diff --git a/.tool-versions b/.tool-versions
index 81a1df3..9fdaa96 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1,2 @@
 erlang 21.3.8
-rebar 3.9.1
+ruby 2.6.3
diff --git a/.travis.yml b/.travis.yml
index 5ad95be..d2d8a3a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,6 +3,15 @@ language: erlang
 otp_release:
   - 21.3.8
 
+ruby:
+  - 2.6.3
+
+install:
+  - "rebar3 as test get-deps"
+  - "/bin/bash -l -c \"cd apps/epp_proxy/priv/test_backend_app && bundle install\""
+
 script:
-  - "rebar3 ct --sys_config config/test.config --readable=false --cover --verbose=true"
+  - "/bin/bash -l -c \"cd apps/epp_proxy/priv/test_backend_app && bundle exec rackup -D\""
+  - "rebar3 as test compile"
+  - "DEBUG=1 rebar3 ct --sys_config config/test.config --readable=false --cover --verbose=true"
   - "rebar3 cover --verbose"
diff --git a/Dockerfile b/Dockerfile
index 7a9d07e..c4fcd8e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,6 +54,8 @@ WORKDIR /opt/erlang/epp_proxy
 COPY .tool-versions ./
 RUN asdf plugin-add erlang
 RUN asdf install
+RUN asdf plugin-add ruby
+RUN asdf install
 
 RUN curl https://s3.amazonaws.com/rebar3/rebar3 -o /rebar3
 RUN mv /rebar3 /usr/local/bin
diff --git a/apps/epp_proxy/priv/test_backend_app/Gemfile b/apps/epp_proxy/priv/test_backend_app/Gemfile
new file mode 100644
index 0000000..8f5818a
--- /dev/null
+++ b/apps/epp_proxy/priv/test_backend_app/Gemfile
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gem "puma"
+gem "roda"
+gem "rack-unreloader"
+gem "tilt"
diff --git a/apps/epp_proxy/priv/test_backend_app/Gemfile.lock b/apps/epp_proxy/priv/test_backend_app/Gemfile.lock
new file mode 100644
index 0000000..082e166
--- /dev/null
+++ b/apps/epp_proxy/priv/test_backend_app/Gemfile.lock
@@ -0,0 +1,23 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    nio4r (2.4.0)
+    puma (4.0.0)
+      nio4r (~> 2.0)
+    rack (2.0.7)
+    rack-unreloader (1.7.0)
+    roda (3.21.0)
+      rack
+    tilt (2.0.9)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  puma
+  rack-unreloader
+  roda
+  tilt
+
+BUNDLED WITH
+   1.17.2
diff --git a/apps/epp_proxy/priv/test_backend_app/backend_server.rb b/apps/epp_proxy/priv/test_backend_app/backend_server.rb
new file mode 100644
index 0000000..c72e8cc
--- /dev/null
+++ b/apps/epp_proxy/priv/test_backend_app/backend_server.rb
@@ -0,0 +1,37 @@
+require 'roda'
+
+class BackendServer < Roda
+  plugin :render
+
+  route do |r|
+    response['Content-Type'] = 'application/xml'
+    random_number = rand(2)
+    @success = random_number == 1
+
+    r.on "session" do
+      r.get "hello" do
+        render("session/hello")
+      end
+
+      r.post "login" do
+        if @success
+          render("session/login_successful")
+        else
+          render("session/login_failed")
+        end
+      end
+
+      r.post "logout" do
+      end
+    end
+
+    r.on "command" do
+      r.post "create" do
+      end
+
+    end
+
+    r.on "error" do
+    end
+  end
+end
diff --git a/apps/epp_proxy/priv/test_backend_app/config.ru b/apps/epp_proxy/priv/test_backend_app/config.ru
new file mode 100644
index 0000000..313f480
--- /dev/null
+++ b/apps/epp_proxy/priv/test_backend_app/config.ru
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "rack/unreloader"
+
+Unreloader = Rack::Unreloader.new() { BackendServer }
+Unreloader.require("backend_server.rb") { "BackendServer" }
+
+run(Unreloader)
diff --git a/apps/epp_proxy/priv/test_backend_app/views/session/hello.erb b/apps/epp_proxy/priv/test_backend_app/views/session/hello.erb
new file mode 100644
index 0000000..02373ba
--- /dev/null
+++ b/apps/epp_proxy/priv/test_backend_app/views/session/hello.erb
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="lib/schemas/epp-ee-1.0.xsd">
+    <greeting>
+        <svID>EPP server (EIS)</svID>
+        <svDate>2019-07-11T09:35:29Z</svDate>
+        <svcMenu>
+            <version>1.0</version>
+            <lang>en</lang>
+            <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
+            <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
+            <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
+            <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
+            <svcExtension>
+                <extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
+                <extURI>https://epp.tld.ee/schema/eis-1.0.xsd</extURI>
+            </svcExtension>
+        </svcMenu>
+        <dcp>
+            <access>
+                <all/>
+            </access>
+            <statement>
+                <purpose>
+                    <admin/>
+                    <prov/>
+                </purpose>
+                <recipient>
+                    <public/>
+                </recipient>
+                <retention>
+                    <stated/>
+                </retention>
+            </statement>
+        </dcp>
+    </greeting>
+</epp>
diff --git a/apps/epp_proxy/priv/test_ca/certs/apache.crt b/apps/epp_proxy/priv/test_ca/certs/apache.crt
new file mode 100644
index 0000000..60874ec
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/certs/apache.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFPTCCAyWgAwIBAgIJAIcovwhumxzlMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
+VQQGEwJFRTERMA8GA1UECAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xIzAh
+BgNVBAoMGkVlc3RpIEludGVybmV0aSBTaWh0YXN1dHVzMRowGAYDVQQDDBFlcHBf
+cHJveHkgdGVzdCBjYTEgMB4GCSqGSIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUw
+HhcNMTkwNzExMTM0MTQyWhcNMjkwNzA4MTM0MTQyWjCBkjELMAkGA1UEBhMCRUUx
+ETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMRkwFwYDVQQKDBBF
+ZXN0aUludGVybmV0aVNBMRAwDgYDVQQLDAdBcmVuZHVzMSAwHgYJKoZIhvcNAQkB
+FhFoZWxsb0BpbnRlcm5ldC5lZTEPMA0GA1UEAwwGKi50ZXN0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqoZLIpFR96bIwxk9GvzTeTnsPMpTJ/fI+SWX
+Qh5UflAIG74Hl+aBW+k8jIZ+VxwXwn7uwY7fdtemu9CzCqYK4pqZg168IEC00Vne
+C7gifaMWgBd/DNiv3FafNpTihdMZrZi8xLJIuNw8XLaDebGQrrfOWw1Cewum/MJa
+IFnIBttsBq+jFwKtAJ9RgNg6Ul2xOGpqtrLmU21HmIzm9hqbeaWINIX1QDVC2ZWd
+gVXgoEID/RLUc8A+riVUdaKzG9kCrtuzGO8PhXoF5BJWtsrAcYFQev3jVRKplSFh
+whijh2MY14qA21wseNMF7+fSCjhuvEomxpzNQSH0UADHW0p17wIDAQABo4GQMIGN
+MB8GA1UdIwQYMBaAFP135kpzvaU8ZbO5z7UVlVkIZGgQMAkGA1UdEwQCMAAwCwYD
+VR0PBAQDAgTwMFIGA1UdEQRLMEmCBHRlc3SCDXJlZ2lzdHJ5LnRlc3SCDGF1Y3Rp
+b24udGVzdIIPcmVzdC13aG9pcy50ZXN0gghlcHAudGVzdIIJcmVwcC50ZXN0MA0G
+CSqGSIb3DQEBCwUAA4ICAQBvi2Uy0iYuMWyS8hdZOvp3jdTqq/HI0JfFlT5YUwv0
+ezkjyBLw4A9+dMvy8HELyzhUeHd09nmB+/TJ9RWQBCgIcHilQ5nFXd0h5hNX+rtC
+kdDd8x9QRBHN82EFIwXQ6/FXLz92DZ4Z5ZQOEGM5AFi02GwFI9fhvZg2vGL3aD5Q
+2V4OPulECPgVR/U6kbXQz6/Rg9DXbbMgHukLuglFIj3+dtvepp6DXYNZz6AhM64E
+4/K/55yKKFKRvOzw+K+CIX3qytTvYDutDfCA593Dp2BXjMb9CVGN+nKZr9sVrDlt
+qR9ya04MK/Ti0Nk8NN3ZHRASUJU3xk06/KriOj5tvVRgcqn/Jfh1JhOSULrKdx8B
+4u53pRn1SCCCWiXvUAnJL3TAi6TaXKoFN6GxQZMBCl0U0wQ2XIYOCzBs74YkWqOM
+1Mgq2dcX3m8GlZWzkKExc1wM+MlUmk0et8vJIgrTcIQGw0fn/TdvWy+iLNNYp0P9
+YkB0rGqN0KwkAHhKt+BrRtRHkEOxQcumgvLDkwTZpAJsbrPDMOajbzwpgwSQOE1i
+Z+RuZQktmZVJNJ3NPwloHZBolMnb9zDg3k3GP9+Lh1k6pDiFCf1A1QZKl52h3+kG
+IDFPCaoYexOLN86ebApMWglxPPvPnfQpi9F+PWYjR02DbgSWR+/EGxygOnzjOYmS
+gQ==
+-----END CERTIFICATE-----
diff --git a/apps/epp_proxy/priv/test_ca/certs/ca.crt.pem b/apps/epp_proxy/priv/test_ca/certs/ca.crt.pem
new file mode 100644
index 0000000..f03e09f
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/certs/ca.crt.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGDDCCA/SgAwIBAgIJAKaLNUIy97o1MA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
+VQQGEwJFRTERMA8GA1UECAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xIzAh
+BgNVBAoMGkVlc3RpIEludGVybmV0aSBTaWh0YXN1dHVzMRowGAYDVQQDDBFlcHBf
+cHJveHkgdGVzdCBjYTEgMB4GCSqGSIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUw
+HhcNMTkwNzExMTMwMDEzWhcNMjAwNzEwMTMwMDEzWjCBlTELMAkGA1UEBhMCRUUx
+ETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYDVQQHDAdUYWxsaW5uMSMwIQYDVQQKDBpF
+ZXN0aSBJbnRlcm5ldGkgU2lodGFzdXR1czEaMBgGA1UEAwwRZXBwX3Byb3h5IHRl
+c3QgY2ExIDAeBgkqhkiG9w0BCQEWEWhlbGxvQGludGVybmV0LmVlMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0PBwqZUeXZaR3mk3VTm7S78Xs4WDCfyi
+RocHDU7cWhrBvFD5ZXzmbUJPPJHmljYAOLWLEyMzw0bvYVz2FSOCkBerxGFA4T17
+RhjDEAmMMWiBAoFj6tNmxj3bq7nZfwaOY6KIxGiZcqx4usOQ3tQ+cxvrqzFVyX24
+KScmx4l2HlmJu2boF8/C4LSYvGPys+2WKXlLr73gL+cmM7Z2Y+mNgURCKT9ODpFp
+VdX9iTpmnF0UFmYq/cN8QFSNv0ErsMFDZWxAnDoy6gZzsUz3ZnznOdjB96PFV9aA
+Rm5BYr7jMhu7rJPOyQNd9SfD6QhlyCSjd68p6nMFvYLG5lL5QxJSTotr3VuH1uqJ
+kfFwlMPJZAj/SmFUnoIvWGCyujqx6ajVX8zBvmcalSp35LyDDCnlohorUuP9TNrI
+U+k/Ap6vxfxSSIOPhq6BoFxMYASp8jo+8HdFOWce5krQh/h3vvEhu015yEXH4Vgb
+6lL+nvUex35He1IQFERvRSj5IB1Yw6HpwYb7LIfjXYsfas3FuSxXz9Geb23dybYd
+2MlmKeGvTyjM60BNW2ZKKQ00KgnqR62bPALbDZ/AnkzxnLd7NLVqKiSBzOOkZfaO
+V7hDD78VzSklA2cSV1qaBPHUW4AgQkmDJIF/1H/K9nN/F6OWKSJ0Ug3XGwDjY3Ry
+X//K+E1UNWMCAwEAAaNdMFswHQYDVR0OBBYEFP135kpzvaU8ZbO5z7UVlVkIZGgQ
+MB8GA1UdIwQYMBaAFP135kpzvaU8ZbO5z7UVlVkIZGgQMAwGA1UdEwQFMAMBAf8w
+CwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQDF3s887Qj2eLeJln1Z/Nem
+ZR2tj0PvYEHEYKq9R8N8IM1ooZt475MgyYo7XDPcuG3MMaGY9WdjqoXlWSM7T518
+U9ajFLqwNEnlfjZ33SdVDskfoRsKiDKUlvTNngn19KtAp3SBmQS6fgghlgha3tb+
+W1fOgzCRwaVG4XcQfR+wijSSovFOp+5CY/FL6XUwtFCz4ZwnHgXciG91SjhEPB+J
+P8iHFr4f0qV4kKv0hPfjQ7tneeho0AzI4BXOgbRJmur6+SP/gmsgBeKr1sUHuD+d
+nIAlz4T2reV8FujcW3u8yT4PFIhi0mdnXKC6xKDFlmD9AQa7eUO1DHJiSZ7zAsLS
+drsqMu3GhM70Uw0Oqv2aInv8N4vwF6CJ6p/wEUXTVjkjH3U/ZzuOGcl1/5sAao0r
+APwRazSMcqrjc+JicpFZ6NGTwTs0G6KD0dqhhqoyoZzB/1UDR2cG5SsgSTqBUeGb
+0VMW4EYU+DG1HV+OdNrFA0RgDn5o0VF3LxwAs5ErItlojFPeBDYMJvPGsMEarNHN
+03JeeEK081gzLJQzFPQV1n6kE6CiGGTx4X3ptUtvvQBD/u6KNUwN5b6p5jOQBEdZ
+F4PJOVZePI/dBHr98/jlcHfCOmySc+7uzPhB86OtdF/yYabImpvQ0cypZkXwzL6l
+VgOJJfHQrIhSmCRVxCEJoQ==
+-----END CERTIFICATE-----
diff --git a/apps/epp_proxy/priv/test_ca/certs/ca.srl b/apps/epp_proxy/priv/test_ca/certs/ca.srl
new file mode 100644
index 0000000..7c1fd1b
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/certs/ca.srl
@@ -0,0 +1 @@
+8728BF086E9B1CE5
diff --git a/apps/epp_proxy/priv/test_ca/certs/webclient.crt.pem b/apps/epp_proxy/priv/test_ca/certs/webclient.crt.pem
new file mode 100644
index 0000000..cc960f5
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/certs/webclient.crt.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGIjCCBAqgAwIBAgICEAcwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVF
+MREwDwYDVQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwa
+RWVzdGkgSW50ZXJuZXRpIFNpaHRhc3V0dXMxGjAYBgNVBAMMEWVwcF9wcm94eSB0
+ZXN0IGNhMSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZTAeFw0xOTA3
+MTExMzQxMDNaFw0yOTA3MDgxMzQxMDNaMIGFMQswCQYDVQQGEwJFRTERMA8GA1UE
+CAwISGFyanVtYWExIzAhBgNVBAoMGkVlc3RpIEludGVybmV0aSBTaWh0YXN1dHVz
+MRwwGgYDVQQDDBNsb2NhbGhvc3Qgd2ViY2xpZW50MSAwHgYJKoZIhvcNAQkBFhFo
+ZWxsb0BpbnRlcm5ldC5lZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AJ69aNDgwI4bFSDoMB6WEqL7/zcMBQnVPj3fYEBLYxpo9TEvFlkybgs2JncC5tgW
+biIoE7fE/ObNt0bLnY/IKdRnMmOltnttbcAO/WmKQE2PPv/VVfGrfHi68IuVEN2b
+E9YZ7GNp3cudKl4dpGW6VQkyP9Kp2Gxa3a0+2WecSNrESNXzTWre9MRI0upjIwCD
+HZ9ip/4F6Lg0Z4zBa7rKXqRqR7rw8YM2LN9UvmBL6feCQdKExaJqAx0bp6ychwti
+s78tOVX47pdQxL3rRPmBuXjWMjpbSAPEdL/LhAh7LpD4EJk50s1K6qq8EZPCagta
+Crws2qu89MPD8MekIiM3Ygm+ouZbqySBjCHlSlVbLQ2aCpMHlSdaPWskYSJ1IXlb
+lqhdgIrUehfuthR/znFZ/L6Fkqzg0MauaF7aqsrg0UAuBrZ6TOxBZLCuftPnY8qN
+BUyEveKGI5Rij3JMaLuT9samBScbrOncWngFIsDrCUqpGNzkEIZQgECJtcKz1UW0
+RaXOibO3KQ8PMAlwGTQFqwg6VBdH1YxmnAlunvgh/biBV6vZWLeZWpN3bx1o6FcN
+30W44WQ7Hqrs58Qqq9pdlW4252iQ9XpVYP1Ps7adv9BoNX9pTxH7THUEo1y/wehh
+DcQ1FnuFAMeWGU2FpBwxBasiJTBCoWQp8zMlI+4ws7V7AgMBAAGjgYkwgYYwCQYD
+VR0TBAIwADALBgNVHQ8EBAMCBeAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2Vu
+ZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT7jUyzkYvC9H8s8kS7lr4jp4C9
+DjAfBgNVHSMEGDAWgBT9d+ZKc72lPGWzuc+1FZVZCGRoEDANBgkqhkiG9w0BAQsF
+AAOCAgEAwNXs6lvOexo/pmSzU1fqokxfxHbOSqxhH1R7x0+sfY6YufJmp2yhvb1j
+Kbw/YzVhxDA4UpcwS3Cm703tb4K9Lby6DWOlaIniqEIyctldNbK8ZUPLOMCDe9mx
+G4U366KtVqWt/rC7CZmDSIz8I0tXzIrMOM3xY51PY62xz8IDIILC0xkzUz30Set2
+IjwWQzzfakrE+xz9rdCX//BP3kyr3+HP9Aq7DJ7mxnzlV0YmdT6kyhVTSc3Im4eG
+GbtrFqLbb1AeX3tBpT/2gUuxRgYVVpY3oqVLBQMuUil1LnBH6JyO61KAgAYijwwP
+gOwmp7mE9QuIpXY8Sm2+Cre4MXBqdzybJ5syyI985bp9BT0EEXuCO2cKNzUMEOub
+FuNkIezW4FyApU5wdA6kn7mwELAk01hAQirh7+FQxGXAfZfTs4Bwg3F43t7KSdbO
+ayjKLYg7sS+yAMsSxUMkji0fKdal6Vq1qViKSOHV/85Ou2xa9pYFpv8jypJ2igF8
+LYREauAQiSMQTi5u2/pUqmPEUpC9mUjgRmoDnlHoKHM+Ma88NdpPHHdrFH4pEPVZ
+ul9kwg3yLbfeO1UECtdv79j5j6yS4OUxnNErqdvoFYlQfc8DOHgB853Ym0iOBEQ/
+KDNiD159/hn20mgmc5LMwY0+aPOanJpZ30AHOA9/yLpIE0/VkN0=
+-----END CERTIFICATE-----
diff --git a/apps/epp_proxy/priv/test_ca/crl/crl.pem b/apps/epp_proxy/priv/test_ca/crl/crl.pem
new file mode 100644
index 0000000..7efffce
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/crl/crl.pem
@@ -0,0 +1,21 @@
+-----BEGIN X509 CRL-----
+MIIDfTCCAWUCAQEwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVFMREwDwYD
+VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg
+SW50ZXJuZXRpIFNpaHRhc3V0dXMxGjAYBgNVBAMMEWVwcF9wcm94eSB0ZXN0IGNh
+MSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZRcNMTkwNzExMTMxMTM0
+WhcNMjkwNzA4MTMxMTM0WjBpMBMCAhACFw0xOTA1MjkwNjM5MTJaMBMCAhADFw0x
+OTA1MjkwODQxMDJaMBMCAhAEFw0xOTA1MzExMTI0NTJaMBMCAhAFFw0xOTA1MzEx
+MTQyMjJaMBMCAhAGFw0xOTA1MzExMjQzNDlaoDAwLjAfBgNVHSMEGDAWgBT9d+ZK
+c72lPGWzuc+1FZVZCGRoEDALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQADggIB
+ACv4opvBcQoCEkiKhVlr5bSq0vAVaTu1FloKTay0xsgDGSqQDnPR/B7ELSyoYo2A
+iBuSrQREyvXOtZhlQyTHwCDnAjpgGDGdRbRJAhhbWA9/MC4oqyJLjOFxLspX2S7E
+Fq4F/DbUZaW8niGGCcAUf8QnilaJLEhUT7qIJW2DpyFLd/1qLK81PBO8VW4fbKQI
+z2LsrA3NijW+W192LMvHLKnE47ifW1PLM0dJimkVNrkS42ACuwnCOLfLJsIg9aRe
+QsI1CY+L1F2tROedUFo6noffnm+SyMapna4SEXlQTaA1kfLtLOGVhXpBAgcewIsY
+DQQCTn4oEAhZroZMPYJXYXC/pNSMUEBifXR2akO7eE5kLBgf11ZfhuEUqperviiJ
+yLNzoakh3eMazIo5Qr8ZinMWP8HHZJI8GmOvJtVKAvOFmXkVm++Cnl/Ovp8skrTD
+AibySMZSTgoAc+ynZYI5q6HZxJWXN/PQ/++hFyOW9aG1DTLGpV6rO+O4zNldmUIO
+DTu+dUmKNamp1a6GcaY5xLSQTfV8InetxwF+gazvcmtEnqagH64EseSz4RZQLtRc
+kAZLho1rPE35Ok/2eswMvQ9hOkQ7tX9dO35HYoHoVKUzdiBaPP3PCDeCC/Ei5C2n
+Z1rfbtOFwF/36qyz7o+YqHaWHVc9W/koRjtrmXA1soJ2
+-----END X509 CRL-----
diff --git a/apps/epp_proxy/priv/test_ca/crlnumber b/apps/epp_proxy/priv/test_ca/crlnumber
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/crlnumber
@@ -0,0 +1 @@
+1000
diff --git a/apps/epp_proxy/priv/test_ca/csrs/webclient.csr.pem b/apps/epp_proxy/priv/test_ca/csrs/webclient.csr.pem
new file mode 100644
index 0000000..49dcbe3
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/csrs/webclient.csr.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE3TCCAsUCAQAwgZcxCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQ
+MA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkgSW50ZXJuZXRpIFNpaHRh
+c3V0dXMxHDAaBgNVBAMME2xvY2FsaG9zdCB3ZWJjbGllbnQxIDAeBgkqhkiG9w0B
+CQEWEWhlbGxvQGludGVybmV0LmVlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAnr1o0ODAjhsVIOgwHpYSovv/NwwFCdU+Pd9gQEtjGmj1MS8WWTJuCzYm
+dwLm2BZuIigTt8T85s23Rsudj8gp1GcyY6W2e21twA79aYpATY8+/9VV8at8eLrw
+i5UQ3ZsT1hnsY2ndy50qXh2kZbpVCTI/0qnYbFrdrT7ZZ5xI2sRI1fNNat70xEjS
+6mMjAIMdn2Kn/gXouDRnjMFruspepGpHuvDxgzYs31S+YEvp94JB0oTFomoDHRun
+rJyHC2Kzvy05Vfjul1DEvetE+YG5eNYyOltIA8R0v8uECHsukPgQmTnSzUrqqrwR
+k8JqC1oKvCzaq7z0w8Pwx6QiIzdiCb6i5lurJIGMIeVKVVstDZoKkweVJ1o9ayRh
+InUheVuWqF2AitR6F+62FH/OcVn8voWSrODQxq5oXtqqyuDRQC4GtnpM7EFksK5+
+0+djyo0FTIS94oYjlGKPckxou5P2xqYFJxus6dxaeAUiwOsJSqkY3OQQhlCAQIm1
+wrPVRbRFpc6Js7cpDw8wCXAZNAWrCDpUF0fVjGacCW6e+CH9uIFXq9lYt5lak3dv
+HWjoVw3fRbjhZDsequznxCqr2l2VbjbnaJD1elVg/U+ztp2/0Gg1f2lPEftMdQSj
+XL/B6GENxDUWe4UAx5YZTYWkHDEFqyIlMEKhZCnzMyUj7jCztXsCAwEAAaAAMA0G
+CSqGSIb3DQEBCwUAA4ICAQBWZgoSw7JO5gaIziRqRqXPzxN+TLHps4ryYKyO31+F
+VvoC7mAhdUbVSEHEXRTQckIdlwnaYPAIeoWCQCZHDcvA3BbW5TC/KLoPCsJH/zhI
+OeoB2C3QDAifplNjZ/Una4tMyN4jOXDiwW2UKoCtjraXAyLI89q48k5e06xnTYpc
+zX23F/mZhheZoeaidqbdRtPemGDQg9KRp99f7ER10OqP5Les7TwVa9xZlyAg/ef8
+40sRVH+pPkYY14AccsPrGMr6dSphcPy1koQUp2ov6aUMJbDVs+sinoqBc8ixicLq
+AX+lLs/CZmf0LBjAdzg1P29R/tPS76zPv6bRUpp49H9sd/fJONR+6lgq3tSkvd+s
+MM9OK7zbs+1GUIiYEbCTdYe7UqSh6wfWfg7qrncWlLWFz+P6Yp7N+92hisDuDwTM
+en8fOG5029aqnq+SodYnfD8Idh+9YTza8S1qKi3u4Vf7PKsEr/0byAnm1rybOxyI
+PGGQ+H6kRQ+gCgZlD0NpVoOZvD3qriN0vxGSQUnsceMYAvRaf7v8i2FcaqsK6oK8
+YFnjpgxeY7Oowv5zEbeXJiqxLJBMj0AJYg8TUxkQofWKyZBEcxzeTzCQbkc4Dr0E
+6hqAqbAss6trTJXWOh4Ir3izT9Zb4oT+4i6u1NVxqou6dAWlqeh98dPBmh98Uy5q
+Ww==
+-----END CERTIFICATE REQUEST-----
diff --git a/apps/epp_proxy/priv/test_ca/generate_certificates.sh b/apps/epp_proxy/priv/test_ca/generate_certificates.sh
new file mode 100755
index 0000000..29625e0
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/generate_certificates.sh
@@ -0,0 +1,9 @@
+# !/bin/sh
+# Use localhost as common name.
+openssl genrsa -out private/webclient.key.pem 4096
+openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/webclient.key.pem -out csrs/webclient.csr.pem
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3650 -out certs/webclient.crt.pem
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -crldays 3650 -gencrl -out crl/crl.pem
+openssl req -config openssl.cnf -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout private/apache.key -config server.csr.cnf
+openssl x509 -req -in server.csr -CA certs/ca.crt.pem  -CAkey private/ca.key.pem -CAcreateserial -out certs/apache.crt -days 3650 -sha256 -extfile v3.ext
diff --git a/apps/epp_proxy/priv/test_ca/index.txt b/apps/epp_proxy/priv/test_ca/index.txt
new file mode 100644
index 0000000..e69de29
diff --git a/apps/epp_proxy/priv/test_ca/openssl.cnf b/apps/epp_proxy/priv/test_ca/openssl.cnf
new file mode 100644
index 0000000..0397357
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/openssl.cnf
@@ -0,0 +1,348 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= /opt/ca               # Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several certs with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= optional
+stateOrProvinceName	= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= EE
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Harjumaa
+
+localityName			= Locality Name (eg, city)
+localityName_default      	= Tallinn
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Eesti Interneti Sihtasutus
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= hello@internet.ee
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= /opt/ca           	# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
diff --git a/apps/epp_proxy/priv/test_ca/prepare_root_ca.sh b/apps/epp_proxy/priv/test_ca/prepare_root_ca.sh
new file mode 100755
index 0000000..41725eb
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/prepare_root_ca.sh
@@ -0,0 +1,8 @@
+# Prepare required files
+touch index.txt
+echo 1000 > serial
+echo 1000 > crlnumber
+
+# Generate Root CA.
+openssl genrsa -aes256 -out private/ca.key.pem 4096
+openssl req -config openssl.cnf -new -x509 -days 365 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
diff --git a/apps/epp_proxy/priv/test_ca/private/apache.key b/apps/epp_proxy/priv/test_ca/private/apache.key
new file mode 100644
index 0000000..07aefa6
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/private/apache.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCqhksikVH3psjD
+GT0a/NN5Oew8ylMn98j5JZdCHlR+UAgbvgeX5oFb6TyMhn5XHBfCfu7Bjt9216a7
+0LMKpgrimpmDXrwgQLTRWd4LuCJ9oxaAF38M2K/cVp82lOKF0xmtmLzEski43Dxc
+toN5sZCut85bDUJ7C6b8wlogWcgG22wGr6MXAq0An1GA2DpSXbE4amq2suZTbUeY
+jOb2Gpt5pYg0hfVANULZlZ2BVeCgQgP9EtRzwD6uJVR1orMb2QKu27MY7w+FegXk
+Ela2ysBxgVB6/eNVEqmVIWHCGKOHYxjXioDbXCx40wXv59IKOG68SibGnM1BIfRQ
+AMdbSnXvAgMBAAECggEASSYcevKdl7+a5V4hQT9tM9ZuCVG9RCrdskq2zO0Xz6tj
+HwtwVG/T0+qER7+12IY7hvpOTweLwn4VjwGinBHIH5az/Y+Y4bkAF8IWJy7Q1NYt
+47qwjIEzRzB9UbuiREfe/wHDEBluaqZG2nqMgZpy9w/v3E0e1IuWEV0JrlD1JkMs
+nW3RC2unrHjB1ySIdyV6otd/EOHkyd73fygjkA96sVLnv/olyaiW4n7Hlqn1j4it
+5Zuqdcaf/AqP+2ADPK+QeISEGYLM9dUeuBEYONkaEH7h5G0ojuxNz5cU7n6l0Hu7
+mWOhJFOgA/KRZVsHf+VsPOLGUizY5TjnIS0gyq/wQQKBgQDRkx7ufhYqa81PgQ9X
+r0D+D7NuJJxNxA7unU42fa86FWpjnBIxz8tlPM302g+cR6qSWygXcEaxr1CezkcX
+db/4MaiN3NWst7z2/dkOEO5Bv+54SzckxZt1QhkoUznxDMOqPdWIKIgjQEroIlHz
+TyHT+oF+zEBrNqKGexS11IYczwKBgQDQTKj4C0yfyuXIjwnhEJFqMFqGJsFD/mbL
+ca6mx5i/0tsN/HKCSWPza7gh0wiP28f1EULk2UkScHqvt5XBCDofPbr3bkipGy0V
+6x2NlOcdCMiFfcK15AIMMddiL9Be1pSTqUIQ1thUu4k0vfbu8LurchZIqjBtWaQK
+nrYNI5Oc4QKBgFR5+iDmQCcPVy3x9u5AXXFLgOcn6L1MBzzVub4rQWOnWEAYnBjq
+CrGfJeHJuDslhDMEfY+dGVHsOhIZUfy54Qy5b5jnaFX7pjblMgYCexeTtxtULkEr
+SjOk1iE0EwoAPCq2TAlbVSzocIlLtD7gKeGZe3NR/7F3z2Fn4Xw902VvAoGBAMQd
+GQ0IXmkn97Yfbha3qaFHy0L45AdnU1MCQoSF8bvRAysk3o7qGC/L4H4AGdSQAbAr
+Q0cBiLnSqsAb4ePvIgHd9dUVwVVt38H+LkHpyrrcVSbR4+uqs37VwkqQZ+eSsipg
+NnJyRRVpx+GfZQlMH/VoIbDig1vBBSB2k0LFlyohAoGBAIwt5E07ez+B0JihGE7F
+390gH57xS3M7G4iB1bEr4VyZmStOzNmA4hhz+pz8pnKxMu1bwZdsgvtmQDh59j3I
+AUaldDULGfSLQ5YJZ1apyAk2kIDF0Buhe2UtkHtnWG6PFSwEs0AKZeliyIpgZ9R4
+86eWGoSuHznP2faVslscZSyE
+-----END PRIVATE KEY-----
diff --git a/apps/epp_proxy/priv/test_ca/private/ca.key.pem b/apps/epp_proxy/priv/test_ca/private/ca.key.pem
new file mode 100644
index 0000000..c60b8a8
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/private/ca.key.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,AEB2DBECCB8452DE1D6E3F46B4AD32A8
+
+i/cuYpPW2lzi/spv5ZOvF5Fw19ZNOqIl42jdxyTKnEa51xKW7nlOUFvglzYiEMS5
+rP4TWqnlBdRl1QXUv9R9zsL6DaPXs0j1kX8OxsV8ZRF6Pzb0G0uJBF7xxKb7c/8j
+GP3uURESHhVc4ku6ctkChzTrUd7V4/pPEG5hLFdpgdTNodtfzDGWORFBDv2Jp0Mc
+hiJFKnLaCFItRpQnqGKfDwJPRUJIIwjH1EUx+U4WDzUI5z7LhNVZ9A/07hYvSh56
+bwZ4T4CXBXxVtBPhzb5aLigqs6CGfslsQnvoajdKEHq6B1j5Yj0aDG/IYG2jNSJM
+9rRbL/0/FPmKrjsbsyxskzp2vRKYOUA2G6SU4Q8db/OBwmaz7zQC+2Og6G115f6/
+TvBNsF+SfiP7YlaRs6qGJLk9NBqqdsTvTli8qGvOV3dAUp1EXB+MGsyQGitG+7+d
+7XSenjHN4Lxvb0o0BBHIDv6HScIB8a1ebtLDCV45NdYyM1lsx2rOQyKwVe++TVrH
+PI+vHoR+Qx1eC2m+UOzzjtRREXbwMZfe0ErvtTUC+LrU90J48u9lRZglxOR2VdjV
+/eHVlTbiWgR8fcbbbBxeVOwilwXC/vRtiYHjMkbAzul4VOPRc0gRJ4VED0mpRSf0
+/n82W9fJnqhWjEV/zoqYUCWaLG/Q/FXE9o81GeI5Av5HNF7SSy3pvxvt+dvU1Cxi
+mJGj/w3T5e4yAJi7tPYfRvjyD30WFgIDw3AmJly600B6QAQ2+xi1UPL5kew46haS
+Z+bdRb6lPGpDhZXPGRKnTYsoHFbpoE1tYWUMzFzBF1VeCPgPrmjoXzcWVD1tnzu7
+LV01qUfNL/SFnue7oa8xsZj4WMfhB6DsalDf30GdR4HFgswO3rPKWxP2r+tnOscv
+MBwlaSvzAY4bx8rLE5Yf46rDvoby/oy3P9ZGrLygraIG4QNOJvSB8esHfXTkT7Mb
+IAFPnYWc8CjwsfBTP1wl0qzgbx04FOQfmfqfS67KUcxCN2RSOidhmfrzpZhYSTli
+/qpbek3rRSssAZKkuN53ozW5gfwLJpeStuSM/or6C2EKEj7KWYkTEFTRxQtFDfZB
+uWdO5836XlsVZdm99OqRUlR4eLqtyGYpZjfaMcjSBbmTs8U7Xxixb6FcLyp6UbeQ
+Fa3RJQL3vkINuFzIsxjRi7AUjd18+pFjYC5nOEdoJQBAM83inBrjGyxSKKcdYlVt
+j4srLisCMrtDOfijyLzl+cwoUod5DUn8JhgHM1ypIPQ7pk8vYFo38I2YE4I/Djuo
+EO6l8SFaWRa6AI/gkBUazwPh2OX/41e/eGeRVbTgfuzlBwJHhW5hyKTD9/DSsSmU
+cC96Y9X8pwggPR8s5zLzheOCS9ysEJmgCgPgw02f/Nxydy4VWtEYlIv/C37a3JB5
+Kgtz2icD80vugSF8BkkFpQjwC8fU61pDZ0SdP5WYricakSXya46BUnZk6pS1HmZC
+iw6kUrPvQk8l6e0uuB2gWPIisvpoPDuxqccayUWSbZzkV+Q3t7Mjc1uTnVQDCSGo
+pdJfOr1asIBSsUzhYbvw5pDBrOTtNT6k3WAdwbhQ31q+jwhzq8ESj7UQ9klsFLlc
+nthCeTC6Wv0vNbIdf5YpCR21J1RxRv8XNO1HrN1/uJKcTvrpEVFopKTN5KYnOGlq
+rQdA3zetvsncmmOJe+/77pVZ/GT05yCGPlEtdjSb6RJQ3hmOZAeY/KpKh7nrYH7i
+Fk+N5EJJHdCbqFLQ//Xi/8Gx5wdpzJGfFx8R0XMkQ2mXwFmqYF/IFDLnMDfp0NWW
+A1SVYaQcjTOkOCdVN6CJcs8dfNo3Fm8zoo+8HMO9K1wLMiQopI+UZovIguCXELsC
+A+BuzsZsnSb4bFXVq4kXbHW86WfBwoPPjRtYgDXdRyOzEd4QY0wNyBn8Ab3ogJNJ
+JqNTic7N9Gg6y2GvGryiEpZL10DFUpsIIx3bdXuBOQTlDRNtj2WyQ+vpMpDwW6iQ
+u0zvpvZ60Qf+akU+Z6p/yLCQUZ4JNXsp6qUaEKG3WaIwlQh5bVeWEtAOAqFDS534
+4NZoW/MMpjErHcJcoi3WAVHyq03WlnaCHTRaA5KUgVhAJ+iPh49th7uDjaqlYvC2
+m+eedZuac0wrsPG0UuAZJSqtPpNL5H53WYnuGSUE3OkLxNau+9lEqG7M3lAn7/N3
+NjHiyNvT+3JHxDMK5icSQKvvjzscX57OLneF5jxufbDXCf4fZbnMgFDH0SXOJkxV
+ImGAIfaNnmBMz/mpvAGHOGUQxZDRHxvR8fO6BrZBomOmYEiWrhWbp6XRJEz+62M8
+LwE9wQnoobko3xtX+90rHWUp1jIvZRoM3dHSxIEtI2mePPklHC9RpEf9qpiwY+yR
+84mI/HGiC5MnBe4BN8BMI1s2pOvLKgaEf5FJRON2nAR1qTDh0BVZx9pby2fheXBr
+U80cp5khOjOeNFTJfoTJcxRv43HH4U58Ce1Gra5grB8fhdBjCqUZnX2zsuAOVAcn
++bOMUcHMI9dW6og3Plb09nhTjzLlD3i2+rCBHZOlw9m3nTBALkE8iL0f5/BFxEFy
+p3fX1YWoSh/XTKdaKCQsZ9xs1oCZ73h7l1F6+o/qD2PjCkOtI5PRAGmZ83FpKY0G
+eRF3vM1guPaV4qpccOqN7qii3MLVEqxWbnM0+ZBfMoHIwSvWgxaallcoyhEgLwkO
+9wliM4ORX+csTmdDCJl1URR7pJBRmBMX6a7fqsZPxLQ+VjhYXZDwCohuRSYRaoai
+YMVp6s6KutzSt/JUSP1oDYPxIY6pfxq/LMN4R/tBK+bdhQP8EEvcJGjKkzxslThU
+utQF9Ml8oBw0LmCsxRnkPfhF2d3PmNX97QPwLBN6q1PvhQLOd1s9ILKSLBN89UCM
+P7BrU/m3qcXlkGbbzKjjTMqHlvoCUQnieyAKc3ugWwGc9LIAEaFTLj45B5POXKqk
+TYG3ubWWgtwVtWlCO8IMjz3+8jnQ+bHoiBwVA0y3WyQvvwqeU7SnuBHb9ktURUrs
+o2LrswBQbDxvfH7T7Iz2e6pvhGMegkNo3LO86e7gaC1shMs4juCT1jy2ln2XexgN
+xP8Lo0hkO2UJEVs2OMBjmawbPSEg/p/7cftwMpVUV/Dgl/7viwcLy5RGJff9y5L7
+-----END RSA PRIVATE KEY-----
diff --git a/apps/epp_proxy/priv/test_ca/private/webclient.key.pem b/apps/epp_proxy/priv/test_ca/private/webclient.key.pem
new file mode 100644
index 0000000..dc5ad8a
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/private/webclient.key.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAnr1o0ODAjhsVIOgwHpYSovv/NwwFCdU+Pd9gQEtjGmj1MS8W
+WTJuCzYmdwLm2BZuIigTt8T85s23Rsudj8gp1GcyY6W2e21twA79aYpATY8+/9VV
+8at8eLrwi5UQ3ZsT1hnsY2ndy50qXh2kZbpVCTI/0qnYbFrdrT7ZZ5xI2sRI1fNN
+at70xEjS6mMjAIMdn2Kn/gXouDRnjMFruspepGpHuvDxgzYs31S+YEvp94JB0oTF
+omoDHRunrJyHC2Kzvy05Vfjul1DEvetE+YG5eNYyOltIA8R0v8uECHsukPgQmTnS
+zUrqqrwRk8JqC1oKvCzaq7z0w8Pwx6QiIzdiCb6i5lurJIGMIeVKVVstDZoKkweV
+J1o9ayRhInUheVuWqF2AitR6F+62FH/OcVn8voWSrODQxq5oXtqqyuDRQC4GtnpM
+7EFksK5+0+djyo0FTIS94oYjlGKPckxou5P2xqYFJxus6dxaeAUiwOsJSqkY3OQQ
+hlCAQIm1wrPVRbRFpc6Js7cpDw8wCXAZNAWrCDpUF0fVjGacCW6e+CH9uIFXq9lY
+t5lak3dvHWjoVw3fRbjhZDsequznxCqr2l2VbjbnaJD1elVg/U+ztp2/0Gg1f2lP
+EftMdQSjXL/B6GENxDUWe4UAx5YZTYWkHDEFqyIlMEKhZCnzMyUj7jCztXsCAwEA
+AQKCAgEAkR2GnK1aWo7XmeWpV8zJ7MWCYshSMtMGu3lhfGVui843mGb7fz9i6kzu
+jQ3SCuk2dXM901n5+OVHDylFORQ7aTmODxqG3/8Bvfn2IG2Kq1ywsyBMGUoz2ArN
+rEzxxiTm1WuNdrRpVqKvAKsIhxb4dhfB0MwEVcobrS0vglCVKakXDMAHnhOEn4wT
+hMJsVSOICRUfjlHIld0SbNLFsVUfgB7IxFVP9Cuqid/myhGcKfCiS9mk8v0HK60E
+dAAEVJw+xh6Js9aGBz6HHTffLlkxPQ5TjJW2F/uY310lrrstrsmYIvuBgrtiHAMh
+7npkh0whVDWNEkMDX5PYoimiK5+NtvpEc9zdNup8pE2qe5LklZ/7RlShJWQLJbvW
+2H28i047kfy2ltZ6hmVHDXMHrLx87Rrh0P+kHl53zM1G9f2MrhGe33CS7PMiZUsZ
+CzAvVISZMz9TvQ78vFQ6d7RoBvTvcfVYwq17uPI9mu5tReZxE2J9RCCkEssLufs/
+r8FpR40oFPftFr3PkIDsMI22/9OLYs1hqW+wtpGkPgF6rPTSVh8D2NvGNzRnj4bG
+duYEnKcsz41rA8bhD7zmw5a6L53wvAB+rcRJUN+SrAGLlTpOUkjWPhZafNkbZHNx
+HJ+CE6pNyHJWFHpaUUq6WIHoaJa1EEBgh5DPWJ8NFAWxnMrl0gECggEBAMmqaSLa
+N+PC3WuRBCh5XZmdCsBGcs5DJT5PW0h2y2mfNxAugSamD26KGn6AmSbqGZJJvMBI
+JLMNSYiCAqy0uKmvCe0yiik6FQFNRwzROfW52PTQVCaUQ8v0NXAeeMmgM5CEuD+k
+0f8xdThw2saXpdYbVxXjBpkhKC1biAJFz8m2yfjaBSmZQVRWxjL9+XaeVyPZN85M
+/2/Lt+VQTMaq58+bpUYuAhlEyMwetNw8CuhWTlYtVJgmEHKuLywD2MJLCx5hScip
+HwirW6VZTtinb6SruTgbzYd/urim/ZIfDIwwuPaJA5Hfrll3uSnQBlq0EcWwcbYT
+X9afxmvM7XAbGaECggEBAMmCQaswfDAtxaUbn6BLHjlOKLx02GrRPsr6AIPHY55T
+DafwOUZiHPF3eekmDlQNgpAFTnecgHiT4dpmBl0wRZ5VwVZL/nU3dZKbHbfU05Ll
+EpTazguhubuHmYClNXAIQ9OEFy+4NpHB9blqISCNJ1sJqel9TXhpbmeo+aNEbH0A
+aDnnRRWnQrzhL9k5Y5ot/lbUEAsuEw5JKJgj2BrkA5ZymaI+5hBYOkBLUzMqbEwN
+tMlhKTtf4Kow1DXwwXpWEc1gj16+XuKWv6BW0kKrjWk5I9XTTPucD5btKO0r9H5F
+Qe/4msfkcQhZXsZomhAHzSj47przXWFZ1otOCUdnkZsCggEAbCbbCZj0Pk7ERqrY
+CwjDnN1u5Z0iduHluFwAvYUQJA4CDsiR9PM79XFVMiCvggIsQpsPAiPuoqPumqn2
+2z50hnPcI/xlwiRnHXKfNw2CQvkvlGOhrar4DQpkGkQNTTyASvISifdPs8eHcQR9
+H+I2SvQQqSk+4aK5lFGxSF6+SBSijrYF7MBHG/8JflFclzPl0dDtr9L1brRXZEDD
+XAxOE7YKVe/YqkqMUYPqRO5ifyXCD09yPcK0MXyeycEqX1C1ns5YLqgcf56+oJeb
+xG9PXYXG6INon1FuBxdviAzkws5ic70ZUAMg0tR1Vio9LinCGj49TYNoc4bud+PI
+NsYh4QKCAQEAtB/BP5sJh6+CmsIEgC5lh+f7tenkgicksB+lUiZrP90Rueqb5/RP
+1vBrgyNHb47cBI0ZxQWaOS5HlwfX7Hj34j7ZoaAwhuraKACMIgUWUpp9b53ezLr1
+4VGmvz3udISOzIWojDloXgY49lKN5iEG6vPKdDJTi60CyZpb+7twFpTEle3K7T4k
+A95u/Qe1pt4yGb9Z0ASReBWhOc3goLjtFBDAkC0VTcrv1wT+DCCBycH+tnwpdS+R
+DdC0ALuC1y4Un7cOsSwOeREzncm+DWZ383TmOX61s7uem9TG3qqJ1E1oUW+yO7hR
+6Zqpg0WBYY73rwZFkzCzag/6HW/WD4PevQKCAQAxXWBVRh+1p8ILMhwwQDPj/FyU
+9AhUL0N5xJadovn0qN5OO0yqlXtyWPGOsIdsbU8IRbxRNLH/ZSb804cH1Ky2Yo78
+T2GvHI+piesctkhk4tA7O6j6XkbRGLeVpjnK0Wbqzp1GOkJKGggMNhkM/5qLUzcd
+7GHRbicxal4RD7lcydzQFJ/3OVzhsvTWvg7Hkbrx6tqtR8Jqs18Sq7KWObvsxEdF
+B3WUG8B8nc36lIGtmWrCAj/y3RTtqgYQzxKvIcy6/cLPsRQXoobWnbt6Kg/npLhc
+ywHDhrlN/yA+mptelrTiI3HNwoNn4C9azQDxysUO7jgoAv+bF+plQ1LgJM/4
+-----END RSA PRIVATE KEY-----
diff --git a/apps/epp_proxy/priv/test_ca/serial b/apps/epp_proxy/priv/test_ca/serial
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/serial
@@ -0,0 +1 @@
+1000
diff --git a/apps/epp_proxy/priv/test_ca/server.csr b/apps/epp_proxy/priv/test_ca/server.csr
new file mode 100644
index 0000000..1020d46
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/server.csr
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC2DCCAcACAQAwgZIxCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQ
+MA4GA1UEBwwHVGFsbGlubjEZMBcGA1UECgwQRWVzdGlJbnRlcm5ldGlTQTEQMA4G
+A1UECwwHQXJlbmR1czEgMB4GCSqGSIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUx
+DzANBgNVBAMMBioudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKqGSyKRUfemyMMZPRr803k57DzKUyf3yPkll0IeVH5QCBu+B5fmgVvpPIyGflcc
+F8J+7sGO33bXprvQswqmCuKamYNevCBAtNFZ3gu4In2jFoAXfwzYr9xWnzaU4oXT
+Ga2YvMSySLjcPFy2g3mxkK63zlsNQnsLpvzCWiBZyAbbbAavoxcCrQCfUYDYOlJd
+sThqaray5lNtR5iM5vYam3mliDSF9UA1QtmVnYFV4KBCA/0S1HPAPq4lVHWisxvZ
+Aq7bsxjvD4V6BeQSVrbKwHGBUHr941USqZUhYcIYo4djGNeKgNtcLHjTBe/n0go4
+brxKJsaczUEh9FAAx1tKde8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAkJkKR
+jqptkp2vkHUH/Nnmqh9SCPD5wETGtGLZzS/ZnWAyRPHZ8Kw3XnCvyZj41EnWifWC
++0kKSpQTvhED8RPmgfE1piQtSPuFJ9f26vyag5sGPfUkBaBl6zaxpK3fDHpCercy
+N5J6b1FAoWj/rhtRCMJx8OYCmurBp4BUtyYbduk0FWhdcX8uyRiLOOxaGO7ZpkEf
+CEUhEarperXPqhm9NtNbPrEP15tunf5otM6FjpIoc0wFtlOUdrZBT9dE+67F8WlT
+qlXUSXucrhWt/WXEiuzaj6w/J7prDr9ua/xO9qUo5aWA6QlPsSsaQl9KF9ST0qXG
+hm/lggFVtkCvKv5L
+-----END CERTIFICATE REQUEST-----
diff --git a/apps/epp_proxy/priv/test_ca/server.csr.cnf b/apps/epp_proxy/priv/test_ca/server.csr.cnf
new file mode 100644
index 0000000..b4b38b4
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/server.csr.cnf
@@ -0,0 +1,14 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C=EE
+ST=Harjumaa
+L=Tallinn
+O=EestiInternetiSA
+OU=Arendus
+emailAddress=hello@internet.ee
+CN = *.test
diff --git a/apps/epp_proxy/priv/test_ca/v3.ext b/apps/epp_proxy/priv/test_ca/v3.ext
new file mode 100644
index 0000000..82646bc
--- /dev/null
+++ b/apps/epp_proxy/priv/test_ca/v3.ext
@@ -0,0 +1,8 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = test
+DNS.2 = registry.test
diff --git a/apps/epp_proxy/src/epp_tls_acceptor.erl b/apps/epp_proxy/src/epp_tls_acceptor.erl
index d1e8b44..fd2bd9e 100644
--- a/apps/epp_proxy/src/epp_tls_acceptor.erl
+++ b/apps/epp_proxy/src/epp_tls_acceptor.erl
@@ -68,23 +68,23 @@ create_worker(Socket) ->
 ca_cert_file() ->
     case application:get_env(epp_proxy, cacertfile_path) of
       undefined -> undefined;
-      {ok, CaCertFile} -> CaCertFile
+      {ok, CaCertFile} -> epp_util:path_for_file(CaCertFile)
     end.
 
 cert_file() ->
     case application:get_env(epp_proxy, certfile_path) of
       undefined -> undefined;
-      {ok, CertFile} -> CertFile
+      {ok, CertFile} -> epp_util:path_for_file(CertFile)
     end.
 
 key_file() ->
     case application:get_env(epp_proxy, keyfile_path) of
       undefined -> undefined;
-      {ok, KeyFile} -> KeyFile
+      {ok, KeyFile} -> epp_util:path_for_file(KeyFile)
     end.
 
 crl_file() ->
     case application:get_env(epp_proxy, crlfile_path) of
       undefined -> undefined;
-      {ok, CrlFile} -> CrlFile
+      {ok, CrlFile} -> epp_util:path_for_file(CrlFile)
     end.
diff --git a/apps/epp_proxy/src/epp_util.erl b/apps/epp_proxy/src/epp_util.erl
index 9573990..929e8e0 100644
--- a/apps/epp_proxy/src/epp_util.erl
+++ b/apps/epp_proxy/src/epp_util.erl
@@ -2,7 +2,7 @@
 
 -export([create_map/1, create_session_id/1,
 	 frame_length/1, frame_length_to_receive/1,
-	 frame_length_to_send/1, readable_ip/1, session_id/1]).
+	 frame_length_to_send/1, readable_ip/1, session_id/1, path_for_file/1]).
 
 -define(OFFSET, 4).
 
@@ -67,3 +67,11 @@ readable_ip({FirstOctet, SecondOctet, ThirdOctet,
 	    integer_to_list(FourthOctet)],
     Binary = list_to_binary(List),
     Binary.
+
+path_for_file(Filename) ->
+    case filename:pathtype(Filename) of
+        absolute -> Filename;
+        relative ->
+            CWD = code:priv_dir(epp_proxy),
+            filename:join(CWD, Filename)
+    end.
diff --git a/apps/epp_proxy/test/epp_http_client_SUITE.erl b/apps/epp_proxy/test/epp_http_client_SUITE.erl
index d9285e1..65f4eb5 100644
--- a/apps/epp_proxy/test/epp_http_client_SUITE.erl
+++ b/apps/epp_proxy/test/epp_http_client_SUITE.erl
@@ -9,16 +9,17 @@
          error_request_builder_test_case/1,
          command_request_builder_test_case/1]).
 
-all() -> [hello_request_builder_test_case,
-         error_request_builder_test_case,
-         command_request_builder_test_case].
+all() ->
+    [hello_request_builder_test_case,
+     error_request_builder_test_case,
+     command_request_builder_test_case].
 
 hello_request_builder_test_case(_Config) ->
     RequestMap = #{command => "hello", session_id => "Random",
                    cl_trid => "EE-123456789", raw_frame => "",
                    headers => [{"User-Agent", <<"EPP proxy">>}]},
     Request = epp_http_client:request_builder(RequestMap),
-    ExpectedTuple = {epp_request,get,"https://localhost:9292/epp/session/hello",
+    ExpectedTuple = {epp_request,get,"http://localhost:9292/epp/session/hello",
                      [],
                      [<<"session=Random; Version=1">>],
                      [{"User-Agent",<<"EPP proxy">>}], "hello"},
@@ -31,7 +32,7 @@ error_request_builder_test_case(_Config) ->
                    message => <<"Expected better XML">>,
                    headers => [{"User-Agent", <<"EPP proxy">>}]},
     Request = epp_http_client:request_builder(RequestMap),
-    ExpectedTuple = {epp_request,get,"https://localhost:9292/epp/error",
+    ExpectedTuple = {epp_request,get,"http://localhost:9292/epp/error",
                      [{<<"code">>,<<"2001">>},
                       {<<"msg">>,<<"Expected better XML">>},
                       {<<"clTRID">>,"EE-123456789"}],
@@ -47,7 +48,7 @@ command_request_builder_test_case(_Config) ->
                    headers => [{"User-Agent", <<"EPP proxy">>}]},
     Request = epp_http_client:request_builder(RequestMap),
     ExpectedTuple = {epp_request,post,
-                     "https://localhost:9292/epp/command/create",
+                     "http://localhost:9292/epp/command/create",
                      {multipart,
                       [{<<"raw_frame">>,"Some XML here"},
                        {<<"clTRID">>,"EE-123456789"}]},
diff --git a/apps/epp_proxy/test/epp_router_SUITE.erl b/apps/epp_proxy/test/epp_router_SUITE.erl
index 585e26f..c63e602 100644
--- a/apps/epp_proxy/test/epp_router_SUITE.erl
+++ b/apps/epp_proxy/test/epp_router_SUITE.erl
@@ -25,61 +25,61 @@ request_method_test_case(_Config) ->
 
 %% TODO: Make less verbose and repetitive
 hello_url_test_case(_Config) ->
-    "https://localhost:9292/epp/session/hello" = epp_router:route_request("hello"),
-    "https://localhost:9292/epp/session/hello" = epp_router:route_request(<<"hello">>),
+    "http://localhost:9292/epp/session/hello" = epp_router:route_request("hello"),
+    "http://localhost:9292/epp/session/hello" = epp_router:route_request(<<"hello">>),
     ok.
 
 login_url_test_case(_Config) ->
-    "https://localhost:9292/epp/session/login" = epp_router:route_request("login"),
-    "https://localhost:9292/epp/session/login" = epp_router:route_request(<<"login">>),
+    "http://localhost:9292/epp/session/login" = epp_router:route_request("login"),
+    "http://localhost:9292/epp/session/login" = epp_router:route_request(<<"login">>),
     ok.
 
 logout_url_test_case(_Config) ->
-    "https://localhost:9292/epp/session/logout" = epp_router:route_request("logout"),
-    "https://localhost:9292/epp/session/logout" = epp_router:route_request(<<"logout">>),
+    "http://localhost:9292/epp/session/logout" = epp_router:route_request("logout"),
+    "http://localhost:9292/epp/session/logout" = epp_router:route_request(<<"logout">>),
     ok.
 
 check_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/check" = epp_router:route_request("check"),
-    "https://localhost:9292/epp/command/check" = epp_router:route_request(<<"check">>),
+    "http://localhost:9292/epp/command/check" = epp_router:route_request("check"),
+    "http://localhost:9292/epp/command/check" = epp_router:route_request(<<"check">>),
     ok.
 
 info_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/info" = epp_router:route_request("info"),
-    "https://localhost:9292/epp/command/info" = epp_router:route_request(<<"info">>),
+    "http://localhost:9292/epp/command/info" = epp_router:route_request("info"),
+    "http://localhost:9292/epp/command/info" = epp_router:route_request(<<"info">>),
     ok.
 
 poll_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/poll" = epp_router:route_request("poll"),
-    "https://localhost:9292/epp/command/poll" = epp_router:route_request(<<"poll">>),
+    "http://localhost:9292/epp/command/poll" = epp_router:route_request("poll"),
+    "http://localhost:9292/epp/command/poll" = epp_router:route_request(<<"poll">>),
     ok.
 
 create_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/create" = epp_router:route_request("create"),
-    "https://localhost:9292/epp/command/create" = epp_router:route_request(<<"create">>),
+    "http://localhost:9292/epp/command/create" = epp_router:route_request("create"),
+    "http://localhost:9292/epp/command/create" = epp_router:route_request(<<"create">>),
     ok.
 
 delete_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/delete" = epp_router:route_request("delete"),
-    "https://localhost:9292/epp/command/delete" = epp_router:route_request(<<"delete">>),
+    "http://localhost:9292/epp/command/delete" = epp_router:route_request("delete"),
+    "http://localhost:9292/epp/command/delete" = epp_router:route_request(<<"delete">>),
     ok.
 
 renew_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/renew" = epp_router:route_request("renew"),
-    "https://localhost:9292/epp/command/renew" = epp_router:route_request(<<"renew">>),
+    "http://localhost:9292/epp/command/renew" = epp_router:route_request("renew"),
+    "http://localhost:9292/epp/command/renew" = epp_router:route_request(<<"renew">>),
     ok.
 
 update_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/update" = epp_router:route_request("update"),
-    "https://localhost:9292/epp/command/update" = epp_router:route_request(<<"update">>),
+    "http://localhost:9292/epp/command/update" = epp_router:route_request("update"),
+    "http://localhost:9292/epp/command/update" = epp_router:route_request(<<"update">>),
     ok.
 
 transfer_url_test_case(_Config) ->
-    "https://localhost:9292/epp/command/transfer" = epp_router:route_request("transfer"),
-    "https://localhost:9292/epp/command/transfer" = epp_router:route_request(<<"transfer">>),
+    "http://localhost:9292/epp/command/transfer" = epp_router:route_request("transfer"),
+    "http://localhost:9292/epp/command/transfer" = epp_router:route_request(<<"transfer">>),
     ok.
 
 error_url_test_case(_Config) ->
-    "https://localhost:9292/epp/error" = epp_router:route_request("error"),
-    "https://localhost:9292/epp/error" = epp_router:route_request(<<"error">>),
+    "http://localhost:9292/epp/error" = epp_router:route_request("error"),
+    "http://localhost:9292/epp/error" = epp_router:route_request(<<"error">>),
     ok.
diff --git a/apps/epp_proxy/test/tls_client_SUITE.erl b/apps/epp_proxy/test/tls_client_SUITE.erl
new file mode 100644
index 0000000..ae0ac6f
--- /dev/null
+++ b/apps/epp_proxy/test/tls_client_SUITE.erl
@@ -0,0 +1,40 @@
+-module(tls_client_SUITE).
+
+-include("epp_proxy.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+-export([all/0]).
+-export([init_per_suite/1, end_per_suite/1]).
+-export([frame_size_test_case/1]).
+
+all() ->
+    [frame_size_test_case].
+
+
+init_per_suite(Config) ->
+    application:ensure_all_started(epp_proxy),
+    application:ensure_all_started(hackney),
+    [{my_key, <<"my value">>} | Config].
+
+%% Test Cases
+frame_size_test_case(_Config) ->
+    CWD = code:priv_dir(epp_proxy),
+    Options = [binary,
+               {certfile, filename:join(CWD, "test_ca/certs/webclient.crt.pem")},
+	       {keyfile, filename:join(CWD, "test_ca/private/webclient.key.pem")},
+               {active, false}],
+    {ok, Socket} = ssl:connect("localhost", 1443, Options, 2000),
+    {ok, Data} = ssl:recv(Socket, 0, 1200),
+    true = (byte_size(Data) =:= length_of_data(Data)),
+    ok.
+
+end_per_suite(Config) ->
+    application:stop(epp_proxy),
+    application:stop(hackney),
+    Config.
+
+%% Helper functions:
+length_of_data(Data) ->
+    EPPEnvelope = binary:part(Data, {0, 4}),
+    ReportedLength = binary:decode_unsigned(EPPEnvelope, big),
+    ReportedLength.
diff --git a/config/docker.config b/config/docker.config
index 1b97d6c..e3073a5 100644
--- a/config/docker.config
+++ b/config/docker.config
@@ -3,9 +3,9 @@
                {dev_mode, true},
                {tcp_port, 3333},
                {tls_port, 700},
-               {epp_session_url, "http://httpd:3000/epp/session/"},
-               {epp_command_url, "http://httpd:3000/epp/command/"},
-               {epp_error_url, "http://httpd:3000/epp/error/"},
+               {epp_session_url, "http://epp:3000/epp/session/"},
+               {epp_command_url, "http://epp:3000/epp/command/"},
+               {epp_error_url, "http://epp:3000/epp/error/"},
                {cacertfile_path, "/opt/ca/certs/ca.crt.pem"},
                {certfile_path, "/opt/ca/certs/apache.crt"},
                {keyfile_path, "/opt/ca/private/apache.key"},
diff --git a/config/test.config b/config/test.config
index 2fe7e75..bb9982d 100644
--- a/config/test.config
+++ b/config/test.config
@@ -1,11 +1,22 @@
 [
   {epp_proxy, [{dev_mode, false},
                {tcp_port, 3333},
-               {tls_port, 4444},
-               {epp_session_url, "https://localhost:9292/epp/session/"},
-               {epp_command_url, "https://localhost:9292/epp/command/"},
-               {epp_error_url, "https://localhost:9292/epp/error/"},
-               {cacertfile_path, "/opt/shared/ca/certs/ca.crt.pem"},
-               {certfile_path, "/opt/shared/ca/certs/apache.crt"},
-               {keyfile_path, "/opt/shared/ca/private/apache.key"}]}
+               {tls_port, 1443},
+
+               {epp_session_url, "http://localhost:9292/epp/session/"},
+               {epp_command_url, "http://localhost:9292/epp/command/"},
+               {epp_error_url, "http://localhost:9292/epp/error/"},
+               %% Path to root CA that should check the client certificates.
+               {cacertfile_path, "test_ca/certs/ca.crt.pem"},
+               {certfile_path, "test_ca/certs/apache.crt"},
+               {keyfile_path, "test_ca/private/apache.key"},
+               {crlfile_path, "test_ca/crl/crl.pem"}]},
+
+
+  {lager, [
+    {handlers, [
+               {lager_console_backend, [{level, warning}]}
+               %% {lager_syslog_backend, ["epp_proxy", local0, debug]}
+    ]}
+  ]}
 ].