000..31b8d04c
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/4C46CCE3B1A7F1F911C49A9148FF546F9CCF11EB.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4c:46:cc:e3:b1:a7:f1:f9:11:c4:9a:91:48:ff:54:6f:9c:cf:11:eb
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test CA, O=example, C=DE
+        Validity
+            Not Before: Mar 30 08:52:40 2021 GMT
+            Not After : Mar 30 08:52:40 2121 GMT
+        Subject: C=DE, O=example, CN=S/MIME w/ same validity as OpenPGP
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:98:3a:0a:a8:d8:32:b7:af:d2:f6:bb:78:ae:1d:
+                    22:d6:4f:9e:29:20:7b:6e:d3:95:74:76:50:77:3c:
+                    09:8a:6b:1b:ff:33:11:59:10:33:e1:a6:51:72:59:
+                    59:76:df:5e:da:ed:47:c2:c1:c6:7c:04:33:25:e1:
+                    98:f3:90:1b:d2:da:a2:7b:c6:60:bb:5f:a8:d5:02:
+                    95:92:3d:83:aa:6f:ff:9a:12:8a:62:3c:cc:b5:eb:
+                    b8:be:91:39:21:fd:85:f9:85:5d:16:52:18:38:33:
+                    99:ce:fc:14:18:6b:0f:d1:a2:94:8a:55:75:71:77:
+                    50:c0:d5:24:73:59:f0:c6:4b:a8:dc:50:5d:6b:6f:
+                    ce:81:0c:0d:23:d1:6b:ee:b5:4d:c3:bf:4d:a1:61:
+                    cd:f2:bb:a1:ec:86:8c:0d:bc:9a:89:06:1f:da:f3:
+                    2c:11:bd:df:04:6c:1e:f4:ed:1b:27:6a:62:bc:98:
+                    e7:de:53:c8:b6:fb:20:f4:de:c8:7c:65:3b:57:07:
+                    66:de:f4:9d:7d:05:fc:7a:b2:b6:af:dd:cd:d6:ee:
+                    44:44:4a:a6:71:e7:0b:ce:61:17:c5:3a:a7:44:76:
+                    79:7c:1e:3a:5b:b1:5a:82:96:0c:db:d6:f0:9d:11:
+                    eb:95:2f:81:e4:71:2b:4f:f1:61:7f:73:5c:3d:21:
+                    b8:1b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                email:full-validity@example.net
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         92:52:65:13:3c:03:f7:b0:53:8c:45:a6:46:13:06:9b:b7:3a:
+         13:06:cc:52:0d:20:10:ec:0a:ca:d3:85:8b:46:d0:6a:e5:50:
+         a8:d2:3c:61:62:9b:e2:c5:2b:d8:85:34:2a:96:2f:90:24:3a:
+         d9:b4:9a:3d:e5:a2:26:00:53:23:f9:b1:b2:cc:87:40:30:d6:
+         a6:7d:62:9e:7c:ef:ff:a4:78:84:6b:3d:fd:af:c6:7e:c7:90:
+         1c:12:ea:b9:af:a7:2f:a7:44:5f:8e:6e:ba:ea:e5:e9:ba:89:
+         74:5f:7a:77:ed:8e:df:0a:03:d8:67:bb:59:5b:c8:61:8f:78:
+         84:9d:fc:63:3e:78:7d:6f:81:01:85:ee:b2:64:9d:21:a4:1a:
+         84:11:04:bb:47:0f:83:54:e7:44:b0:bc:97:a5:85:7b:70:08:
+         9b:d1:31:01:6e:3b:cb:42:11:7d:50:13:a0:ff:6f:af:4a:30:
+         6f:c0:9b:17:74:71:b4:38:6b:1e:45:4c:f1:ab:99:47:51:a4:
+         e1:74:28:fa:ae:bd:98:5e:8a:a0:45:2a:d8:40:42:1f:29:45:
+         6b:73:7d:cc:07:37:a0:87:23:dd:24:bc:3c:e6:5c:a8:17:ba:
+         50:ab:64:78:35:03:d5:e1:ac:86:98:a4:b3:8d:c9:3b:da:37:
+         41:d9:ce:29
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUTEbM47Gn8fkRxJqRSP9Ub5zPEeswDQYJKoZIhvcNAQEL
+BQAwMTEQMA4GA1UEAwwHVGVzdCBDQTEQMA4GA1UECgwHZXhhbXBsZTELMAkGA1UE
+BhMCREUwIBcNMjEwMzMwMDg1MjQwWhgPMjEyMTAzMzAwODUyNDBaMEwxCzAJBgNV
+BAYTAkRFMRAwDgYDVQQKEwdleGFtcGxlMSswKQYDVQQDEyJTL01JTUUgdy8gc2Ft
+ZSB2YWxpZGl0eSBhcyBPcGVuUEdQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAmDoKqNgyt6/S9rt4rh0i1k+eKSB7btOVdHZQdzwJimsb/zMRWRAz4aZR
+cllZdt9e2u1HwsHGfAQzJeGY85Ab0tqie8Zgu1+o1QKVkj2Dqm//mhKKYjzMteu4
+vpE5If2F+YVdFlIYODOZzvwUGGsP0aKUilV1cXdQwNUkc1nwxkuo3FBda2/OgQwN
+I9Fr7rVNw79NoWHN8ruh7IaMDbyaiQYf2vMsEb3fBGwe9O0bJ2pivJjn3lPItvsg
+9N7IfGU7Vwdm3vSdfQX8erK2r93N1u5EREqmcecLzmEXxTqnRHZ5fB46W7FagpYM
+29bwnRHrlS+B5HErT/Fhf3NcPSG4GwIDAQABozgwNjAkBgNVHREEHTAbgRlmdWxs
+LXZhbGlkaXR5QGV4YW1wbGUubmV0MA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0B
+AQsFAAOCAQEAklJlEzwD97BTjEWmRhMGm7c6EwbMUg0gEOwKytOFi0bQauVQqNI8
+YWKb4sUr2IU0KpYvkCQ62bSaPeWiJgBTI/mxssyHQDDWpn1innzv/6R4hGs9/a/G
+fseQHBLqua+nL6dEX45uuurl6bqJdF96d+2O3woD2Ge7WVvIYY94hJ38Yz54fW+B
+AYXusmSdIaQahBEEu0cPg1TnRLC8l6WFe3AIm9ExAW47y0IRfVAToP9vr0owb8Cb
+F3RxtDhrHkVM8auZR1Gk4XQo+q69mF6KoEUq2EBCHylFa3N9zAc3oIcj3SS8POZc
+qBe6UKtkeDUD1eGshpiks43JO9o3QdnOKQ==
+-----END CERTIFICATE-----
diff --git a/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/53CE2C8DA0B767B450824278C15373FBD8CFF6B5.pem b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/53CE2C8DA0B767B450824278C15373FBD8CFF6B5.pem
new file mode 100644
index 00000000..66236f62
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/53CE2C8DA0B767B450824278C15373FBD8CFF6B5.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            53:ce:2c:8d:a0:b7:67:b4:50:82:42:78:c1:53:73:fb:d8:cf:f6:b5
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test CA, O=example, C=DE
+        Validity
+            Not Before: Mar 30 08:53:12 2021 GMT
+            Not After : Mar 30 08:53:12 2121 GMT
+        Subject: C=DE, O=example, CN=S/MIME w/ lower validity than OpenPGP
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:b3:af:c4:e4:6e:89:f8:80:c4:22:0e:ae:c1:91:
+                    37:ee:fc:ab:30:12:fa:0d:d9:40:e6:c0:19:07:84:
+                    5a:6f:dd:e9:9a:35:6c:3b:45:ef:a3:99:1f:c5:aa:
+                    fb:81:66:85:d0:6d:92:2d:f8:f7:22:eb:1f:81:a9:
+                    55:5b:e7:61:6e:19:6d:6b:01:37:de:21:1a:c6:8a:
+                    42:c0:1e:5a:a5:b9:09:ee:b3:24:3b:8d:a7:18:57:
+                    92:be:24:d0:a3:7b:27:c0:b6:49:95:3e:22:06:28:
+                    9a:64:23:6c:82:ca:b9:27:4c:da:65:d3:42:40:17:
+                    71:89:7f:ae:d7:a7:74:ef:64:d5:54:12:0c:2f:06:
+                    36:9b:fe:34:46:16:33:e7:78:59:d9:62:12:1a:2b:
+                    29:ba:62:41:de:e0:62:67:36:24:36:40:85:14:ca:
+                    32:2f:bf:3d:b9:43:3d:40:61:a7:96:bc:95:09:42:
+                    61:d6:bb:b3:78:b2:26:63:be:42:c5:3e:8c:9b:90:
+                    cf:4e:d4:48:94:6c:f1:16:41:28:5a:66:96:8a:e3:
+                    a4:0b:d2:93:b8:3a:c0:fc:8e:bb:15:74:e8:75:e5:
+                    8f:6b:33:eb:58:41:9e:12:5f:57:4f:7a:15:8a:f6:
+                    bc:de:9e:42:69:eb:60:aa:5b:b1:75:d9:65:61:a8:
+                    39:2b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                email:prefer-openpgp@example.net
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         a4:45:49:11:71:f6:be:67:7f:5a:7e:d4:93:eb:5f:db:85:78:
+         03:64:97:e3:db:69:8c:03:18:dd:32:c1:b0:39:aa:db:08:43:
+         2a:2f:d3:02:19:c8:af:ba:bb:86:c2:3c:fc:83:6d:84:c4:2d:
+         fe:e6:0d:05:3b:39:d3:49:b2:76:50:30:d0:5a:7e:b7:bc:e4:
+         ea:14:a3:bc:c8:65:9e:34:c2:7f:6a:f4:59:34:a7:bd:17:54:
+         ba:64:53:b3:28:1e:8c:1f:4d:10:4f:18:39:bc:52:46:fc:15:
+         f1:10:58:31:80:31:9e:6c:f0:59:01:48:f6:df:2c:8e:69:27:
+         77:45:c0:ca:de:78:03:f2:7c:cf:c5:50:31:38:fd:51:39:58:
+         a8:13:41:dd:14:11:08:9d:7f:a0:8a:45:74:69:c2:9d:26:63:
+         16:09:a4:de:63:96:c7:ec:6a:59:29:e0:02:de:ad:f8:d6:c1:
+         ed:15:4c:1a:3c:9d:be:b1:d4:3f:c8:bd:d4:90:e6:14:5d:da:
+         41:39:12:21:0c:5b:10:7f:63:89:32:ab:e8:ac:aa:36:e6:83:
+         f8:48:fe:ed:74:84:34:18:41:aa:20:96:c9:bf:80:c5:9c:3e:
+         85:64:5e:56:8b:22:80:d9:17:42:6f:a1:3b:24:60:50:da:b8:
+         4d:e8:05:bf
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUU84sjaC3Z7RQgkJ4wVNz+9jP9rUwDQYJKoZIhvcNAQEL
+BQAwMTEQMA4GA1UEAwwHVGVzdCBDQTEQMA4GA1UECgwHZXhhbXBsZTELMAkGA1UE
+BhMCREUwIBcNMjEwMzMwMDg1MzEyWhgPMjEyMTAzMzAwODUzMTJaME8xCzAJBgNV
+BAYTAkRFMRAwDgYDVQQKEwdleGFtcGxlMS4wLAYDVQQDEyVTL01JTUUgdy8gbG93
+ZXIgdmFsaWRpdHkgdGhhbiBPcGVuUEdQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAs6/E5G6J+IDEIg6uwZE37vyrMBL6DdlA5sAZB4Rab93pmjVsO0Xv
+o5kfxar7gWaF0G2SLfj3IusfgalVW+dhbhltawE33iEaxopCwB5apbkJ7rMkO42n
+GFeSviTQo3snwLZJlT4iBiiaZCNsgsq5J0zaZdNCQBdxiX+u16d072TVVBIMLwY2
+m/40RhYz53hZ2WISGispumJB3uBiZzYkNkCFFMoyL789uUM9QGGnlryVCUJh1ruz
+eLImY75CxT6Mm5DPTtRIlGzxFkEoWmaWiuOkC9KTuDrA/I67FXTodeWPazPrWEGe
+El9XT3oViva83p5CaetgqluxddllYag5KwIDAQABozkwNzAlBgNVHREEHjAcgRpw
+cmVmZXItb3BlbnBncEBleGFtcGxlLm5ldDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZI
+hvcNAQELBQADggEBAKRFSRFx9r5nf1p+1JPrX9uFeANkl+PbaYwDGN0ywbA5qtsI
+Qyov0wIZyK+6u4bCPPyDbYTELf7mDQU7OdNJsnZQMNBafre85OoUo7zIZZ40wn9q
+9Fk0p70XVLpkU7MoHowfTRBPGDm8Ukb8FfEQWDGAMZ5s8FkBSPbfLI5pJ3dFwMre
+eAPyfM/FUDE4/VE5WKgTQd0UEQidf6CKRXRpwp0mYxYJpN5jlsfsalkp4ALerfjW
+we0VTBo8nb6x1D/IvdSQ5hRd2kE5EiEMWxB/Y4kyq+isqjbmg/hI/u10hDQYQaog
+lsm/gMWcPoVkXlaLIoDZF0JvoTskYFDauE3oBb8=
+-----END CERTIFICATE-----
diff --git a/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/6237D5880ABA855CBF3829FF0DE1FF96BF7FDE60.pem b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/6237D5880ABA855CBF3829FF0DE1FF96BF7FDE60.pem
new file mode 100644
index 00000000..8ab9c224
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/6237D5880ABA855CBF3829FF0DE1FF96BF7FDE60.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            62:37:d5:88:0a:ba:85:5c:bf:38:29:ff:0d:e1:ff:96:bf:7f:de:60
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test CA, O=example, C=DE
+        Validity
+            Not Before: Mar 29 13:48:34 2021 GMT
+            Not After : Mar 29 13:48:34 2121 GMT
+        Subject: C=DE, O=example, CN=Sender S/MIME
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d6:80:03:3a:d9:31:cb:37:de:bd:89:77:c6:c5:
+                    c4:e0:b6:bc:7f:73:9a:7f:aa:d7:52:10:38:2b:d2:
+                    95:53:0d:3d:a1:c4:de:46:61:f3:6a:09:b3:29:11:
+                    94:9b:fa:09:c3:45:69:f9:1f:d5:5c:a5:c4:a5:bf:
+                    a6:92:91:10:95:b7:e8:0a:4b:d2:fb:27:d9:67:d3:
+                    fc:6f:d9:6d:71:9a:38:f5:84:93:e8:82:3b:91:46:
+                    9a:17:32:8a:bd:36:82:44:35:a4:df:1a:30:a5:45:
+                    8b:2a:49:f5:e7:c0:dc:4b:24:0c:f9:f2:e5:33:56:
+                    82:20:a1:a7:97:89:1e:be:15:f8:f0:b4:15:54:c4:
+                    16:05:31:b8:76:cf:5f:ab:05:66:20:5b:64:bd:21:
+                    f7:a2:60:81:1a:03:20:fe:dd:ad:82:da:56:6c:f4:
+                    d1:a4:e2:97:2c:18:fd:bc:e3:23:c9:4b:51:eb:f4:
+                    4c:62:5b:1d:98:29:12:f5:24:e9:02:96:91:3c:1b:
+                    8b:27:f0:c7:7f:9e:28:6a:b7:e5:82:ec:94:c8:9e:
+                    65:df:5a:76:bc:3c:30:69:66:bc:96:1f:2d:3e:35:
+                    6b:18:be:8a:e8:21:29:58:81:67:d9:65:4f:70:5d:
+                    82:56:2f:2b:5c:db:94:d1:34:01:1f:84:14:8d:e8:
+                    10:4f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                email:sender-smime@example.net
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         a2:53:89:92:9a:6f:57:63:38:22:0b:03:80:1d:ba:f8:9a:dc:
+         7c:d6:44:9e:1d:eb:20:fa:3b:7c:17:46:95:17:91:d9:c6:61:
+         c8:78:ed:1c:3e:38:6e:46:e3:45:5a:9e:e5:b6:f3:ac:65:d8:
+         5d:1e:bb:71:cb:52:22:c7:51:c1:13:11:dd:09:cc:87:d7:aa:
+         47:f3:92:b0:2a:5c:c4:ce:30:97:b3:66:16:ed:55:19:d8:fe:
+         29:c2:7f:bf:25:dd:d4:c3:32:54:9b:fe:46:5a:75:39:93:d1:
+         db:d8:6d:83:e5:8f:f3:9f:2b:47:a6:24:cc:88:70:b8:7c:fd:
+         70:25:28:c0:48:43:e3:be:9f:35:bf:47:54:73:18:af:82:0a:
+         41:e2:16:89:a7:b0:0e:e4:fa:ef:c7:09:6e:90:03:b4:3d:fb:
+         93:93:52:29:f6:16:b3:2e:86:b0:61:36:15:e1:2e:26:4f:03:
+         ec:af:6f:d1:33:16:a4:1f:03:03:ef:d7:ba:17:53:8a:93:fa:
+         ff:86:39:e0:73:fc:df:59:5b:1d:94:21:db:48:71:51:ba:f8:
+         e3:69:b3:43:10:b4:38:44:e9:28:16:63:d5:25:9e:87:49:34:
+         bd:b5:44:6b:a6:3c:13:bb:8f:18:6b:6f:27:3b:02:7f:1e:30:
+         3f:21:7f:77
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUYjfViAq6hVy/OCn/DeH/lr9/3mAwDQYJKoZIhvcNAQEL
+BQAwMTEQMA4GA1UEAwwHVGVzdCBDQTEQMA4GA1UECgwHZXhhbXBsZTELMAkGA1UE
+BhMCREUwIBcNMjEwMzI5MTM0ODM0WhgPMjEyMTAzMjkxMzQ4MzRaMDcxCzAJBgNV
+BAYTAkRFMRAwDgYDVQQKEwdleGFtcGxlMRYwFAYDVQQDEw1TZW5kZXIgUy9NSU1F
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1oADOtkxyzfevYl3xsXE
+4La8f3Oaf6rXUhA4K9KVUw09ocTeRmHzagmzKRGUm/oJw0Vp+R/VXKXEpb+mkpEQ
+lbfoCkvS+yfZZ9P8b9ltcZo49YST6II7kUaaFzKKvTaCRDWk3xowpUWLKkn158Dc
+SyQM+fLlM1aCIKGnl4kevhX48LQVVMQWBTG4ds9fqwVmIFtkvSH3omCBGgMg/t2t
+gtpWbPTRpOKXLBj9vOMjyUtR6/RMYlsdmCkS9STpApaRPBuLJ/DHf54oarflguyU
+yJ5l31p2vDwwaWa8lh8tPjVrGL6K6CEpWIFn2WVPcF2CVi8rXNuU0TQBH4QUjegQ
+TwIDAQABozcwNTAjBgNVHREEHDAagRhzZW5kZXItc21pbWVAZXhhbXBsZS5uZXQw
+DgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBCwUAA4IBAQCiU4mSmm9XYzgiCwOA
+Hbr4mtx81kSeHesg+jt8F0aVF5HZxmHIeO0cPjhuRuNFWp7ltvOsZdhdHrtxy1Ii
+x1HBExHdCcyH16pH85KwKlzEzjCXs2YW7VUZ2P4pwn+/Jd3UwzJUm/5GWnU5k9Hb
+2G2D5Y/znytHpiTMiHC4fP1wJSjASEPjvp81v0dUcxivggpB4haJp7AO5Prvxwlu
+kAO0PfuTk1Ip9hazLoawYTYV4S4mTwPsr2/RMxakHwMD79e6F1OKk/r/hjngc/zf
+WVsdlCHbSHFRuvjjabNDELQ4ROkoFmPVJZ6HSTS9tURrpjwTu48Ya28nOwJ/HjA/
+IX93
+-----END CERTIFICATE-----
diff --git a/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/6C48CCE8716D1609D0D1075F4D582C8DC307D1EE.pem b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/6C48CCE8716D1609D0D1075F4D582C8DC307D1EE.pem
new file mode 100644
index 00000000..300bc20c
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/6C48CCE8716D1609D0D1075F4D582C8DC307D1EE.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            6c:48:cc:e8:71:6d:16:09:d0:d1:07:5f:4d:58:2c:8d:c3:07:d1:ee
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test CA, O=example, C=DE
+        Validity
+            Not Before: Mar 30 08:06:56 2021 GMT
+            Not After : Mar 30 08:06:56 2121 GMT
+        Subject: C=DE, O=example, CN=Trusted S/MIME
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bd:3b:af:ed:43:6c:4a:06:37:9d:76:41:7d:20:
+                    c0:20:d8:25:62:5c:03:55:8c:e8:49:bd:b8:29:3b:
+                    90:3d:8b:8b:5d:0e:b2:d8:a0:39:ea:e7:ce:c5:e8:
+                    8f:c4:c8:55:a8:8f:9d:b5:4a:ba:60:ce:09:a7:ab:
+                    4d:3c:fd:f0:71:52:69:41:fa:e9:cc:a7:42:b3:2a:
+                    66:08:83:53:e0:03:58:67:ff:4f:9e:50:da:b2:57:
+                    aa:f0:0c:9d:61:eb:0b:da:a0:0c:e0:43:11:87:4a:
+                    62:1a:37:ba:95:41:52:e5:9e:de:25:5a:70:4c:06:
+                    09:02:5a:ff:2a:3c:5c:b2:b5:b0:20:76:62:64:0e:
+                    16:21:9a:5d:a9:5c:79:13:5b:ee:bb:be:4f:66:e3:
+                    9d:62:88:28:50:d3:dc:d9:bd:29:31:6c:cd:da:7b:
+                    d4:f6:5f:49:21:85:54:09:56:29:83:5d:e7:43:8e:
+                    e8:7d:6e:08:f4:43:9f:d5:ed:6b:13:8b:98:1d:58:
+                    5c:11:b1:c6:98:33:c4:ca:4f:2b:b5:b9:54:40:d0:
+                    ab:6b:d9:11:76:26:49:65:5a:7e:05:09:3a:bd:04:
+                    dc:05:57:dd:c9:a3:c7:2d:8c:c4:ec:45:9b:8f:04:
+                    c9:de:12:6d:f9:14:c7:62:6b:fd:6c:32:20:8a:ca:
+                    e4:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                email:prefer-smime@example.net
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         75:2a:a7:09:d2:c4:5a:f3:51:e4:12:41:4f:9a:fd:14:39:64:
+         57:3c:9c:e1:04:6c:89:56:c6:b4:b5:7f:1d:cd:a3:e8:d0:6b:
+         fb:29:4c:d1:37:ea:81:4e:24:a7:e7:76:17:7b:e6:0c:f1:61:
+         dc:19:65:f6:c4:e2:86:60:79:ae:1f:93:f9:52:78:5c:83:21:
+         6c:d5:4f:62:e7:28:66:77:64:ee:2f:bd:6c:51:69:98:5c:b3:
+         1e:6c:fb:dc:bd:5a:79:d4:22:7d:e1:90:8f:98:01:f7:99:bc:
+         07:bc:5d:f6:00:6b:12:3c:c8:6d:20:a9:68:b3:01:f4:0d:23:
+         ed:d8:35:3e:49:04:98:5c:6d:14:69:60:75:fb:b9:26:d4:91:
+         57:3a:c8:6f:80:b2:83:03:f9:99:58:45:59:8d:3a:82:1d:04:
+         2a:db:83:da:22:f9:e9:5a:c1:0b:49:a2:21:18:53:c3:fe:f8:
+         fc:cb:be:ee:f6:12:10:49:9e:9a:86:f8:ca:34:2d:96:41:ed:
+         51:29:12:73:3f:08:4e:4b:c1:7d:7f:29:9e:38:96:26:ef:2b:
+         df:ab:79:90:42:52:9c:cf:0e:04:d4:38:39:70:93:2a:cc:a5:
+         8d:83:e0:2d:c5:f6:e6:0b:a4:6a:16:07:8e:fd:49:91:11:b5:
+         b5:b6:b5:ab
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgIUbEjM6HFtFgnQ0QdfTVgsjcMH0e4wDQYJKoZIhvcNAQEL
+BQAwMTEQMA4GA1UEAwwHVGVzdCBDQTEQMA4GA1UECgwHZXhhbXBsZTELMAkGA1UE
+BhMCREUwIBcNMjEwMzMwMDgwNjU2WhgPMjEyMTAzMzAwODA2NTZaMDgxCzAJBgNV
+BAYTAkRFMRAwDgYDVQQKEwdleGFtcGxlMRcwFQYDVQQDEw5UcnVzdGVkIFMvTUlN
+RTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL07r+1DbEoGN512QX0g
+wCDYJWJcA1WM6Em9uCk7kD2Li10OstigOernzsXoj8TIVaiPnbVKumDOCaerTTz9
+8HFSaUH66cynQrMqZgiDU+ADWGf/T55Q2rJXqvAMnWHrC9qgDOBDEYdKYho3upVB
+UuWe3iVacEwGCQJa/yo8XLK1sCB2YmQOFiGaXalceRNb7ru+T2bjnWKIKFDT3Nm9
+KTFszdp71PZfSSGFVAlWKYNd50OO6H1uCPRDn9XtaxOLmB1YXBGxxpgzxMpPK7W5
+VEDQq2vZEXYmSWVafgUJOr0E3AVX3cmjxy2MxOxFm48Eyd4SbfkUx2Jr/WwyIIrK
+5CcCAwEAAaM3MDUwIwYDVR0RBBwwGoEYcHJlZmVyLXNtaW1lQGV4YW1wbGUubmV0
+MA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQsFAAOCAQEAdSqnCdLEWvNR5BJB
+T5r9FDlkVzyc4QRsiVbGtLV/Hc2j6NBr+ylM0TfqgU4kp+d2F3vmDPFh3Bll9sTi
+hmB5rh+T+VJ4XIMhbNVPYucoZndk7i+9bFFpmFyzHmz73L1aedQifeGQj5gB95m8
+B7xd9gBrEjzIbSCpaLMB9A0j7dg1PkkEmFxtFGlgdfu5JtSRVzrIb4CygwP5mVhF
+WY06gh0EKtuD2iL56VrBC0miIRhTw/74/Mu+7vYSEEmemob4yjQtlkHtUSkScz8I
+TkvBfX8pnjiWJu8r36t5kEJSnM8OBNQ4OXCTKsyljYPgLcX25gukahYHjv1JkRG1
+tba1qw==
+-----END CERTIFICATE-----
diff --git a/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/70CEEBA710B7FBF41184FBB6A50AC89D459E574D.pem b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/70CEEBA710B7FBF41184FBB6A50AC89D459E574D.pem
new file mode 100644
index 00000000..0fb11ac8
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/demoCA/newcerts/70CEEBA710B7FBF41184FBB6A50AC89D459E574D.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            70:ce:eb:a7:10:b7:fb:f4:11:84:fb:b6:a5:0a:c8:9d:45:9e:57:4d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Test CA, O=example, C=DE
+        Validity
+            Not Before: Mar 29 12:02:47 2021 GMT
+            Not After : Mar 29 12:02:47 2121 GMT
+        Subject: C=DE, O=example, CN=Sender Mixed
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:b3:0f:02:88:b9:2b:0d:8a:d8:a5:84:12:e9:50:
+                    60:33:2f:61:db:a6:86:a7:b9:a5:00:71:de:13:65:
+                    a3:d0:08:3a:4e:29:52:67:07:78:89:52:ca:f5:79:
+                    ef:6e:20:93:23:87:72:06:e1:ce:e3:10:92:d1:44:
+                    ee:de:64:27:f1:0c:10:26:47:82:aa:1f:01:b2:24:
+                    f8:ad:95:76:0b:e2:f0:27:9b:c2:24:6b:d1:34:cc:
+                    9d:78:d0:a0:82:ec:97:31:e0:4d:79:f7:d9:57:56:
+                    59:9c:d5:f0:61:1f:bf:24:29:cd:1d:11:ac:f5:c6:
+                    90:ec:cc:6e:be:f8:e4:78:d6:f7:9f:db:e6:77:23:
+                    7b:54:e8:01:22:50:bc:a0:1d:5f:76:1c:f8:13:6b:
+                    e5:44:10:c8:75:92:22:0e:b1:4e:79:75:c4:5e:af:
+                    4c:b7:89:2a:6f:f9:fb:3d:30:a0:ed:cc:97:bf:6a:
+                    19:6e:fe:00:e6:7e:ff:63:d0:cd:8b:02:3c:fb:ba:
+                    77:61:4a:60:fe:19:57:a6:b8:46:cc:b5:f9:39:ec:
+                    84:2f:cb:59:98:85:79:98:19:25:1a:d9:79:23:b2:
+                    2e:2c:84:24:c7:52:65:3d:f5:17:41:b4:4f:b1:d4:
+                    f7:37:7b:37:a4:f6:4f:82:56:60:4c:34:a3:5a:26:
+                    cb:05
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                email:sender-mixed@example.net
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         09:5d:c4:a9:c9:30:ea:0f:bc:80:1d:5b:a9:ee:78:02:bc:ac:
+         07:c1:0c:16:25:c3:80:a2:10:bd:be:a5:32:de:c9:5f:fe:9b:
+         20:91:6e:71:68:f6:b0:9a:9f:59:ed:57:a0:b0:27:1d:fd:9a:
+         18:36:87:f0:02:6d:9f:c8:8b:c4:e9:37:a6:80:f2:66:9d:8f:
+         55:8f:8a:7e:ba:92:c1:a1:d1:3d:f9:71:be:2a:82:e0:2f:30:
+         5c:c9:2a:02:71:a6:3c:be:34:c6:ee:f2:3d:5b:19:59:06:7c:
+         01:d3:f3:4a:fb:a4:6b:c2:1a:29:4e:b7:7b:51:7e:f5:86:5c:
+         b2:65:97:a7:fc:43:a4:6f:2e:ec:2c:a5:44:04:db:6b:57:9b:
+         8e:4b:5d:da:39:09:00:08:7b:f4:2c:13:70:57:31:33:94:10:
+         61:60:9b:41:d5:85:ec:05:b8:c3:fa:ac:de:ac:08:e6:a9:a3:
+         d9:34:2a:3a:e2:12:9c:0e:50:7b:02:60:cb:1d:f6:d0:68:c9:
+         e5:70:ed:53:c7:93:a9:74:5f:7d:53:8e:8a:81:be:27:f9:d6:
+         2f:0a:2a:c5:0b:25:5b:c0:bb:0b:c0:6a:fd:3f:b8:5a:52:b4:
+         d5:21:0e:ae:85:5e:dd:d9:1d:c5:3c:ff:12:e5:6b:25:f9:7d:
+         98:8b:e8:b0
+-----BEGIN CERTIFICATE-----
+MIIDLjCCAhagAwIBAgIUcM7rpxC3+/QRhPu2pQrInUWeV00wDQYJKoZIhvcNAQEL
+BQAwMTEQMA4GA1UEAwwHVGVzdCBDQTEQMA4GA1UECgwHZXhhbXBsZTELMAkGA1UE
+BhMCREUwIBcNMjEwMzI5MTIwMjQ3WhgPMjEyMTAzMjkxMjAyNDdaMDYxCzAJBgNV
+BAYTAkRFMRAwDgYDVQQKEwdleGFtcGxlMRUwEwYDVQQDEwxTZW5kZXIgTWl4ZWQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzDwKIuSsNitilhBLpUGAz
+L2HbpoanuaUAcd4TZaPQCDpOKVJnB3iJUsr1ee9uIJMjh3IG4c7jEJLRRO7eZCfx
+DBAmR4KqHwGyJPitlXYL4vAnm8Ika9E0zJ140KCC7Jcx4E1599lXVlmc1fBhH78k
+Kc0dEaz1xpDszG6++OR41vef2+Z3I3tU6AEiULygHV92HPgTa+VEEMh1kiIOsU55
+dcRer0y3iSpv+fs9MKDtzJe/ahlu/gDmfv9j0M2LAjz7undhSmD+GVemuEbMtfk5
+7IQvy1mYhXmYGSUa2Xkjsi4shCTHUmU99RdBtE+x1Pc3ezek9k+CVmBMNKNaJssF
+AgMBAAGjNzA1MCMGA1UdEQQcMBqBGHNlbmRlci1taXhlZEBleGFtcGxlLm5ldDAO
+BgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQELBQADggEBAAldxKnJMOoPvIAdW6nu
+eAK8rAfBDBYlw4CiEL2+pTLeyV/+myCRbnFo9rCan1ntV6CwJx39mhg2h/ACbZ/I
+i8TpN6aA8madj1WPin66ksGh0T35cb4qguAvMFzJKgJxpjy+NMbu8j1bGVkGfAHT
+80r7pGvCGilOt3tRfvWGXLJll6f8Q6RvLuwspUQE22tXm45LXdo5CQAIe/QsE3BX
+MTOUEGFgm0HVhewFuMP6rN6sCOapo9k0KjriEpwOUHsCYMsd9tBoyeVw7VPHk6l0
+X31TjoqBvif51i8KKsULJVvAuwvAav0/uFpStNUhDq6FXt3ZHcU8/xLlayX5fZiL
+6LA=
+-----END CERTIFICATE-----
diff --git a/autotests/fixtures/keyresolvercoretest/openssl.cnf b/autotests/fixtures/keyresolvercoretest/openssl.cnf
new file mode 100644
index 00000000..b5819561
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/openssl.cnf
@@ -0,0 +1,34 @@
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+[ CA_default ]
+
+dir             = ./demoCA              # Where everything is kept
+database        = $dir/index.txt        # database index file.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+
+certificate     = ./test-ca.cert.pem    # The CA certificate
+#serial          = $dir/serial           # The current serial number
+rand_serial     = yes                   # for random serial#'s
+private_key     = ./test-ca.key.pem     # The private key
+#RANDFILE        = $dir/.rand            # random number file
+
+default_days    = 36524                 # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = default               # use public key default MD
+
+policy          = policy_anything
+email_in_dn     = no                    # Don't add the email into cert DN
+
+name_opt        = ca_default            # Subject Name options
+cert_opt        = ca_default            # Certificate field options
+copy_extensions = copy
+
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
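Review bot: `copy_extensions = copy` in `[ CA_default ]` copies every extension from the request into the issued certificate, and the section names no `x509_extensions` block, so nothing in this file pins `basicConstraints` on what the CA signs. The certificates added under `demoCA/newcerts/` accordingly carry only Subject Alternative Name and Key Usage. Together with `policy_anything` and `default_days = 36524`, that is reasonable for generating fixtures but unsafe if the file is reused elsewhere, so I would open it with a comment such as `# Test-only CA configuration for the keyresolvercoretest fixtures; do not use for real certificates.` A second comment on the `copy_extensions` line could say `# requests are created by the test author and therefore trusted`. The file behind `private_key = ./test-ca.key.pem` is not in the visible hunks, so a comment saying whether that key is committed, and how to regenerate the certificates, would help the next maintainer.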
diff --git a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/068B3A87EB6029DC958371D42A8CF22913F792BA.key b/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/068B3A87EB6029DC958371D42A8CF22913F792BA.key
deleted file mode 100644
index e2f6aa6e..00000000
--- a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/068B3A87EB6029DC958371D42A8CF22913F792BA.key
+++ /dev/null
@@ -1,32 +0,0 @@
-Created: 20210322T135004
-Key: (protected-private-key (rsa (n #00D93727139ED5044AEEB02BD9D2096F2C
- 76BBEBFB7E64E51592C81D11A44AE96B14E6DD2F333ABA41FCD24860932859CBEFA0C5
- FA22EC3F5085CB0F7BC1D61F1C8FA1CADC04A916ADECB576250E02D6FB0FB8AA8C6347
- 08B2ABDFDB0059D634B045AADF69E20E3E97A13110CB6436CA0A1881070ED14D2EC482
- 09BEAB0DE56B6DE178236AAA0314A7474EC85314857856633BC572A864EE2571C157B8
- B944B5ECB3C85B5CEEBB4FF42928DA57DA45658D9268DED792B818F0CF83ECB5ED97AC
- DB5A10F1F1E800565D70D5FE175C93EF3E4468765015DEBB768A5F53C061756F128181
- D6DA2B08ED396E7765C58659B4EF37173CE33E6CD7DD0BAD2793C4F88B75#)(e
-  #010001#)(protected openpgp-s2k3-ocb-aes ((sha1 "\fT5g���?"
-  "53686272")#D98B1FCB502A730F10473897#)#146BB2167B12E4703EDD7F8A7C5F63
- C68DC63536E6C98DCB8A16BC1D948F366D74F9B991C6050B79BC521B767E9A67BB095E
- C117900C945DAC62EC4913DAFEC40D1E2B6C698F0028981D9E927D2BC0D84305DBA84B
- 480BE98E7B438BB304A96596A21B4FDC7A2BC65E8A0428D2A48D99D3845FE4E31E5B81
- 655F89F551873526B1FF4BB3DA0DA81959F64D4730E09DBF3A20D739AF09AEF8D39E70
- 51D422A0692DF157D14879D66BF5A6463EC9CF1249B2382D954CC1C2C7944C22DC3E06
- 7E7752D1D38CAE872AF357373FA69279B392EFC3134ADA09D3DD18B38D1AFABDD434AD
- E6E8C83FE4A0B7451591C785983D1FCB949B4C1070D6DF84B34241E08E75549FC4C3E6
- F983D729BC5F3577830EAD736EA8A8A05ED2E95D855C4083DC6396B252CA23C807D0AC
- 66AD91EE4003D0EBF979A316663A14B3D175D5E270308C68E0E708E7813A070ECC6404
- 688E9944EC055669D7B1CC07B2A50096C515B6F8E9EB8A928DBAB0037056062D816410
- 100EF8A74B01D988D51D917D758185C51E423B49E23545A959A8E9678265ADAFFB0670
- 4C168C384280ADC4990356A7EF01DD0AC0FACADB447F57AD7CF3F71DA694A1CB23E9D1
- DF514921D0B903BEA56EC990F2B4A351B172671873D4CB375800E4E41DC5FD889B9CBC
- DC868AEE0298C07BA5E1D0B88F4808014D743E138B883905634EB0A1184ACA435EFA4E
- 7152C9DA0D87E1B37255AFF2B0F44E73ACB3690BD0A54469C6F27A0FAD8C8D6D36E143
- EB44742F94DC0B5974443967434CEAFF0832D922EA3CDE600459297DCE28EEBB833A66
- 1E31140A826561F9713DD3BF0E4B5A82A69A89F1A98D69F06DC9719520F714FE7D008A
- F0D3307B857B39484C0AEB602B9C61D9A5844A0AD9C166C0B6E9626938F13F93A9FC87
- A8D4F0E06F919D16E0D4ABB252AB729E217619AD33D5644A7803CBFB2D29C87BB2BA5F
- 12F0850DFD2BEE9FAB592A3529DDEE9E9A4D#)(protected-at
-  "20210322T135004")))
diff --git a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/0B767151C33FEE7708F7035860A4D2025C801000.key b/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/0B767151C33FEE7708F7035860A4D2025C801000.key
deleted file mode 100644
index 39be69f7..00000000
--- a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/0B767151C33FEE7708F7035860A4D2025C801000.key
+++ /dev/null
@@ -1,32 +0,0 @@
-Created: 20210322T134956
-Key: (protected-private-key (rsa (n #00D787B9940C8083BA526A58C9CB55FA34
- 9BD8267C30D1FA6D116DBEE5CDC1BD21B27D54EF5AEBE253B64A3CA518375716B2A48E
- DF23A737A227251802AE43BB1839ADA0443F6EFB02040D21D0C753B1B3581F469B2BCD
- 22FBBF7A7A108E56CE80ECC85D2CD8A7158903887E8AEF0D3E8BB2524752F8D5CDB285
- EFAA90EBA0E9CCB039DCFBC7AD3B618047077599E28A9424DBF20DC8212B57E7F0906A
- 0AB48678462C1FEBA6E5B0B1DE9902F52C56CB46AFCF8BCACC61D4891424C59FF04514
- B0E36BD14A45E1982DF6A480649BF4FAF41759B83624909DE64CA0CF478CBEC6BB389A
- 128D70DE51564BCB0F7EF2D89546E7FBB99DF66985B06BFF8DC811B67BC5#)(e
-  #010001#)(protected openpgp-s2k3-ocb-aes ((sha1 #1FF718CDDA024F83#
-  "53686272")#F8F33DD09D5D50563E0940D7#)#987A0F3D878875F6F9E1B62237DBC1
- D888212F697E9AAB7F5177B2F832086181B2571F151FB2461B13C5EFEC499707E7B1A8
- C380BD05DCFA2D899056ECCF25B2F32D167C0B79C7390CB2D94637701ACDE7B1D67C3D
- AE479504319BD6844C1B2671263A676F862B5A9636FC56C0EF5DCDDB534F985A8B705E
- E1D6BEC02F1CBBB197E2953666FE802918E9888323947B8677CF5E67F426D41F0C10E5
- 9699C1FE5A1D6F9A242C6D26C7AACB86BF54B163CE9189A961093E49665B9C2603BD4E
- 08225A58378E88420E6EB366B15025414010D2FD235CC935A76661DEF928E8110FF07D
- 9B0CC1E1133D1D7686AFD24C85487363F63C7B7816B887672F74922590B54306DE2F15
- C29F3CED3B3C64E641F30207590DD5DE1853141493115CD946E010A9E8E55E9D4B7C6B
- 438B0C78835807FE7309AC8A8BF17E9951BA9707575D7CDDADA684DECD446D9DF4263E
- 5803716FAF31B279FB8214209458EE055A04247C21F5298C73C6037AECA2624071F0AE
- A8817979908EB4CA190D069F65B214CC6ACA88A48D0C09874644E13904C6A53948F601
- 77D9C15C450CEFA75E1AC7E851239E1374012E89B21F6FF9B038F7034E210D989F2462
- 69E914A75AE3449C6C2B95E1CE5C3F956322074AF0FB78ADDDB1FACDB7D0A6641EE436
- 5BE00472B246431A25018E5D6DAA8CBF419D7CDAE1997DA67715A8BC403EB7EFA81C7E
- 0C8018FA9156B2B5BA310BF5C8AF5AFF4E0F7F3D80D25855D4F0AB571580D66297C682
- D4913E9B51F1B1CFE1E8D4CAEFB42632728EDF802C4666200E334EBE590577D9D866EC
- D7B972D8DFE348C1E47C5F71D1324AC5064217709319487255E9C231A06B69F39DD107
- 47322B6926F8CEAFE16F47ECDA4177B6FB7319B1E14BDBAA8AAF349C824D9C78932EB4
- 8C2201D7698F798D1812D53FAB7F4DC967C64DF5AE582EF218BEE1BCF0C1832A5E823E
- 3BA133AD82E86270320619686CCD0B915C8C#)(protected-at
-  "20210322T134956")))
diff --git a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/2B38646AEC0F0D6AE2EEF714963722C0E58BF95F.key b/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/2B38646AEC0F0D6AE2EEF714963722C0E58BF95F.key
deleted file mode 100644
index d3d268da..00000000
--- a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/2B38646AEC0F0D6AE2EEF714963722C0E58BF95F.key
+++ /dev/null
@@ -1,32 +0,0 @@
-Created: 20210322T135027
-Key: (protected-private-key (rsa (n #00CB691B6AF9496B3B30D1262C5924A5F4
- 75AB3A0BBBDED7283254DAAF66AEAA20D3B142883959E1D382D7D9480A79B6070CAF44
- E60861A0939C191302B0BBF9837821B141EBEAF8DCD17C074B13A5459D90E7BD8F3E82
- BD98F542CC76E4F8038726C1671023CF49CBCEAE937DCCA14A2CDD8C12EA1269898229
- 4108D76E6432D17AA5CB50C2D94F57ED312B1B8C352873E543867E019C93AC26EADB8F
- 1047939C2C8BF7C9A5FD42F7BDAFB48ED267F729980B35D8448A64B7BAD0FD8885041A
- 6728AAAF1155D328F01F11ADBE0FBC591D08723E5B0270FC703DE3B075D072FEDC420C
- FE8901339C133E333A697424A8F530C4A6A79CA9B0734E066068915F4E07#)(e
-  #010001#)(protected openpgp-s2k3-ocb-aes ((sha1 #E5CD258D08FA0B17#
-  "53686272")#E359E322AE99FE55AB12C20B#)#12425AFB59FFBD153A29D61B063756
- CA14F2FA802485A108C01BECCD21DDFE2192E4B14ECDF644D229AF6427644B86493544
- D55CFFE2E992EEC419EFCCC641A0B4431D9EB3090C4034A9F9E51486E30D1892DE64F8
- EB365EC0D65C245E3030A9D9724D3F26A7DE980CF1074D1574D3B982C6C4FDEC4C20CA
- 93CF315325210E00B9F6916AF4175A100D8D67A94833757470C8EACA75FDF611B81245
- 0B8F0A8E8BA6E7DFA4BA937B750C5E5F863AB28612D50A330450D6EB7534AEF23BCD5C
- 7D9E74D7B71B1201921909295FC30F82512F6D610F267A5F971ABE5D156114B1A4A2E8
- 945A8E19CBA734EDCD461E4D593BEC3C01B068041079233FF3F63A919030AE8C32ED4E
- 4FE58DC350D32ADE953C0A6481DAC100ECEF27FE6BB96AAF96B2D49541825A4266A85F
- 6CB9E8E004E7E6C87A3980D0EB513ED06A622C8B14EEC2C1DF473EB5BF133B29DA54C9
- 22060A4369E17288D8048B5725A413548541BF4EB656843C2C9B2120CD1C49B5DAA4FB
- 6892E9795F06508303539A5F345584E0E44A7B323CCEF80C6CFC0CFE3342E929344986
- 8D84B82F7CB2B005B72C1A2A85CB13ADDDFE00207F63B306464539D1CEE017C9E7F9C1
- C4DD789F98F5306975015076DC752840F71B654A6F23ED0BFA1F5D06F1F760B97E30FE
- 89560A8BE3D5BFB76B3476D9B58D5BA61C7F9145395CD248905206958D4579AD1444F9
- 591CE5ADBD61330D3D5883293AD142CB8D5C01AF30B0F83AE3C90042848BF0ABF6A937
- A8D000DA8ECEA9037E31BB13090C498A148CD8E032649A96E4D9A0E23360FDC52D4E00
- CA020455B3D117B9D3DA198D34C0C9F7C445436E7CD248EE4C4B3F04B5E0A98DA0DF08
- E946494D683E0BDB25E49FAAD397B7B76BF855FED0D7ED72E1747C331ED923A2C76B11
- 77DE39C6AF783A61CD46CCD73DC529EC30176C7F3900410944240B91C492C8BAAF3CF6
- 55B7848230F5A76B7AF90E44AC825C4645B0#)(protected-at
-  "20210322T135027")))
diff --git a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/82E263F0451C25D17100C2BAC06F1867B9E183E1.key b/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/82E263F0451C25D17100C2BAC06F1867B9E183E1.key
new file mode 100644
index 00000000..ace31b13
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/82E263F0451C25D17100C2BAC06F1867B9E183E1.key
@@ -0,0 +1,32 @@
+Created: 20210329T132221
+Key: (protected-private-key (rsa (n #00D680033AD931CB37DEBD8977C6C5C4E0
+ B6BC7F739A7FAAD75210382BD295530D3DA1C4DE4661F36A09B32911949BFA09C34569
+ F91FD55CA5C4A5BFA692911095B7E80A4BD2FB27D967D3FC6FD96D719A38F58493E882
+ 3B91469A17328ABD36824435A4DF1A30A5458B2A49F5E7C0DC4B240CF9F2E533568220
+ A1A797891EBE15F8F0B41554C4160531B876CF5FAB0566205B64BD21F7A260811A0320
+ FEDDAD82DA566CF4D1A4E2972C18FDBCE323C94B51EBF44C625B1D982912F524E90296
+ 913C1B8B27F0C77F9E286AB7E582EC94C89E65DF5A76BC3C306966BC961F2D3E356B18
+ BE8AE82129588167D9654F705D82562F2B5CDB94D134011F84148DE8104F#)(e
+  #010001#)(protected openpgp-s2k3-ocb-aes ((sha1 #C9DCC503635E9D1F#
+  "53686272")#EA63AD9C3D5ED6129A77700B#)#2034D0EAD39198546EA8C80BD75917
+ 499902298ED0683CA3E47882B6E4A1D14B615741E5C35E7C7694ED2EAAC05298796C2E
+ 466A48BA9717AD7DD9C29113B6B5743A01456BAD7F4F1FE9C4AC7EE904A48EA2335E22
+ 508E8A04C478E88A4F2F3DD4C0696A37C5BAD654C35CE4B399D35CAB20BDFF4E3FE1E7
+ D1108C42E7B66B4EFF2288D89A8EED3026B2A38463CE50E204F4EBE169D394D6DC7A61
+ D85B3CE27C27C77DDC19BC0E3353A577EDF6EF8200C24559E06369270E6BFA38E5B835
+ 2C797839AF2A46E3E85A2EC53321ADD50FBE1FA2CDFE2388B57A92E5788AD13C28AEC8
+ F9E3AC43D0933A557F0693210AA2387675EFEB469BEFCD7B40D71B8789B61C8C2C1BE5
+ 3079B61A38AB7F1767119E751E01D032B0438B32074EBD3023B1FEA9B867E5C16FBBF6
+ 4CDD0219F008BC274617CC996BC2C1DBE2F73C05E7074839AE15A639B7838E2B49A4EE
+ E98DCF96176F13B13E62953A955C7BBDA8FD0084D1FCF847EB623D88A73902C04A15B6
+ 3B56E0DEB56F648D44CFF1A62ED77ADD077ECAEE96CA4BF0ABD58BC8A5AD6D09679930
+ FC25A8588CD86D9D70224256BC2CF1C73410B652903FE98A24C441AD75BE037B886FD4
+ 4C59DF33A8E114F346B25191ACDB2CC67FB7DDDDF2861E4A7F6F2AE546E6E16CAF6479
+ 0C6EA380E55C93912AEB88D9DEF1776F34FA17F5278A2C7ABCCE818C72CFF8118D1268
+ 47034F93F236D2EACB20704C493FBB7DD9D1BA742026EEE433C3C5F79E86A739A0D22A
+ 2A94985AFB37223A9C613878EDEAAFC11DDC61D56EA92313B8221CE867E73EE641FED7
+ BC6734775672AFED161EDE2179866DEBDC1C34E8EF82D9347DF8DE4867595F4649A403
+ 9103B36A50B1D9A3F4EAC0885F11608F05E5198D12AF4D82C72A2AE1DC5E37187715AD
+ D402A06B099521B21BDEE1CEEDBE40C2DBF2B43EEEECFB46AACD5CC1F4DBA4B0527B05
+ 331A4FFD38A407A13B691D7C798541D2686733#)(protected-at
+  "20210329T132221")))
diff --git a/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/878E0CC6690155A5B79124D0F79D0363B6E41E4B.key b/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/878E0CC6690155A5B79124D0F79D0363B6E41E4B.key
new file mode 100644
index 00000000..60bfc1f3
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/private-keys-v1.d/878E0CC6690155A5B79124D0F79D0363B6E41E4B.key
@@ -0,0 +1,32 @@
+Created: 20210329T101929
+Key: (protected-private-key (rsa (n #00B30F0288B92B0D8AD8A58412E9506033
+ 2F61DBA686A7B9A50071DE1365A3D0083A4E29526707788952CAF579EF6E2093238772
+ 06E1CEE31092D144EEDE6427F10C10264782AA1F01B224F8AD95760BE2F0279BC2246B
+ D134CC9D78D0A082EC9731E04D79F7D95756599CD5F0611FBF2429CD1D11ACF5C690EC
+ CC6EBEF8E478D6F79FDBE677237B54E8012250BCA01D5F761CF8136BE54410C8759222
+ 0EB14E7975C45EAF4CB7892A6FF9FB3D30A0EDCC97BF6A196EFE00E67EFF63D0CD8B02
+ 3CFBBA77614A60FE1957A6B846CCB5F939EC842FCB599885799819251AD97923B22E2C
+ 8424C752653DF51741B44FB1D4F7377B37A4F64F8256604C34A35A26CB05#)(e
+  #010001#)(protected openpgp-s2k3-ocb-aes ((sha1 #24F22D89024E1897#
+  "53260288")#A647BCD410DA14FDE2EDDC78#)#B2B49C3D7E665F6023279764E42C8A
+ 2B0FE3BB25AD1AE72B04C5CCD5E28B225F45CB5CE6C2C164A94D7C3BDFB9C87E367BB4
+ 8ECA2D72106C5E335F03A554B7FB5C558CD389BBE61530CFE0F8155D919DCB3E351628
+ DCD0E2FE9182F08D14A3589903560B50CD29058B0DA51E89F6F77AA9A523AAB74AE448
+ BA888CF34F535F9BBF2EB71193E83FD8BABC115224D961BACD48C9833A4157A20CC094
+ ABC286D355BD42FB189F9B2E6AC9B866FA2457C4D8ADEDB5EE5DB68E1B7842159214A4
+ 96BB2DCAC9D1AF60CE496BB3A852DB864288DF0CBDA78CDC6A5976FC24CAFF7582A49F
+ 0BEA7B1FB5AD5A9061642062D7916AA49AB78B0ECEA673CF7C2B523BFF0EA4E3D663A3
+ C0F932123E73E97F2931C790FEC4A0404833540AFE9C1FB1642BE522AF499CB35B5566
+ A229138C699B652A0126B0D3655C3E907EA31D9EEBF5E32A55FA9CD2527B3DD1C13CF9
+ 4715899CC0E1FE9CBF4A5BDC9A31B69E8428B2827A4A66C0BE841B95514B46803A0998
+ B6FE75758676A6B3FD96E9ADE67280AF18079B27546CFD15675C0D40B68D005FD865DB
+ CC1C8D5513AEC51A87911EE182274F2AB5224793309CDF10EED16D078128703F2E8886
+ DDA5C2F41FAA2F3FBC73ED29ABA5A2A273984F067861A08E63194DC89D5FBD9A239924
+ 62ABA890F008E909CE869C81F5B03F08D44F1D33DFDCD3A79259E21E6239D18B9A0296
+ 8ECEF6DDA64D3C53DBAAC2CE842966F0FBF6798EC8CD1A0E53C32C6E45AAB86403C8CE
+ 374931CCA1D2C1930F44B637D4856502EA6A384C832D70EADA2ACB10728940767391F7
+ 491441748F51841A36F0F5F8A6738B47304140D2A9762B659203C9A06ADC380657E9B8
+ 583438B268B267328AB919326C5B2E4A8D6A0CD2E96BADDD29BA90196FEE54DE564EBE
+ 114F92A140C52E4189728EADB6F8CB38A4C693AE59A87254CCA8CC095879931935CAF5
+ 1C45E64A412DBF61301D61BC488C0AD4CF9855#)(protected-at
+  "20210329T101929")))
diff --git a/autotests/fixtures/keyresolvercoretest/pubring.kbx b/autotests/fixtures/keyresolvercoretest/pubring.kbx
index ee1ac71e..56aef5e0 100644
Binary files a/autotests/fixtures/keyresolvercoretest/pubring.kbx and b/autotests/fixtures/keyresolvercoretest/pubring.kbx differ
diff --git a/autotests/fixtures/keyresolvercoretest/readme.md b/autotests/fixtures/keyresolvercoretest/readme.md
index 233c86c5..4c259c4f 100644
--- a/autotests/fixtures/keyresolvercoretest/readme.md
+++ b/autotests/fixtures/keyresolvercoretest/readme.md
@@ -1,118 +1,168 @@
 # Fixture for KeyResolverTest
 
 ## Setup
 
 Set the `GNUPGHOME` environment variable to this folder:
 ```
 export GNUPGHOME=$(pwd)
 ```
 
 ## Generate OpenPGP test keys
 
 Note: gpg 2.3 is needed for the --no-auto-trust-new-key option.
 
 ```
 # Create an ultimately trusted CA key
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Ultimately trusted CA <ca-ultimate@example.net>" default default never
 
 # Create a fully trusted CA key
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Fully trusted CA <ca-full@example.net>" default default never
 gpg --edit-key --command-fd 0 ca-full@example.net <<eof
 trust
 4
 save
 eof
 gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-ultimate@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons ca-full@example.net | grep fpr | head -1 | cut -d ':' -f 10)
 
 # Create a marginally trusted CA key
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Marginally trusted CA <ca-marginal@example.net>" default default never
 gpg --edit-key --command-fd 0 ca-marginal@example.net <<eof
 trust
 3
 save
 eof
 gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-ultimate@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons ca-marginal@example.net | grep fpr | head -1 | cut -d ':' -f 10)
 
-# Sender with OpenPGP and S/MIME key
+# Sender with OpenPGP and S/MIME certificate
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" sender-mixed@example.net default default never
 
 # Sender with OpenPGP key only
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" sender-openpgp@example.net default default never
 
-# Recipient with full validity
-gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" --no-auto-trust-new-key "prefer-openpgp@example.net" default default never
+# Recipient with ultimate validity (higher than corresponding S/MIME certificate)
+gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "prefer-openpgp@example.net" default default never
 gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons prefer-openpgp@example.net | grep fpr | head -1 | cut -d ':' -f 10)
-gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-full@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons prefer-openpgp@example.net | grep fpr | head -1 | cut -d ':' -f 10)
 
-# Recipient with marginal validity
+# Recipient with full validity (same as corresponding S/MIME certificate)
+gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" --no-auto-trust-new-key "full-validity@example.net" default default never
+gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons full-validity@example.net | grep fpr | head -1 | cut -d ':' -f 10)
+gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-full@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons full-validity@example.net | grep fpr | head -1 | cut -d ':' -f 10)
+
+# Recipient with marginal validity (lower than corresponding S/MIME certificate)
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" --no-auto-trust-new-key "prefer-smime@example.net" default default never
 gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons prefer-smime@example.net | grep fpr | head -1 | cut -d ':' -f 10)
 gpg --quick-sign-key --default-key $(gpg -K --batch --with-colons ca-marginal@example.net | grep fpr | head -1 | cut -d ':' -f 10) --batch --pinentry-mode loopback --passphrase "" $(gpg -k --batch --with-colons prefer-smime@example.net | grep fpr | head -1 | cut -d ':' -f 10)
 ```
 
 ### Unused OpenPGP keys
 ```
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Untrusted OpenPGP 1 <untrusted-openpgp@example.net>" default default never
 gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons "Untrusted OpenPGP 1 <untrusted-openpgp@example.net>" | grep fpr | head -1 | cut -d ':' -f 10)
 gpg --edit-key --command-fd 0 "Untrusted OpenPGP 1 <untrusted-openpgp@example.net>" <<eof
 trust
 1
 save
 eof
 
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Untrusted OpenPGP 2 <untrusted-openpgp@example.net>" default default never
 gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons "Untrusted OpenPGP 2 <untrusted-openpgp@example.net>" | grep fpr | head -1 | cut -d ':' -f 10)
 gpg --edit-key --command-fd 0 "Untrusted OpenPGP 2 <untrusted-openpgp@example.net>" <<eof
 trust
 1
 save
 eof
 
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Untrusted Mixed OpenPGP <untrusted-mixed@example.net>" default default never
 gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons untrusted-mixed@example.net | grep fpr | head -1 | cut -d ':' -f 10)
 gpg --edit-key --command-fd 0 untrusted-mixed@example.net <<eof
 trust
 1
 save
 eof
 
 gpg --quick-gen-key --batch --pinentry-mode loopback --passphrase "" "Expired <expired@example.net>" default default seconds=1
 gpg --delete-secret-keys --batch --yes $(gpg -K --batch --with-colons expired@example.net | grep fpr | head -1 | cut -d ':' -f 10)
 ```
 
 ## Generate S/MIME test keys
 
+### Generate a Test CA certificate and mark it as trusted
+
+```
+mkdir -p demoCA/newcerts
+touch demoCA/index.txt
+echo test | openssl req -x509 \
+    --passout stdin \
+    -subj "/CN=Test CA/O=example/C=DE" \
+    --addext "keyUsage = critical, Certificate Sign, CRL Sign" \
+    -days 36524 \
+    -newkey rsa:2048 \
+    -keyout test-ca.key.pem \
+    -out test-ca.cert.pem
+gpgsm --import test-ca.cert.pem
+gpgsm -k "Test CA" | grep 'sha1 fpr' | sed 's/\s*sha1 fpr:\s*\([0-9A-F].*\)/\1 S relax/' >>trustlist.txt
 ```
-gpgsm --gen-key --batch --pinentry-mode loopback --passphrase "" <<eof | gpgsm --import
+
+### Generate some test keys certified by the Test CA
+
+```
+# Sender with OpenPGP and S/MIME certificate
+gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >sender-mixed.req.pem
 dummy
 Key-Type: RSA
 Key-Length: 2048
 Key-Usage: sign, encrypt
-Serial: random
 Name-DN: CN=Sender Mixed,O=example,C=DE
 Name-Email: sender-mixed@example.net
 eof
-gpgsm -k sender-mixed@example.net | grep 'sha1 fpr' | sed 's/\s*sha1 fpr:\s*\([0-9A-F].*\)/\1 S relax/' >>trustlist.txt
+echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in sender-mixed.req.pem -out sender-mixed.cert.pem
+gpgsm --import sender-mixed.cert.pem
 
-gpgsm --gen-key --batch --pinentry-mode loopback --passphrase "" <<eof | gpgsm --import
+# Sender with S/MIME certificate only
+gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >sender-smime.req.pem
 dummy
 Key-Type: RSA
 Key-Length: 2048
 Key-Usage: sign, encrypt
-Serial: random
 Name-DN: CN=Sender S/MIME,O=example,C=DE
 Name-Email: sender-smime@example.net
 eof
-gpgsm -k sender-smime@example.net | grep 'sha1 fpr' | sed 's/\s*sha1 fpr:\s*\([0-9A-F].*\)/\1 S relax/' >>trustlist.txt
+echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in sender-smime.req.pem -out sender-smime.cert.pem
+gpgsm --import sender-smime.cert.pem
 
-gpgsm --gen-key --batch --pinentry-mode loopback --passphrase "" <<eof | gpgsm --import
+# Recipient with full validity (higher than corresponding OpenPGP key)
+gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >prefer-smime.req.pem
 dummy
 Key-Type: RSA
 Key-Length: 2048
 Key-Usage: sign, encrypt
-Serial: random
 Name-DN: CN=Trusted S/MIME,O=example,C=DE
 Name-Email: prefer-smime@example.net
 eof
-gpgsm -k prefer-smime@example.net | grep 'sha1 fpr' | sed 's/\s*sha1 fpr:\s*\([0-9A-F].*\)/\1 S relax/' >>trustlist.txt
+echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in prefer-smime.req.pem -out prefer-smime.cert.pem
+gpgsm --import prefer-smime.cert.pem
+
+# Recipient with full validity (same as corresponding S/MIME certificate)
+gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >full-validity.req.pem
+dummy
+Key-Type: RSA
+Key-Length: 2048
+Key-Usage: sign, encrypt
+Name-DN: CN=S/MIME w/ same validity as OpenPGP,O=example,C=DE
+Name-Email: full-validity@example.net
+eof
+echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in full-validity.req.pem -out full-validity.cert.pem
+gpgsm --import full-validity.cert.pem
+
+# Recipient with full validity (lower than corresponding OpenPGP key)
+gpgsm --gen-key --armor --batch --pinentry-mode loopback --passphrase "" <<eof >prefer-openpgp.req.pem
+dummy
+Key-Type: RSA
+Key-Length: 2048
+Key-Usage: sign, encrypt
+Name-DN: CN=S/MIME w/ lower validity than OpenPGP,O=example,C=DE
+Name-Email: prefer-openpgp@example.net
+eof
+echo test | openssl ca -config ./openssl.cnf -batch --passin stdin -keyfile test-ca.key.pem -in prefer-openpgp.req.pem -out prefer-openpgp.cert.pem
+gpgsm --import prefer-openpgp.cert.pem
 ```
diff --git a/autotests/fixtures/keyresolvercoretest/test-ca.cert.pem b/autotests/fixtures/keyresolvercoretest/test-ca.cert.pem
new file mode 100644
index 00000000..ca9df492
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/test-ca.cert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIUczUDipiMZzDmfwvNag+mLKccYJMwDQYJKoZIhvcNAQEL
+BQAwMTEQMA4GA1UEAwwHVGVzdCBDQTEQMA4GA1UECgwHZXhhbXBsZTELMAkGA1UE
+BhMCREUwIBcNMjEwMzI5MTEyMTAxWhgPMjEyMTAzMjkxMTIxMDFaMDExEDAOBgNV
+BAMMB1Rlc3QgQ0ExEDAOBgNVBAoMB2V4YW1wbGUxCzAJBgNVBAYTAkRFMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxJyOK+haUrvj3wH94L4iagIzLsMl
+jWFtzKuvP3jTsYDtLocmkL5moXXSbDWUEEGPQOd/DbhQMQAGSCo3AjzoDueBL9Ow
+vihOvueOb7NuZyvTN7TDBfxIjf0CkpYcNv2nYgrtc3eHQF/gTZ8FEH9bJ45Cuwcn
+99FdSHahHStm83u8kntyGYlyvClamMELyO53/6n/yojynPGiQH6WVneRDZk1yvB8
+KDMIReOULqhRMGqHscDW0xTMImSaLbkzGbXd8U15psQaRDrtiYzW8JUiBrtVua5k
+xI8bKAY39xf5VAeROgKE1gTmAnJetUFqDGDYWb3m83O7QSR4gPmG9o/SPwIDAQAB
+o2MwYTAdBgNVHQ4EFgQUZ67yoGh/PbSRt4nV1R1VrMok8+gwHwYDVR0jBBgwFoAU
+Z67yoGh/PbSRt4nV1R1VrMok8+gwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwDQYJKoZIhvcNAQELBQADggEBAEkb7ikFS6UxHca20bKGTVgd9t3OnQ3J
+CGwlyHfqOPFXJrbbQA93FbH3kkVkHQmsdAVvIK6QlmHlTmDsLd0XtV2QE4xg2jWA
+LqDbWu73xalJ1PWgvsTja7SuZSnmGcP2WTKRqNCHozEBHUXKkpTn19tBZLF41gGy
+p/NS5X5baPJWEKJuZtHHga8TdU9tWibsZOJ49xIaEzYjJMvwCVxgHFh9w+rUAkt6
+ICsbC2EFNQyQ4Idd31krxdWzDtl2hkWFxW6DV0nugojIngM0l4IoWBjoyC//zNmV
+o7u4K7Qxdlml92lroXvPXpw+OylHVXL2CdaLhL4SD6UTKi1bPxBO4VY=
+-----END CERTIFICATE-----
diff --git a/autotests/fixtures/keyresolvercoretest/test-ca.cert.srl b/autotests/fixtures/keyresolvercoretest/test-ca.cert.srl
new file mode 100644
index 00000000..a319a290
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/test-ca.cert.srl
@@ -0,0 +1 @@
+60E88D23A52E336FE62EB280A5CE3487ED1A0584
diff --git a/autotests/fixtures/keyresolvercoretest/test-ca.key.pem b/autotests/fixtures/keyresolvercoretest/test-ca.key.pem
new file mode 100644
index 00000000..aadeaacd
--- /dev/null
+++ b/autotests/fixtures/keyresolvercoretest/test-ca.key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI6lSuWSFyetICAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECAybDJXauGYiBIIEyEi3QncuWMTF
+ln/5Ntx2l1FmM0zbHqGx8GPiFtgKmlCgqFvDAjG9I/7CFhEdEDUitaFg4ZLi+Ohe
+0axrVypdVVStSDi+bE6gRkayhBAVOls6U1H3IV0kAetzcB8xI7RS1LscMyq8mQcK
+MlF1ZGixxmFf3jLZKFOsmY/UjXGmCPd5IE1RBJKbJ8wRDkPbavicfxZXmDEN+CDD
+15VCXUh+3or7kviX4B0gLK/HELmmZZ9hKCwpWZqFxRyexFU/PyF9ODBv+wAbd0Bc
+am8ESUf4UU45P8HBD9Zn47Rr7A+AbVQe/cXepIFYe0OinvSjWbc1vfkH95mjkKnI
+/pKuFBkv2zxNY+OKY43+siKv/rbvWbW9n6EYp9UoA8Y4CylOtWbRHlTM3hdhO2NU
+c4EGxKI0EWB5NPSa2meC6q2eKlnvj/r9IFxFI1lZxva/Titb47NevXIlJGjgUdFQ
+6Imz8M69mRl6o9zFj8QiHTzAU6tWjHOH/tu+axjJrg+3NEuj1iZTlSsj0qihskBM
+D2J6qNuQpvVgTd+247vAVX+NK56gcYhewqiV6QuFwBhJpaVt3QwtfQPgtMD6x+iI
+uFUdFnMTG75fOsiBRz6cA3DtFjxaWEHg+7ygvDOtVoYMvTtVTtfmFVsMSAwgeQi9
+P2NYdI9NLrMiK0CVD4C9sZH5Ch9VFW/D83vS+gLT8tL/toNaf9k//eSJShmvBQmp
+b84hN4T9n8VJyDOsBUw5NMODPaLXLKRF2iJefH9BMUV1PmuvCwnseVVbPpOLPIXC
+wkoWh3IEL6+6tPLlp+vccxryE5ngLu36ci/WiBvSmUchAAcxkRyY2B6ks1ZMJWYD
+NbJGotWb1rPhwiuOWjGd68kWYeGQJNwtrU0OtpdsbLsV8zunXPEKbluGKsaHH44l
+CiAZGSWC87AkORzZ4rwJWYKbVD65HaPXVZrESmROlQs9o8dDV002q/ebWrzlXsPB
+6zdh8dTXS0xWROSIj3fkivZzGOJV43X4pDjENfA7xlCBSDRnI0Jt2sMVANSgDYKn
+9SBMHXgqmHOLjoVwTLXzCDwmXSbuNOu0gdLCGdpeF46Uro5l661lS4zmzakwapN8
+gubkgCwRP+6Dz32fyTR+sq13Z5cuCFpmg7GaFfZSnYHyPbgwTD5BUqrdKCAikqS3
+br+FPz+iUSzLZ0UbJ+HzD1ah8wW7MREwBKCcQ7G2s9fCsQtgMekGS0NWzkZ/erLI
+1oTQz90mOoGdofLzko/m6/q8ux5qw/g5evpumL06DmpYT0mf+w/rwGB0ZqBgsUsB
+thlsG/qs8S265ZLT0wJFBhB4ExMfGkEflCUOBh2qKMz7upYvvi+wmzSgp2mojyWn
+KI6nqggC13ztmkVW+/6yyllzVUiv/2Gn2xL8I9IjCLuCiJrDtxsa5T/8BVZHyrM3
+F19fV+t61WsWCg16gQ0ReGUYgUtLzF0cs3rpj/yKbTkIY5Xnhk0VcBkTZDLhZeq/
+VKVT7GqbQcpHnm69hFi3ilF3TMifxD12as4zIersvlz2LkbwQ4I/I5rYgR2mbPvC
+y4yVJJw5BtBgd9NTGazmuFyBv5fMMuUfu/KpsOe8MzCqA2pb0RITbpRDaEC93ZBz
+EnIXia+PTQM2RrUtnO+8HQ==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/autotests/fixtures/keyresolvercoretest/trustdb.gpg b/autotests/fixtures/keyresolvercoretest/trustdb.gpg
index 10aa26f0..225265a1 100644
Binary files a/autotests/fixtures/keyresolvercoretest/trustdb.gpg and b/autotests/fixtures/keyresolvercoretest/trustdb.gpg differ
diff --git a/autotests/fixtures/keyresolvercoretest/trustlist.txt b/autotests/fixtures/keyresolvercoretest/trustlist.txt
index 1e19e32d..2e43bb57 100644
--- a/autotests/fixtures/keyresolvercoretest/trustlist.txt
+++ b/autotests/fixtures/keyresolvercoretest/trustlist.txt
@@ -1,3 +1 @@
-60:E1:96:4D:9C:EA:44:8E:76:E7:66:42:47:3D:56:7F:FE:95:8E:8A S relax
-06:A2:67:BE:B6:04:6A:13:DC:D2:26:56:A6:F4:9D:8B:6E:B3:7A:16 S relax
-B8:26:00:8F:4F:5E:8A:86:E3:8A:CD:45:AF:FC:81:AD:01:36:BD:A0 S relax
+C8:1E:8B:B6:63:99:E4:01:C5:AF:33:7A:68:D5:71:07:C6:CC:95:AC S relax
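Review bot: The single remaining trust anchor carries no comment saying what it is, and per the readme in this commit it is presumably the "Test CA" root, whose private key (`test-ca.key.pem`) and passphrase (`echo test | openssl ... --passout stdin`) are both published in the repository. Anyone who copies this line into a real `trustlist.txt` would trust a CA that anybody can issue certificates from. I would put a comment line above the entry, e.g. `# Test CA for keyresolvercoretest only - CA key and passphrase are public, never add to a real trustlist.txt`. The trustlist format ignores lines starting with `#`, so this does not affect the fixture.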
diff --git a/autotests/keyresolvercoretest.cpp b/autotests/keyresolvercoretest.cpp
index f23b55b9..c4d14a45 100644
--- a/autotests/keyresolvercoretest.cpp
+++ b/autotests/keyresolvercoretest.cpp
@@ -1,216 +1,235 @@
 /*
     autotests/keyresolvercoretest.cpp
 
     This file is part of libkleopatra's test suite.
     SPDX-FileCopyrightText: 2021 g10 Code GmbH
     SPDX-FileContributor: Ingo Klöcker <dev@ingo-kloecker.de>
 
     SPDX-License-Identifier: GPL-2.0-or-later
 */
 
 #include <Libkleo/KeyCache>
 #include <Libkleo/KeyResolverCore>
 
 #include <QObject>
 #include <QTest>
 
 #include <gpgme++/key.h>
 
 #include <memory>
 
 using namespace Kleo;
 using namespace GpgME;
 
 class KeyResolverCoreTest: public QObject
 {
     Q_OBJECT
 private Q_SLOTS:
     void init()
     {
         mGnupgHome = QTest::qExtractTestData("/fixtures/keyresolvercoretest");
         qputenv("GNUPGHOME", mGnupgHome->path().toLocal8Bit());
 
         // hold a reference to the key cache to avoid rebuilding while the test is running
         mKeyCache = KeyCache::instance();
     }
 
     void cleanup()
     {
         // verify that nobody else holds a reference to the key cache
         QVERIFY(mKeyCache.use_count() == 1);
         mKeyCache.reset();
 
         mGnupgHome.reset();
     }
 
     void test_verify_test_keys()
     {
         {
             const Key openpgp = testKey("sender-mixed@example.net", OpenPGP);
             QVERIFY(openpgp.hasSecret() && openpgp.canEncrypt() && openpgp.canSign());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Ultimate);
             const Key smime = testKey("sender-mixed@example.net", CMS);
             QVERIFY(smime.hasSecret() && smime.canEncrypt() && smime.canSign());
-            QCOMPARE(smime.userID(0).validity(), UserID::Ultimate);
+            QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
         {
             const Key openpgp = testKey("sender-openpgp@example.net", OpenPGP);
             QVERIFY(openpgp.hasSecret() && openpgp.canEncrypt() && openpgp.canSign());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Ultimate);
         }
+        {
+            const Key smime = testKey("sender-smime@example.net", CMS);
+            QVERIFY(smime.hasSecret() && smime.canEncrypt() && smime.canSign());
+            QCOMPARE(smime.userID(0).validity(), UserID::Full);
+        }
         {
             const Key openpgp = testKey("prefer-openpgp@example.net", OpenPGP);
             QVERIFY(openpgp.canEncrypt());
+            QCOMPARE(openpgp.userID(0).validity(), UserID::Ultimate);
+            const Key smime = testKey("prefer-openpgp@example.net", CMS);
+            QVERIFY(smime.canEncrypt());
+            QCOMPARE(smime.userID(0).validity(), UserID::Full);
+        }
+        {
+            const Key openpgp = testKey("full-validity@example.net", OpenPGP);
+            QVERIFY(openpgp.canEncrypt());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Full);
+            const Key smime = testKey("full-validity@example.net", CMS);
+            QVERIFY(smime.canEncrypt());
+            QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
         {
             const Key openpgp = testKey("prefer-smime@example.net", OpenPGP);
             QVERIFY(openpgp.canEncrypt());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Marginal);
             const Key smime = testKey("prefer-smime@example.net", CMS);
             QVERIFY(smime.canEncrypt());
-            QVERIFY(smime.userID(0).validity() >= UserID::Full);
+            QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
     }
 
     void test_openpgp_is_used_if_openpgp_only_and_smime_only_are_both_possible()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const bool success = resolver.resolve();
 
         QVERIFY(success);
         QCOMPARE(resolver.signingKeys().value(OpenPGP).size(), 1);
         QCOMPARE(resolver.signingKeys().value(OpenPGP)[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(resolver.signingKeys().value(CMS).size(), 0);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).value("sender-mixed@example.net").size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(resolver.encryptionKeys().value(CMS).size(), 0);
     }
 
     void test_openpgp_is_used_if_openpgp_only_and_smime_only_are_both_possible_with_preference_for_openpgp()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setPreferredProtocol(OpenPGP);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const bool success = resolver.resolve();
 
         QVERIFY(success);
         QCOMPARE(resolver.signingKeys().value(OpenPGP).size(), 1);
         QCOMPARE(resolver.signingKeys().value(OpenPGP)[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(resolver.signingKeys().value(CMS).size(), 0);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).value("sender-mixed@example.net").size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(resolver.encryptionKeys().value(CMS).size(), 0);
     }
 
     void test_smime_is_used_if_openpgp_only_and_smime_only_are_both_possible_with_preference_for_smime()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setPreferredProtocol(CMS);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const bool success = resolver.resolve();
 
         QVERIFY(success);
         QCOMPARE(resolver.signingKeys().value(OpenPGP).size(), 0);
         QCOMPARE(resolver.signingKeys().value(CMS).size(), 1);
         QCOMPARE(resolver.signingKeys().value(CMS)[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).size(), 0);
         QCOMPARE(resolver.encryptionKeys().value(CMS).size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(CMS).value("sender-mixed@example.net").size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(CMS).value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
     }
 
-    void test_in_mixed_mode_smime_key_with_higher_validity_is_preferred_over_openpgp_key()
+    void test_in_mixed_mode_keys_with_higher_validity_are_preferred()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false);
-        resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net", "prefer-smime@example.net"});
+        resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net", "prefer-openpgp@example.net", "prefer-smime@example.net"});
 
         const bool success = resolver.resolve();
 
         QVERIFY(success);
-        QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).size(), 3);
+        QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).size(), 4);
         QVERIFY(resolver.encryptionKeys().value(UnknownProtocol).contains("sender-openpgp@example.net"));
         QVERIFY(resolver.encryptionKeys().value(UnknownProtocol).contains("sender-smime@example.net"));
+        QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).value("prefer-openpgp@example.net").size(), 1);
+        QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).value("prefer-openpgp@example.net")[0].primaryFingerprint(),
+                 testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).value("prefer-smime@example.net").size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).value("prefer-smime@example.net")[0].primaryFingerprint(),
                  testKey("prefer-smime@example.net", CMS).primaryFingerprint());
     }
 
     void test_encryption_keys_result_has_no_entry_for_unresolved_recipients()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false);
         resolver.setRecipients({"prefer-smime@example.net", "unknown@example.net"});
 
         const bool success = resolver.resolve();
 
         QVERIFY(!success);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).size(), 1);
         QVERIFY(resolver.encryptionKeys().value(OpenPGP).contains("prefer-smime@example.net"));
         QVERIFY(!resolver.encryptionKeys().value(OpenPGP).contains("unknown@example.net"));
         QCOMPARE(resolver.encryptionKeys().value(CMS).size(), 1);
         QVERIFY(resolver.encryptionKeys().value(CMS).contains("prefer-smime@example.net"));
         QVERIFY(!resolver.encryptionKeys().value(CMS).contains("unknown@example.net"));
     }
 
     void test_overrides_openpgp()
     {
         const QString override = testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setOverrideKeys({{OpenPGP, {{QStringLiteral("Needs to be normalized <sender-mixed@example.net>"), {override}}}}});
 
         const bool success = resolver.resolve();
 
         QVERIFY(success);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).value("sender-mixed@example.net").size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(OpenPGP).value("sender-mixed@example.net")[0].primaryFingerprint(), override);
     }
 
     void test_overrides_smime()
     {
         const QString override = testKey("prefer-smime@example.net", CMS).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setPreferredProtocol(CMS);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setOverrideKeys({{CMS, {{QStringLiteral("Needs to be normalized <sender-mixed@example.net>"), {override}}}}});
 
         const bool success = resolver.resolve();
 
         QVERIFY(success);
         QCOMPARE(resolver.encryptionKeys().value(CMS).size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(CMS).value("sender-mixed@example.net").size(), 1);
         QCOMPARE(resolver.encryptionKeys().value(CMS).value("sender-mixed@example.net")[0].primaryFingerprint(), override);
     }
 
 private:
     Key testKey(const char *email, Protocol protocol = UnknownProtocol)
     {
         const std::vector<Key> keys = KeyCache::instance()->findByEMailAddress(email);
         for (const auto &key: keys) {
             if (protocol == UnknownProtocol || key.protocol() == protocol) {
                 return key;
             }
         }
         return Key();
     }
 
 private:
     QSharedPointer<QTemporaryDir> mGnupgHome;
     std::shared_ptr<const KeyCache> mKeyCache;
 };
 
 QTEST_MAIN(KeyResolverCoreTest)
 #include "keyresolvercoretest.moc"
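Review bot: The equal-validity case is not exercised by any resolver test in this hunk. `full-validity@example.net` is added to `test_verify_test_keys` with both its OpenPGP key and its S/MIME certificate at `UserID::Full`, but `test_in_mixed_mode_keys_with_higher_validity_are_preferred` only covers recipients where one side is strictly higher. Which protocol wins on a tie decides how the message to that recipient is encrypted, so it should be pinned by a test rather than left to lookup order. A separate test along the lines below would do it; the expected protocol is a placeholder to be set from KeyResolverCore's intended tie-break rule, which is not visible here.

```cpp
    void test_in_mixed_mode_choice_is_pinned_for_keys_with_same_validity()
    {
        KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false);
        // presumably the two single-protocol recipients are what forces mixed mode, as in the test above
        resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net", "full-validity@example.net"});

        const bool success = resolver.resolve();

        QVERIFY(success);
        QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).value("full-validity@example.net").size(), 1);
        // TODO(review): replace OpenPGP with the protocol the resolver is meant to pick on a tie
        QCOMPARE(resolver.encryptionKeys().value(UnknownProtocol).value("full-validity@example.net")[0].primaryFingerprint(),
                 testKey("full-validity@example.net", OpenPGP).primaryFingerprint());
    }
```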
diff --git a/autotests/keyresolvercoretest.qrc b/autotests/keyresolvercoretest.qrc
index 8a600c6f..89c8ef87 100644
--- a/autotests/keyresolvercoretest.qrc
+++ b/autotests/keyresolvercoretest.qrc
@@ -1,21 +1,20 @@
 <!DOCTYPE RCC>
 <RCC version="1.0">
     <qresource>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/F769B16A6206E8F17D0AFB99EDB44BE813943A2C.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/029551BEA335EC0F84109F1EDD23E0FA44FEB336.key</file>
         <file>fixtures/keyresolvercoretest/private-keys-v1.d/07E5EE9F946A1760EC7E3DEC3E8665415BF8E5F0.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/A4E6D1CEBA63087E47B84863BF16D8E81F0B7629.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/4205C2F4EC7F5C7FBD175C5025A74E374E768B17.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/82E263F0451C25D17100C2BAC06F1867B9E183E1.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/878E0CC6690155A5B79124D0F79D0363B6E41E4B.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/8CD2635EB4B7766E0C174E62853FCE072795D304.key</file>
         <file>fixtures/keyresolvercoretest/private-keys-v1.d/93FBC8415935DD866AEAE179D70A58B1BEE7EA85.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/B9E7A40AA2CE1512A3270374D05AB0A74F98E54E.key</file>
         <file>fixtures/keyresolvercoretest/private-keys-v1.d/9A54238A5B7D396D48A584255A1DE5622FBF8B99.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/029551BEA335EC0F84109F1EDD23E0FA44FEB336.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/4205C2F4EC7F5C7FBD175C5025A74E374E768B17.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/A4E6D1CEBA63087E47B84863BF16D8E81F0B7629.key</file>
         <file>fixtures/keyresolvercoretest/private-keys-v1.d/B185B49FC722A9C92F8C2C30438BA225363F0A6B.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/8CD2635EB4B7766E0C174E62853FCE072795D304.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/0B767151C33FEE7708F7035860A4D2025C801000.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/068B3A87EB6029DC958371D42A8CF22913F792BA.key</file>
-        <file>fixtures/keyresolvercoretest/private-keys-v1.d/2B38646AEC0F0D6AE2EEF714963722C0E58BF95F.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/B9E7A40AA2CE1512A3270374D05AB0A74F98E54E.key</file>
+        <file>fixtures/keyresolvercoretest/private-keys-v1.d/F769B16A6206E8F17D0AFB99EDB44BE813943A2C.key</file>
         <file>fixtures/keyresolvercoretest/pubring.kbx</file>
         <file>fixtures/keyresolvercoretest/trustdb.gpg</file>
         <file>fixtures/keyresolvercoretest/trustlist.txt</file>
     </qresource>
 </RCC>
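Review bot: The `private-keys-v1.d/` entries are still a bare list of keygrips, so after this hunk removes three of them and adds two, a reader cannot tell which test identity or protocol each bundled secret key belongs to. Nor can they confirm that only throwaway fixture keys end up in the test resources. A short comment above the list would document that, for example `<!-- Secret keys of the test identities in pubring.kbx, sorted by keygrip; test-only material, keep in sync with fixtures/keyresolvercoretest/private-keys-v1.d/ -->`, ideally followed by a keygrip-to-identity mapping. Whether the three dropped `.key` files were also deleted from the fixture directory is not visible in this hunk. If they were not, they would linger unused, which is worth checking.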