Generating the certs was very much trial and error. The net of a thousand lies may have led me astray a bit in that it may be possible to do this all with gpgsm and avoid the dependency on openssl. On the other hand, some tests is better than no tests.