diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index 08001c66c2..dde607f991 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@@ -423,7 +423,7 @@ public class NettyConnector extends AbstractConnector {
 enabledProtocols = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, TransportConstants.DEFAULT_ENABLED_PROTOCOLS, configuration);
- verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_VERIFY_HOST, configuration);
+ verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_CONNECTOR_VERIFY_HOST, configuration);
 trustAll = ConfigurationHelper.getBooleanProperty(TransportConstants.TRUST_ALL_PROP_NAME, TransportConstants.DEFAULT_TRUST_ALL, configuration);
@@ -450,7 +450,7 @@ public class NettyConnector extends AbstractConnector {
 crlPath = TransportConstants.DEFAULT_CRL_PATH;
 enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES;
 enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS;
- verifyHost = TransportConstants.DEFAULT_VERIFY_HOST;
+ verifyHost = TransportConstants.DEFAULT_CONNECTOR_VERIFY_HOST;
 trustAll = TransportConstants.DEFAULT_TRUST_ALL;
 sniHost = TransportConstants.DEFAULT_SNIHOST_CONFIG;
 useDefaultSslContext = TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT;
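Review bot: Flipping the connector-side default of verifyHost to true, at the replaced line in both hunks, is a behaviour change for every existing client whose broker certificate carries no SAN/CN matching the host it connects to, and nothing in the hunk records that intent for the next reader. A comment at the first replaced assignment such as `// client side now verifies the peer hostname by default (DEFAULT_CONNECTOR_VERIFY_HOST); set verifyHost=false to opt out` plus an entry in the user docs/upgrade notes would make the new default discoverable. It would also help to state how verifyHost interacts with trustAll, which is read on the very next line: if trustAll=true also bypasses the hostname check (not visible from this hunk), a user relying on the new default may assume the peer name is still being verified. Both hunks sit inside bodies whose start and end are outside the hunk.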
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
index 82ae94482f..37100875f3 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
@@ -246,7 +246,9 @@ public class TransportConstants {
 public static final boolean DEFAULT_WANT_CLIENT_AUTH = false;
- public static final boolean DEFAULT_VERIFY_HOST = false;
+ public static final boolean DEFAULT_ACCEPTOR_VERIFY_HOST = false;
+
+ public static final boolean DEFAULT_CONNECTOR_VERIFY_HOST = true;
 public static final String DEFAULT_SSL_PROVIDER = "JDK";
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index 8593399412..72c732f620 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
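Review bot: Removing `DEFAULT_VERIFY_HOST` from a public class in artemis-core-client is a source- and binary-incompatible change for any third-party code that referenced it, while the commit only needed to add the two new constants. Keep the old name as a deprecated alias with its old value, `@Deprecated public static final boolean DEFAULT_VERIFY_HOST = DEFAULT_ACCEPTOR_VERIFY_HOST;`, so existing callers keep compiling and keep their previous behaviour. The two new constants should also carry Javadoc explaining the asymmetry — that the connector-side hostname check is now on by default while the acceptor side stays opt-in — otherwise the next reader has to diff NettyConnector against NettyAcceptor to discover why there are two defaults for one `verifyHost` property.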
@@ -321,7 +321,7 @@ public class NettyAcceptor extends AbstractAcceptor {
 wantClientAuth = ConfigurationHelper.getBooleanProperty(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, TransportConstants.DEFAULT_WANT_CLIENT_AUTH, configuration);
- verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_VERIFY_HOST, configuration);
+ verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_ACCEPTOR_VERIFY_HOST, configuration);
 sslProvider = ConfigurationHelper.getStringProperty(TransportConstants.SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER, configuration);
@@ -356,7 +356,7 @@ public class NettyAcceptor extends AbstractAcceptor {
 enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS;
 needClientAuth = TransportConstants.DEFAULT_NEED_CLIENT_AUTH;
 wantClientAuth = TransportConstants.DEFAULT_WANT_CLIENT_AUTH;
- verifyHost = TransportConstants.DEFAULT_VERIFY_HOST;
+ verifyHost = TransportConstants.DEFAULT_ACCEPTOR_VERIFY_HOST;
 sslProvider = TransportConstants.DEFAULT_SSL_PROVIDER;
 sniHost = TransportConstants.DEFAULT_SNIHOST_CONFIG;
 trustManagerFactoryPlugin = TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN;
diff --git a/examples/features/standard/jmx-ssl/readme.md b/examples/features/standard/jmx-ssl/readme.md
index 454dfb6930..b5154bd528 100644
--- a/examples/features/standard/jmx-ssl/readme.md
+++ b/examples/features/standard/jmx-ssl/readme.md
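Review bot: The acceptor keeps hostname verification opt-in at the replaced line while the connector's default flips to true in the same commit, but nothing at either assignment says why the two sides of the same `verifyHost` property now differ. A one-line comment at the first replaced assignment, e.g. `// acceptor side stays opt-in on purpose; compare DEFAULT_CONNECTOR_VERIFY_HOST`, would stop a later cleanup from "aligning" the two defaults and silently enabling a check on the server side that the commit deliberately left off. Both hunks sit inside bodies whose start and end are outside the hunk.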
@@ -16,12 +16,54 @@ With these properties, ActiveMQ Artemis broker will be manageable remotely using The various keystore files are generated using the following commands: -* `keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA` -* `keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample` -* `keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt` -* `keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA` -* `keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample` -* `keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt` +```shell +#!/bin/bash +set -e + +KEY_PASS=securepass +STORE_PASS=securepass +CA_VALIDITY=365000 +VALIDITY=36500 + +# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust: +# ----------------------------------------------------------------------------------------------------------- +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt + +# Create trust store with the server CA cert: +# ------------------------------------------- +keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS 
-importcert -alias server-ca -file server-ca.crt -noprompt + +# Create a key pair for the server, and sign it with the CA: +# ---------------------------------------------------------- +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr +keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt + +# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust: +# ----------------------------------------------------------------------------------------------------------- +keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt + +# Create trust store with the client CA cert: +# ------------------------------------------- +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" 
-validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt + +# Create a key pair for the client, and sign it with the CA: +# ---------------------------------------------------------- +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore client-keystore.jks -storepass $STORE_PASS -alias client -certreq -file client.csr +keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt +``` ## More information diff --git a/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java b/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java index 8681a19dc1..6e0adff760 100644 --- a/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java +++ b/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java 
@@ -83,10 +83,10 @@ public class JMXOverSSLExample {
 String[] creds = {"guest", "guest"};
 env.put(JMXConnector.CREDENTIALS, creds);
- System.setProperty("javax.net.ssl.trustStore", args[0] + "client-side-truststore.jks");
- System.setProperty("javax.net.ssl.trustStorePassword", "secureexample");
- System.setProperty("javax.net.ssl.keyStore", args[0] + "client-side-keystore.jks");
- System.setProperty("javax.net.ssl.keyStorePassword", "secureexample");
+ System.setProperty("javax.net.ssl.trustStore", args[0] + "server-ca-truststore.jks");
+ System.setProperty("javax.net.ssl.trustStorePassword", "securepass");
+ System.setProperty("javax.net.ssl.keyStore", args[0] + "client-keystore.jks");
+ System.setProperty("javax.net.ssl.keyStorePassword", "securepass");
 JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(JMXOverSSLExample.JMX_URL), env);
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-ca-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-ca-truststore.jks
new file mode 100644
index 0000000000..e2dfeff87d
Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-ca-truststore.jks differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-keystore.jks
new file mode 100644
index 0000000000..b968a0c54d
Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-keystore.jks differ
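Review bot: The trust store named on the first added line, `server-ca-truststore.jks`, is not what the regeneration script added to the readme in this commit produces — that script writes `server-ca-truststore.p12` and never converts it — so anyone who regenerates the stores as documented gets a missing-file failure here; either the readme should emit the `.jks` that ships with the example or this path should follow the script. Independently, the four `System.setProperty("javax.net.ssl.*", …)` calls configure TLS for the whole JVM, which is acceptable in a demo but deserves a comment such as `// demo only: JVM-wide properties affect every TLS client in this process; real code should build its own SSLContext` so the pattern is not copied into an application. The enclosing method starts and ends outside the hunk.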
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-keystore.jks
deleted file mode 100644
index cb65a44ddc..0000000000
Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-keystore.jks and /dev/null differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-truststore.jks
deleted file mode 100644
index 7eb1d5634d..0000000000
Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-truststore.jks and /dev/null differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml
index dd15e5c218..77beedb320 100644
--- a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml
+++ b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml
@@ -20,10 +20,10 @@ connector-port="1099" connector-host="localhost" secured="true"
- key-store-path="${data.dir}/../etc/server-side-keystore.jks"
- key-store-password="ENC(2a7c211d21c295cdbcde3589c205decb)"
- trust-store-path="${data.dir}/../etc/server-side-truststore.jks"
- trust-store-password="ENC(2a7c211d21c295cdbcde3589c205decb)"/>
+ key-store-path="${data.dir}/../etc/server-keystore.jks"
+ key-store-password="ENC(1f0e6cd7ced61232730f9e82cc91c1e1)"
+ trust-store-path="${data.dir}/../etc/client-ca-truststore.jks"
+ trust-store-password="ENC(1f0e6cd7ced61232730f9e82cc91c1e1)"/>
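Review bot: The new `trust-store-path` points at `client-ca-truststore.jks`, but the regeneration script added to the readme in this same commit never creates that file: its "Create trust store with the client CA cert" step runs `-genkey` into `client-ca-keystore.p12` (a second, unrelated client CA whose certificate then overwrites `client-ca.crt`) instead of importing the CA certificate into a trust store, so the documented procedure cannot reproduce the checked-in stores. That step was presumably meant to be `keytool -keystore client-ca-truststore.jks -storepass $STORE_PASS -importcert -alias client-ca -file client-ca.crt -noprompt`. Note also that the two ENC() values are identical, which already tells a reader that both stores share one password (the readme prints it in clear anyway); if the default codec key is in use, ENC() is obfuscation rather than encryption, which is fine for an example but worth a one-line XML comment so the pattern is not copied into production configuration.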
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-ca-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-ca-truststore.jks new file mode 100644 index 0000000000..3fe0f29ad2 Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-ca-truststore.jks differ diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-keystore.jks new file mode 100644 index 0000000000..5a7e2c00bf Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-keystore.jks differ diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-keystore.jks deleted file mode 100644 index 6089c6ee13..0000000000 Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-keystore.jks and /dev/null differ diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-truststore.jks deleted file mode 100644 index 0b7e224163..0000000000 Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-truststore.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/readme.md b/examples/features/standard/ssl-enabled-crl-mqtt/readme.md index 56be3ceeeb..399c7e84b4 100644 --- a/examples/features/standard/ssl-enabled-crl-mqtt/readme.md +++ b/examples/features/standard/ssl-enabled-crl-mqtt/readme.md 
@@ -7,92 +7,96 @@ This example shows you how to configure 2-way SSL with CRL along with 2 differen To configure 2-way SSL with CRL you need to configure the acceptor as follows: ``` -tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true;sslEnabled=true;keyStorePath=${data.dir}/../etc/keystore1.jks;keyStorePassword=changeit;trustStorePath=${data.dir}/../etc/truststore.jks;keyStorePassword=changeit;crlPath=${data.dir}/../etc/root.crl.pem;needClientAuth=true` +tcp://0.0.0.0:1883?protocols=MQTT;sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;keyStorePassword=securepass;crlPath=other-client-crl.pem;needClientAuth=true ``` -In the server-side URL, the `keystore1.jks` is the key store file holding the server's key certificate. The `truststore.jks` is the file holding the certificates which the server trusts. The `root.crl.pem` is the file holding the revoked certificates. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively. +In the server-side URL, the `server-keystore.jks` is the key store file holding the server's key certificate. The `client-ca-truststore.jks` is the file holding the certificates which the server trusts. The `other-client-crl.pem` is the file holding the revoked certificates. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively. -The various keystore files are generated using the following commands. Keep in mind that each common name should be different and the passwords should be `changeit`. +The various keystore files are generated using the following commands. Keep in mind that each common name should be different and the passwords should be `securepass`. 
+ +```shell +#!/bin/bash +set -e + +KEY_PASS=securepass +STORE_PASS=securepass +CA_VALIDITY=365000 +VALIDITY=36500 + +# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust: +# ----------------------------------------------------------------------------------------------------------- +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt + +# Create trust store with the server CA cert: +# ------------------------------------------- +keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt + +# Create a key pair for the server, and sign it with the CA: +# ---------------------------------------------------------- +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr +keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt + +# 
Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust: +# ----------------------------------------------------------------------------------------------------------- +keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt + +# Create trust store with the client CA cert: +# ------------------------------------------- +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt + +# Create a key pair for the client, and sign it with the CA: +# ---------------------------------------------------------- +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore client-keystore.jks -storepass $STORE_PASS -alias client -certreq -file client.csr +keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt 
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt + +# Create a key pair for the other client, and sign it with the CA: +# ---------------------------------------------------------------- +keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias other-client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -alias other-client -certreq -file other-client.csr +keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile other-client.csr -outfile other-client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-client -file other-client.crt ``` -openssl genrsa -out ca.key 2048 -openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -touch certindex -echo 01 > certserial -echo 01 > crlnumber -``` - ## Create the ca.conf file: ``` [ ca ] -default_ca = myca +default_ca = CA_default -[ crl_ext ] -# issuerAltName=issuer:copy #this would copy the issuer name to altname -authorityKeyIdentifier=keyid:always - -[ myca ] -dir = ./ -new_certs_dir = $dir -unique_subject = no -certificate = $dir/ca.crt -database = $dir/certindex -private_key = $dir/ca.key -serial = $dir/certserial -default_days = 730 -default_md = sha1 -policy = myca_policy -x509_extensions = myca_extensions -crlnumber = $dir/crlnumber -default_crl_days = 730 - -[ myca_policy ] -commonName = supplied -stateOrProvinceName = supplied -countryName = 
optional -emailAddress = optional -organizationName = supplied -organizationalUnitName = optional - -[ myca_extensions ] -basicConstraints = CA:false -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always -keyUsage = digitalSignature,keyEncipherment -extendedKeyUsage = serverAuth, clientAuth -crlDistributionPoints = URI:http://example.com/root.crl -subjectAltName = @alt_names - -[alt_names] -DNS.1 = example.com -DNS.2 = *.example.com` +[ CA_default ] +dir = ./ +database = $dir/openssl-database +crlnumber = $dir/openssl-crlnumber +default_md = default ``` ## Continue with the following commands: -``` -openssl genrsa -out keystore1.key 2048 -openssl req -new -key keystore1.key -out keystore1.csr -openssl ca -batch -config ca.conf -notext -in keystore1.csr -out keystore1.crt -openssl genrsa -out client_revoked.key 2048 -openssl req -new -key client_revoked.key -out client_revoked.csr -openssl ca -batch -config ca.conf -notext -in client_revoked.csr -out client_revoked.crt -openssl genrsa -out client_not_revoked.key 2048 -openssl req -new -key client_not_revoked.key -out client_not_revoked.csr -openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr -out client_not_revoked.crt -openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem -openssl ca -config ca.conf -revoke client_revoked.crt -keyfile ca.key -cert ca.crt -openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem +```shell +# Export the key of the server CA: +# ---------------------------------------------------------------------------------------------------- +openssl pkcs12 -in client-ca-keystore.p12 -nodes -nocerts -out client-ca.pem -password pass:$STORE_PASS -openssl pkcs12 -export -name client_revoked -in client_revoked.crt -inkey client_revoked.key -out client_revoked.p12 -keytool -importkeystore -destkeystore client_revoked.jks -srckeystore client_revoked.p12 -srcstoretype pkcs12 -alias client_revoked - -openssl pkcs12 -export 
-name client_not_revoked -in client_not_revoked.crt -inkey client_not_revoked.key -out client_not_revoked.p12 -keytool -importkeystore -destkeystore client_not_revoked.jks -srckeystore client_not_revoked.p12 -srcstoretype pkcs12 -alias client_not_revoked - -openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey keystore1.key -out keystore1.p12 -keytool -importkeystore -destkeystore keystore1.jks -srckeystore keystore1.p12 -srcstoretype pkcs12 -alias keystore1 - -keytool -import -trustcacerts -alias trust_key -file ca.crt -keystore truststore.jks +# Create crl with the other client cert: +# ------------------------------------------------------- +> openssl-database +echo 00 > openssl-crlnumber +openssl ca -config openssl.conf -revoke other-client.crt -keyfile client-ca.pem -cert client-ca.crt +openssl ca -config openssl.conf -gencrl -keyfile client-ca.pem -cert client-ca.crt -out other-client-crl.pem -crldays $VALIDITY ``` \ No newline at end of file diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java index 46e0ad1505..43982be8cd 100644 --- a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java +++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java 
@@ -31,14 +31,14 @@ public class MqttCrlEnabledExample {
 public static void main(final String[] args) throws Exception {
 boolean exception = false;
 try {
- callBroker("truststore.jks", "changeit", "client_revoked.jks", "changeit");
+ callBroker("server-ca-truststore.jks", "securepass", "other-client-keystore.jks", "securepass");
 } catch (SSLException e) {
 exception = true;
 }
 if (!exception) {
 throw new RuntimeException("The connection should be revoked");
 }
- callBroker("truststore.jks", "changeit", "client_not_revoked.jks", "changeit");
+ callBroker("server-ca-truststore.jks", "securepass", "client-keystore.jks", "securepass");
 }
 private static void callBroker(String truststorePath, String truststorePass, String keystorePath, String keystorePass) throws Exception {
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
index 9877bd57fa..fa630dc707 100644
--- a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
+++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
@@ -22,7 +22,7 @@ under the License.
 tcp://localhost:61616
- tcp://0.0.0.0:1883?protocols=MQTT;sslEnabled=true;keyStorePath=keystore1.jks;keyStorePassword=changeit;trustStorePath=truststore.jks;keyStorePassword=changeit;crlPath=root.crl.pem;needClientAuth=true
+ tcp://0.0.0.0:1883?protocols=MQTT;sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;keyStorePassword=securepass;crlPath=other-client-crl.pem;needClientAuth=true
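Review bot: The negative check around the first replaced `callBroker` line still accepts any `SSLException`, so a misconfigured trust store, a wrong EKU on the other-client certificate or any other handshake failure would also satisfy "The connection should be revoked" and the example would pass without the CRL ever being consulted. Running the accepted client first — move `callBroker("server-ca-truststore.jks", "securepass", "client-keystore.jks", "securepass");` above the try block — makes a broken trust chain fail loudly instead of masquerading as revocation, and adding `System.out.println("Rejected as expected: " + e);` in the catch makes the rejection reason visible in the output. The exception message alone is unlikely to confirm revocation, since the client probably sees only a fatal alert from the broker, so the ordering is the more reliable check. `main` is fully visible in the hunk; `callBroker` continues outside it.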
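Review bot: The rewritten MQTT acceptor URL repeats `keyStorePassword=securepass` right after `trustStorePath=client-ca-truststore.jks`; the second occurrence was evidently meant to be `trustStorePassword=securepass` (the old line carried the same slip with `changeit`, and the readme in this commit copies it verbatim). It presumably only works because a JKS trust store opened with a null password skips the integrity check, which is not something an example should rely on. Fix it here and in the readme: `…;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass;crlPath=other-client-crl.pem;needClientAuth=true`. The enclosing acceptors element is not visible in the hunk.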
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/client-ca-truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/client-ca-truststore.jks new file mode 100644 index 0000000000..e2dfeff87d Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/client-ca-truststore.jks differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks deleted file mode 100644 index 5d85fa7918..0000000000 Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/other-client-crl.pem b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/other-client-crl.pem new file mode 100644 index 0000000000..45f51abe29 --- /dev/null +++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/other-client-crl.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIB0zCBvAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll +bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTIxMDgwMzEzMDMwN1oYDzIxMjEw +NzEwMTMwMzA3WjAXMBUCBH493qkXDTIxMDgwMzEzMDMwN1qgDjAMMAoGA1UdFAQD +AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQBzM0YCos5sHRAN4pPzNWCAonqezX6FfcY+ +SuufVcxD583O2Vnuwmz9i9PhGJJbWxGuCtXwS1JNldm7/rXhpZOd539W1BJQprGb +nwooQWTBBU8qTaXmUVWiPsMlL/IcMUTB/DVgWsRuwjA7wtVAseIoa2Z/geZZAOwO +vgp7RAtWW9M1Vr7/XWNsJqIOoPnPqGhg8Nve2sFfySQmJQZP8LnnDgC6pv51TnRa +VrOmHtralj2d0U3z78nRZW26S1XMxA0wb5yTc4T8lxCZ969vwtiWOQRCoKL/EFWe +Yy2oBbRjTHEZWYyhYHCMcGP2JSGcDnSZmc+d7ydgx4Gq7nHy3FCM +-----END X509 CRL----- 
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem deleted file mode 100644 index 972afba252..0000000000 --- a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN X509 CRL----- -MIIBwzCBrAIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJBVTETMBEGA1UE -CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk -MQ0wCwYDVQQDDARjZXJ0Fw0yMDAxMDcxNjU0NTdaFw0yMjAxMDYxNjU0NTdaMBQw -EgIBAhcNMjAwMTA3MTY1NDUwWqAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEF -BQADggEBABMQJLN47mGcjUL4MzSwCwRZRuD53jrjQNVJ/0k69VGhwku5wCBzkT1G -qFMmmIxIk3n24UORXqHXuJTLeZj6ibGGYVDUz0gFDHIaBBczy///mguC0yN4nWtl -VR9r4LB9+ShzgL8mm5f1fB6nLZFXLbe4uLPNY600Z34AdtQrfQ7KumTlKQDGhNy0 -jNWmygLihTGVc4zoTcVKS7VJq/IuPJJzTm7AJ3zmLe5uq5lLmUAxzcF7YWTo85gZ -8K8kRJ0U75ujFez5Qx2oiuEPOvie0N6tpsV6JEE62Nbvso/jbbbOoG/1DTyaN1IM -xT78WqZYTHjJd4X0aoovUmFEhwOvzGs= ------END X509 CRL----- diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/server-keystore.jks new file mode 100644 index 0000000000..5a7e2c00bf Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/server-keystore.jks differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks deleted file mode 100644 index 8410bc3723..0000000000 Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks and /dev/null differ 
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client-keystore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client-keystore.jks new file mode 100644 index 0000000000..b968a0c54d Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client-keystore.jks differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks deleted file mode 100644 index b03e57a4f0..0000000000 Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_revoked.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_revoked.jks deleted file mode 100644 index 5e9987c7ec..0000000000 Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_revoked.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/other-client-keystore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/other-client-keystore.jks new file mode 100644 index 0000000000..f2061bd8bc Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/other-client-keystore.jks differ diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/server-ca-truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/server-ca-truststore.jks new file mode 100644 index 0000000000..3fe0f29ad2 Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/server-ca-truststore.jks differ 
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks deleted file mode 100644 index 8410bc3723..0000000000 Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-dual-authentication/readme.md b/examples/features/standard/ssl-enabled-dual-authentication/readme.md index 1fbe0dabfc..10584e63c7 100644 --- a/examples/features/standard/ssl-enabled-dual-authentication/readme.md +++ b/examples/features/standard/ssl-enabled-dual-authentication/readme.md 
@@ -6,21 +6,63 @@ This example shows you how to configure 2-way SSL along with 2 different authent To configure 2-way SSL you need to configure the acceptor as follows: - tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=server-side-truststore.jks;trustStorePassword=secureexample + tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass -In the server-side URL, the `server-side-keystore.jks` is the key store file holding the server's certificate. The `server-side-truststore.jks` is the file holding the certificates which the broker trusts. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively. +In the server-side URL, the `server-keystore.jks` is the key store file holding the server's certificate. The `client-ca-truststore.jks` is the file holding the certificates which the broker trusts. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively. Here's the URL the client uses to connect over SSL: - tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample + tcp://localhost:5500?sslEnabled=true&trustStorePath=server-ca-truststore.jks&trustStorePassword=securepass&keyStorePath=client-keystore.jks&keyStorePassword=securepass -In the client-side URL, the `client-side-keystore.jks` is the key store file holding the client's certificate. The `client-side-truststore.jks` is the file holding the certificates which the client trusts. The `sslEnabled` parameter is present here as well just as it is on the server. 
+In the client-side URL, the `client-keystore.jks` is the key store file holding the client's certificate. The `server-ca-truststore.jks` is the file holding the certificates which the client trusts. The `sslEnabled` parameter is present here as well just as it is on the server. The various keystore files are generated using the following commands: -* `keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA` -* `keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample` -* `keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt` -* `keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA` -* `keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample` -* `keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt` +```shell +#!/bin/bash +set -e + +KEY_PASS=securepass +STORE_PASS=securepass +CA_VALIDITY=365000 +VALIDITY=36500 + +# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust: +# ----------------------------------------------------------------------------------------------------------- +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt + 
+# Create trust store with the server CA cert: +# ------------------------------------------- +keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt + +# Create a key pair for the server, and sign it with the CA: +# ---------------------------------------------------------- +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr +keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt + +# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust: +# ----------------------------------------------------------------------------------------------------------- +keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt + +# Create trust store with the client CA cert: +# ------------------------------------------- +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 
-storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt + +# Create a key pair for the client, and sign it with the CA: +# ---------------------------------------------------------- +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore client-keystore.jks -storepass $STORE_PASS -alias client -certreq -file client.csr +keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt +``` diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml index 1bba774894..4de5a06678 100644 --- a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml +++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml 
@@ -31,7 +31,7 @@ under the License. tcp://localhost:61616 - tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=server-side-truststore.jks;trustStorePassword=secureexample + tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-ca-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-ca-truststore.jks new file mode 100644 index 0000000000..e2dfeff87d Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-ca-truststore.jks differ diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks deleted file mode 100644 index cb65a44ddc..0000000000 Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks deleted file mode 100644 index 7eb1d5634d..0000000000 Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks and /dev/null differ 
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-keystore.jks new file mode 100644 index 0000000000..5a7e2c00bf Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-keystore.jks differ diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks deleted file mode 100644 index 6089c6ee13..0000000000 Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks deleted file mode 100644 index 0b7e224163..0000000000 Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks and /dev/null differ diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/client-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/client-keystore.jks new file mode 100644 index 0000000000..b968a0c54d Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/client-keystore.jks differ 
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
index 12fbef627e..aa50486921 100644
--- a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
@@ -16,6 +16,6 @@ # under the License.
 java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
-connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
+connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=server-ca-truststore.jks&trustStorePassword=securepass&keyStorePath=client-keystore.jks&keyStorePassword=securepass
 connectionFactory.ConnectionFactory=tcp://localhost:61616
 queue.queue/exampleQueue=exampleQueue
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/server-ca-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/server-ca-truststore.jks new file mode 100644
index 0000000000..3fe0f29ad2 Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/server-ca-truststore.jks differ
diff --git a/examples/features/standard/ssl-enabled/pom.xml b/examples/features/standard/ssl-enabled/pom.xml
index 718ca7ee4a..8eb6dcf398 100644
--- a/examples/features/standard/ssl-enabled/pom.xml
+++ b/examples/features/standard/ssl-enabled/pom.xml
@@ -66,7 +66,7 @@ under the License. ${noServer} true
- tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/activemq.example.truststore&trustStorePassword=activemqexample
+ tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/server-ca-truststore.jks&trustStorePassword=securepass
 run
diff --git a/examples/features/standard/ssl-enabled/readme.md b/examples/features/standard/ssl-enabled/readme.md
index 6038f6da90..5c3a12d988 100644
--- a/examples/features/standard/ssl-enabled/readme.md
+++ b/examples/features/standard/ssl-enabled/readme.md
@@ -6,10 +6,35 @@ This example shows you how to configure SSL with ActiveMQ Artemis to send and re Using SSL can make your messaging applications interact with ActiveMQ Artemis securely. An application can be secured transparently without extra coding effort. To secure your messaging application with SSL, you need to configure connector and acceptor as follows: - tcp://localhost:5500?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample + tcp://localhost:5500?sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass In the configuration, the `activemq.example.keystore` is the key store file holding the server's certificate. The `activemq.example.truststore` is the file holding the certificates which the client trusts (i.e. the server's certificate exported from activemq.example.keystore). They are generated via the following commands: -* `keytool -genkey -keystore activemq.example.keystore -storepass activemqexample -keypass activemqexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA` -* `keytool -export -keystore activemq.example.keystore -file server-side-cert.cer -storepass activemqexample` -* `keytool -import -keystore activemq.example.truststore -file server-side-cert.cer -storepass activemqexample -keypass activemqexample -noprompt` \ No newline at end of file +```shell +#!/bin/bash +set -e + +KEY_PASS=securepass +STORE_PASS=securepass +CA_VALIDITY=365000 +VALIDITY=36500 + +# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust: +# ----------------------------------------------------------------------------------------------------------- +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext 
bc:c=ca:true +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt + +# Create trust store with the server CA cert: +# ------------------------------------------- +keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt + +# Create a key pair for the server, and sign it with the CA: +# ---------------------------------------------------------- +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr +keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1 + +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt +``` diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.keystore b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.keystore deleted file mode 100644 index 4ed24133c4..0000000000 Binary files a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.keystore and /dev/null differ 
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.truststore b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.truststore deleted file mode 100644 index 45ab086071..0000000000 Binary files a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.truststore and /dev/null differ diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml index 04bcec5976..1a346304ad 100644 --- a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml +++ b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml @@ -31,7 +31,7 @@ under the License. - tcp://localhost:5500?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample + tcp://localhost:5500?sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-ca-truststore.jks b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-ca-truststore.jks new file mode 100644 index 0000000000..3fe0f29ad2 Binary files /dev/null and b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-ca-truststore.jks differ diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-keystore.jks new file mode 100644 index 0000000000..5a7e2c00bf Binary files /dev/null and b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-keystore.jks differ 
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties b/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
index 7929c7c4fa..1b2906f559 100644
--- a/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
+++ b/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
@@ -16,5 +16,5 @@ # under the License.
 java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
-connectionFactory.ConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/activemq.example.truststore&trustStorePassword=activemqexample
+connectionFactory.ConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/server-ca-truststore.jks&trustStorePassword=securepass
 queue.queue/exampleQueue=exampleQueue
diff --git a/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java b/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java
index 688c03ab3f..8346494241 100644
--- a/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java
+++ b/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java
@@ -45,10 +45,10 @@ public class StompDualAuthenticationExample {
 try {
 // set up SSL keystores for Stomp connection
- System.setProperty("javax.net.ssl.trustStore", args[0] + "client-side-truststore.jks");
- System.setProperty("javax.net.ssl.trustStorePassword", "secureexample");
- System.setProperty("javax.net.ssl.keyStore", args[0] + "client-side-keystore.jks");
- System.setProperty("javax.net.ssl.keyStorePassword", "secureexample");
+ System.setProperty("javax.net.ssl.trustStore", args[0] + "server-ca-truststore.jks");
+ System.setProperty("javax.net.ssl.trustStorePassword", "securepass");
+ System.setProperty("javax.net.ssl.keyStore", args[0] + "client-keystore.jks");
+ System.setProperty("javax.net.ssl.keyStorePassword", "securepass");
 // Step 1. Create an SSL socket to connect to the broker
 SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
diff --git a/tests/integration-tests/pom.xml b/tests/integration-tests/pom.xml
index d7e71e598e..7517eee99e 100644
--- a/tests/integration-tests/pom.xml
+++ b/tests/integration-tests/pom.xml
@@ -474,6 +474,9 @@
 **/rest/*.xml
+
+ ../security-resources
+
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java
index 5ded6f29fe..c135dc5089 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java
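Review bot: Moving the example's trust anchor from the server's own certificate to `server-ca-truststore.jks` makes hostname verification load-bearing, and the raw `SSLSocket` obtained from `SSLSocketFactory.getDefault()` here does not perform it: any certificate issued by the example CA, for any host name, would be accepted. On the `SSLSocket` created after the hunk, enable endpoint identification before connecting: `SSLParameters params = socket.getSSLParameters(); params.setEndpointIdentificationAlgorithm("HTTPS"); socket.setSSLParameters(params);`. The server certificate produced by the keytool scripts in the readme hunks of this diff carries `san=dns:localhost,ip:127.0.0.1`, so the check should pass against `localhost`. The enclosing `try` block and the socket creation continue past the hunk.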
@@ -36,6 +36,9 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 @RunWith(Parameterized.class)
 public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
@@ -90,9 +93,9 @@ public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
 if (protocol == 0) {
 return new JmsConnectionFactory("failover:(amqp://localhost:61616)");
 } else {
- String keystore = this.getClass().getClassLoader().getResource("client-side-keystore.jks").getFile();
- String truststore = this.getClass().getClassLoader().getResource("client-side-truststore.jks").getFile();
- return new JmsConnectionFactory("failover:(amqps://localhost:61616?transport.keyStoreLocation=" + keystore + "&transport.keyStorePassword=secureexample&transport.trustStoreLocation=" + truststore + "&transport.trustStorePassword=secureexample&transport.verifyHost=false)");
+ String keystore = this.getClass().getClassLoader().getResource("client-keystore.jks").getFile();
+ String truststore = this.getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
+ return new JmsConnectionFactory("failover:(amqps://localhost:61616?transport.keyStoreLocation=" + keystore + "&transport.keyStorePassword=securepass&transport.trustStoreLocation=" + truststore + "&transport.trustStorePassword=securepass&transport.verifyHost=false)");
 }
 }
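Review bot: `transport.verifyHost=false` survives in the new `amqps://` URI even though the client now trusts a CA (`server-ca-truststore.jks`) instead of a single pinned server certificate, so any certificate that CA ever issued, for any host, would be accepted by this connection. If the checked-in `server-keystore.jks` was produced by the keytool scripts shown in the readme hunks of this diff, it carries `san=dns:localhost,ip:127.0.0.1`, and the option can simply be removed so the test exercises hostname verification against `localhost` rather than bypassing it. The signature of the method containing this `if`/`else` lies above the hunk.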
@@ -101,10 +104,10 @@ public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
 if (protocol == 1) {
 server1Params.put(TransportConstants.SSL_ENABLED_PROP_NAME, "true");
- server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 }
 if (live) {
@@ -120,10 +123,10 @@ public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
 Map server1Params = new HashMap<>();
 if (protocol == 1) {
 server1Params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 }
 if (live) {
 return new TransportConfiguration(NETTY_CONNECTOR_FACTORY, server1Params);
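Review bot: The acceptor in the first hunk is now given `client-ca-truststore.jks`, but nothing visible requires or requests a client certificate, so unless `needClientAuth` is set outside the hunk that truststore is inert and the `client-keystore.jks` the connector presents in the second hunk is never actually validated by the broker. If mutual TLS is meant to be part of this failover test, add `server1Params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "true");` alongside the other acceptor params; if it is not, dropping the two `TRUSTSTORE_*` entries from the acceptor makes the configuration say what it does. Both hunks start inside methods whose signatures are above them.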
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java
index 6320b4fc82..7e109732aa 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java
@@ -58,6 +58,9 @@ import org.junit.runner.RunWith;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertEquals;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 @RunWith(FrameworkRunner.class)
 @CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)})
 @ApplyLdifFiles("AMQauth.ldif")
@@ -117,10 +120,10 @@ public class JMSSaslExternalLDAPTest extends AbstractLdapTestUnit {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "keystore1.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 Map extraParams = new HashMap<>();
@@ -146,14 +149,14 @@ public class JMSSaslExternalLDAPTest extends AbstractLdapTestUnit {
 @Test(timeout = 600000)
 public void testRoundTrip() throws Exception {
- final String keystore = this.getClass().getClassLoader().getResource("client_not_revoked.jks").getFile();
- final String truststore = this.getClass().getClassLoader().getResource("truststore.jks").getFile();
+ final String keystore = this.getClass().getClassLoader().getResource("client-keystore.jks").getFile();
+ final String truststore = this.getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
 String connOptions = "?amqp.saslMechanisms=EXTERNAL" + "&" +
 "transport.trustStoreLocation=" + truststore + "&" +
- "transport.trustStorePassword=changeit" + "&" +
+ "transport.trustStorePassword=securepass" + "&" +
 "transport.keyStoreLocation=" + keystore + "&" +
- "transport.keyStorePassword=changeit" + "&" +
+ "transport.keyStorePassword=securepass" + "&" +
 "transport.verifyHost=false";
 JmsConnectionFactory factory = new JmsConnectionFactory(new URI("amqps://localhost:" + 61616 + connOptions));
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java
index b9da886d85..078d39f8af 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java
@@ -60,6 +60,9 @@ import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 public class JMSSaslExternalTest extends ActiveMQTestBase {
 static {
@@ -98,10 +101,10 @@ public class JMSSaslExternalTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "keystore1.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 Map extraParams = new HashMap<>();
@@ -127,14 +130,14 @@ public class JMSSaslExternalTest extends ActiveMQTestBase {
 @Test(timeout = 600000)
 public void testConnection() throws Exception {
- final String keystore = this.getClass().getClassLoader().getResource("client_not_revoked.jks").getFile();
- final String truststore = this.getClass().getClassLoader().getResource("truststore.jks").getFile();
+ final String keystore = this.getClass().getClassLoader().getResource("other-client-keystore.jks").getFile();
+ final String truststore = this.getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
 String connOptions = "?amqp.saslMechanisms=EXTERNAL" + "&" +
 "transport.trustStoreLocation=" + truststore + "&" +
- "transport.trustStorePassword=changeit" + "&" +
+ "transport.trustStorePassword=securepass" + "&" +
 "transport.keyStoreLocation=" + keystore + "&" +
- "transport.keyStorePassword=changeit" + "&" +
+ "transport.keyStorePassword=securepass" + "&" +
 "transport.verifyHost=false";
 JmsConnectionFactory factory = new JmsConnectionFactory(new URI("amqps://localhost:" + 61616 + connOptions));
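Review bot: `testConnection` now presents `other-client-keystore.jks` while the core-connector test in the following hunk presents `client-keystore.jks`, and with `amqp.saslMechanisms=EXTERNAL` the TLS client certificate is what supplies the authenticated identity, so the two tests assert against different principals without the code saying so. A one-line comment above the keystore lookup would stop a later "harmonisation" back to one keystore from silently changing what is tested, e.g. `// other-client-keystore.jks carries a different subject than client-keystore.jks; this test exercises that identity's mapping`. The actual subjects live in the external build.sh the new Javadoc points to and are not visible here, so the wording should be confirmed against it.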
@@ -164,10 +167,10 @@ public class JMSSaslExternalTest extends ActiveMQTestBase {
 final Map config = new LinkedHashMap<>();
 config.put(TransportConstants.HOST_PROP_NAME, "localhost");
 config.put(TransportConstants.PORT_PROP_NAME, String.valueOf(61616));
- config.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client_not_revoked.jks");
- config.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- config.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- config.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
+ config.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ config.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ config.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ config.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 config.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 config.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java
index 0a37e89c19..7140d75bfe 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java
@@ -52,16 +52,21 @@ import io.vertx.proton.ProtonConnection;
 import io.vertx.proton.ProtonServerOptions;
 import io.vertx.proton.sasl.ProtonSaslAuthenticator;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 public class AMQPConnectSaslTest extends AmqpClientTestSupport {
 private static final int BROKER_PORT_NUM = AMQP_PORT + 1;
- private static final String SERVER_KEYSTORE_NAME = "keystore1.jks";
- private static final String SERVER_KEYSTORE_PASSWORD = "changeit";
- private static final String CLIENT_KEYSTORE_NAME = "client_not_revoked.jks";
- private static final String CLIENT_KEYSTORE_PASSWORD = "changeit";
- private static final String TRUSTSTORE_NAME = "truststore.jks";
- private static final String TRUSTSTORE_PASSWORD = "changeit";
+ private static final String SERVER_KEYSTORE_NAME = "server-keystore.jks";
+ private static final String SERVER_KEYSTORE_PASSWORD = "securepass";
+ private static final String CLIENT_KEYSTORE_NAME = "client-keystore.jks";
+ private static final String CLIENT_KEYSTORE_PASSWORD = "securepass";
+ private static final String SERVER_TRUSTSTORE_NAME = "server-ca-truststore.jks";
+ private static final String SERVER_TRUSTSTORE_PASSWORD = "securepass";
+ private static final String CLIENT_TRUSTSTORE_NAME = "client-ca-truststore.jks";
+ private static final String CLIENT_TRUSTSTORE_PASSWORD = "securepass";
 private static final String USER = "MY_USER";
 private static final String PASSWD = "PASSWD_VALUE";
@@ -220,8 +225,8 @@ public class AMQPConnectSaslTest extends AmqpClientTestSupport {
 serverOptions.setKeyStoreOptions(jksKeyStoreOptions);
 if (requireClientCert) {
- final String trustStorePath = this.getClass().getClassLoader().getResource(TRUSTSTORE_NAME).getFile();
- JksOptions jksTrustStoreOptions = new JksOptions().setPath(trustStorePath).setPassword(TRUSTSTORE_PASSWORD);
+ final String trustStorePath = this.getClass().getClassLoader().getResource(CLIENT_TRUSTSTORE_NAME).getFile();
+ JksOptions jksTrustStoreOptions = new JksOptions().setPath(trustStorePath).setPassword(CLIENT_TRUSTSTORE_PASSWORD);
 serverOptions.setTrustStoreOptions(jksTrustStoreOptions);
 serverOptions.setClientAuth(ClientAuth.REQUIRED);
@@ -236,7 +241,7 @@ public class AMQPConnectSaslTest extends AmqpClientTestSupport {
 });
 String amqpServerConnectionURI = "tcp://localhost:" + mockServer.actualPort() +
- "?sslEnabled=true;trustStorePath=" + TRUSTSTORE_NAME + ";trustStorePassword=" + TRUSTSTORE_PASSWORD;
+ "?sslEnabled=true;trustStorePath=" + SERVER_TRUSTSTORE_NAME + ";trustStorePassword=" + SERVER_TRUSTSTORE_PASSWORD;
 if (requireClientCert) {
 amqpServerConnectionURI += ";keyStorePath=" + CLIENT_KEYSTORE_NAME + ";keyStorePassword=" + CLIENT_KEYSTORE_PASSWORD;
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
index e4d1a6e8ff..71476f5943 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
@@ -51,6 +51,9 @@ import org.junit.Test;
 import static org.apache.activemq.artemis.api.core.management.CoreNotificationType.CONSUMER_CREATED;
 import static org.apache.activemq.artemis.api.core.management.CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 public class SSLSecurityNotificationTest extends ActiveMQTestBase {
 static {
@@ -78,10 +81,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "bad-client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
@@ -96,7 +99,7 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
 ClientMessage[] notifications = SSLSecurityNotificationTest.consumeMessages(1, notifConsumer);
 Assert.assertEquals(SECURITY_AUTHENTICATION_VIOLATION.toString(), notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TYPE).toString());
 Assert.assertEquals(null, notifications[0].getObjectProperty(ManagementHelper.HDR_USER));
- Assert.assertEquals("CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString());
+ Assert.assertEquals("CN=ActiveMQ Artemis Unknown Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString());
 Assert.assertTrue(notifications[0].getObjectProperty(ManagementHelper.HDR_REMOTE_ADDRESS).toString().startsWith("/127.0.0.1"));
 Assert.assertTrue(notifications[0].getTimestamp() >= start);
 Assert.assertTrue((long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start);
@@ -116,10 +119,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
@@ -154,10 +157,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -173,10 +176,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
index 3db9734cf2..080fdda9d4 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
@@ -37,87 +37,10 @@ import org.fusesource.mqtt.client.QoS;
 import org.fusesource.mqtt.client.Topic;
 import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 public class MQTTSecurityCRLTest extends ActiveMQTestBase {
- /**
- * These artifacts are required for testing mqtt with CRL
- *

- * openssl genrsa -out ca.key 2048
- * openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
- * touch certindex
- * echo 01 > certserial
- * echo 01 > crlnumber
- *

- * Create ca.conf file with
- *

- * [ ca ]
- * default_ca = myca
- *

- * [ crl_ext ]
- * # issuerAltName=issuer:copy #this would copy the issuer name to altname
- * authorityKeyIdentifier=keyid:always
- *

- * [ myca ]
- * dir = ./
- * new_certs_dir = $dir
- * unique_subject = no
- * certificate = $dir/ca.crt
- * database = $dir/certindex
- * private_key = $dir/ca.key
- * serial = $dir/certserial
- * default_days = 730
- * default_md = sha1
- * policy = myca_policy
- * x509_extensions = myca_extensions
- * crlnumber = $dir/crlnumber
- * default_crl_days = 730
- *

- * [ myca_policy ]
- * commonName = supplied
- * stateOrProvinceName = supplied
- * countryName = optional
- * emailAddress = optional
- * organizationName = supplied
- * organizationalUnitName = optional
- *

- * [ myca_extensions ]
- * basicConstraints = CA:false
- * subjectKeyIdentifier = hash
- * authorityKeyIdentifier = keyid:always
- * keyUsage = digitalSignature,keyEncipherment
- * extendedKeyUsage = serverAuth, clientAuth
- * crlDistributionPoints = URI:http://example.com/root.crl
- * subjectAltName = @alt_names
- *

- * [alt_names]
- * DNS.1 = example.com
- * DNS.2 = *.example.com
- *

- * Continue executing the commands:
- *

- * openssl genrsa -out keystore1.key 2048
- * openssl req -new -key keystore1.key -out keystore1.csr
- * openssl ca -batch -config ca.conf -notext -in keystore1.csr -out keystore1.crt
- * openssl genrsa -out client_revoked.key 2048
- * openssl req -new -key client_revoked.key -out client_revoked.csr
- * openssl ca -batch -config ca.conf -notext -in client_revoked.csr -out client_revoked.crt
- * openssl genrsa -out client_not_revoked.key 2048
- * openssl req -new -key client_not_revoked.key -out client_not_revoked.csr
- * openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr -out client_not_revoked.crt
- * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
- * openssl ca -config ca.conf -revoke client_revoked.crt -keyfile ca.key -cert ca.crt
- * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
- *

- * openssl pkcs12 -export -name client_revoked -in client_revoked.crt -inkey client_revoked.key -out client_revoked.p12
- * keytool -importkeystore -destkeystore client_revoked.jks -srckeystore client_revoked.p12 -srcstoretype pkcs12 -alias client_revoked
- *

- * openssl pkcs12 -export -name client_not_revoked -in client_not_revoked.crt -inkey client_not_revoked.key -out client_not_revoked.p12
- * keytool -importkeystore -destkeystore client_not_revoked.jks -srckeystore client_not_revoked.p12 -srcstoretype pkcs12 -alias client_not_revoked
- *

- * openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey keystore1.key -out keystore1.p12
- * keytool -importkeystore -destkeystore keystore1.jks -srckeystore keystore1.p12 -srcstoretype pkcs12 -alias keystore1
- *

- * keytool -import -trustcacerts -alias trust_key -file ca.crt -keystore truststore.jks
- */
 @Test
 public void crlRevokedTest() throws Exception {
@@ -131,7 +54,7 @@ public class MQTTSecurityCRLTest extends ActiveMQTestBase {
 Thread.sleep(50);
 }
- connection1 = retrieveMQTTConnection("ssl://localhost:1883", "truststore.jks", "changeit", "client_revoked.jks", "changeit");
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883", "server-ca-truststore.jks", "securepass", "other-client-keystore.jks", "securepass");
 // Subscribe to topics
 Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
@@ -170,7 +93,7 @@ public class MQTTSecurityCRLTest extends ActiveMQTestBase {
 Thread.sleep(50);
 }
- connection1 = retrieveMQTTConnection("ssl://localhost:1883", "truststore.jks", "changeit", "client_not_revoked.jks", "changeit");
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883", "server-ca-truststore.jks", "securepass", "client-keystore.jks", "securepass");
 // Subscribe to topics
 Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
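Review bot: The renamed keystores no longer say which client identity is revoked: crlRevokedTest now connects with `other-client-keystore.jks` and the second test (hunk at -170) with `client-keystore.jks`, where the old client_revoked.jks / client_not_revoked.jks names made the expected outcome of each connect obvious. A one-line comment above the first retrieveMQTTConnection call, e.g. `// other-client-keystore.jks is the identity revoked in other-client-crl.pem (the acceptor's CRL_PATH), so this connect must be rejected`, would keep that intent readable; the pairing with other-client-crl.pem is inferred from the acceptor hunk at -220 and is not stated anywhere in the test itself. Both test methods start before and end after these hunks.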
@@ -220,11 +143,11 @@ public class MQTTSecurityCRLTest extends ActiveMQTestBase {
 TransportConfiguration transportConfiguration = new TransportConfiguration(NettyAcceptorFactory.class.getCanonicalName(), null, "mqtt", null);
 transportConfiguration.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
- transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "keystore1.jks");
- transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- transportConfiguration.getParams().put(TransportConstants.CRL_PATH_PROP_NAME, "root.crl.pem");
+ transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ transportConfiguration.getParams().put(TransportConstants.CRL_PATH_PROP_NAME, "other-client-crl.pem");
 transportConfiguration.getParams().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "true");
 transportConfiguration.getParams().put(TransportConstants.PORT_PROP_NAME, "1883");
 transportConfiguration.getParams().put(TransportConstants.HOST_PROP_NAME, "localhost");
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
index 1da806d5c2..45b1082ac3 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
@@ -78,6 +78,9 @@ import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 public class SecurityTest extends ActiveMQTestBase {
 static {
@@ -183,10 +186,10 @@ public class SecurityTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(clientAuthPropName, true);
 server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -195,10 +198,10 @@ public class SecurityTest extends ActiveMQTestBase {
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory cf = createSessionFactory(locator);
@@ -218,10 +221,10 @@ public class SecurityTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -234,10 +237,10 @@ public class SecurityTest extends ActiveMQTestBase {
 server.start();
 ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616?verifyHostName=false");
- factory.setTrustStore("client-side-truststore.jks");
- factory.setTrustStorePassword("secureexample");
- factory.setKeyStore("client-side-keystore.jks");
- factory.setKeyStorePassword("secureexample");
+ factory.setTrustStore("server-ca-truststore.jks");
+ factory.setTrustStorePassword("securepass");
+ factory.setKeyStore("client-keystore.jks");
+ factory.setKeyStorePassword("securepass");
 try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
 Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
@@ -264,10 +267,10 @@ public class SecurityTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -275,10 +278,10 @@ public class SecurityTest extends ActiveMQTestBase {
 ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616?verifyHostName=false");
 factory.setUserName("test-user");
- factory.setTrustStore("client-side-truststore.jks");
- factory.setTrustStorePassword("secureexample");
- factory.setKeyStore("client-side-keystore.jks");
- factory.setKeyStorePassword("secureexample");
+ factory.setTrustStore("server-ca-truststore.jks");
+ factory.setTrustStorePassword("securepass");
+ factory.setKeyStore("client-keystore.jks");
+ factory.setKeyStorePassword("securepass");
 factory.setWatchTopicAdvisories(false);
 try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
@@ -381,9 +384,9 @@ public class SecurityTest extends ActiveMQTestBase {
 * This test requires a client-side certificate that will be trusted by the server but whose dname will be rejected
 * by the CertLogin login module. I created this cert with the follow commands:
 *
- * keytool -genkey -keystore bad-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore bad-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt -alias bad
+ * keytool -genkey -keystore bad-client-keystore.jks -storepass securepass -keypass securepass -dname "CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+ * keytool -export -keystore bad-client-keystore.jks -file activemq-jks.cer -storepass securepass
+ * keytool -import -keystore client-ca-truststore.jks -file activemq-jks.cer -storepass securepass -keypass securepass -noprompt -alias bad
 */
 @Test
 public void testJAASSecurityManagerAuthenticationWithBadClientCert() throws Exception {
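Review bot: The updated Javadoc still documents `bad-client-keystore.jks` with `CN=Bad Client`, but the body of testJAASSecurityManagerAuthenticationWithBadClientCert (hunk at -404) now loads `unknown-client-keystore.jks`, and SSLSecurityNotificationTest asserts the DN `CN=ActiveMQ Artemis Unknown Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ` for that same store, so the keytool recipe kept here no longer describes the certificate the test presents. Since this commit adds a class-level pointer to tests/security-resources/build.sh, the three keytool lines are better replaced by one sentence naming unknown-client-keystore.jks and deferring to build.sh, or at least updated to the file name and DN actually in use; as written the comment would lead anyone regenerating the resources to build a store the test never reads. The method body continues outside the hunk.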
@@ -392,10 +395,10 @@ public class SecurityTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -404,10 +407,10 @@ public class SecurityTest extends ActiveMQTestBase {
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "bad-client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory cf = createSessionFactory(locator);
@@ -701,10 +704,10 @@ public class SecurityTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
 server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -717,10 +720,10 @@ public class SecurityTest extends ActiveMQTestBase {
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory cf = createSessionFactory(locator);
@@ -894,10 +897,10 @@ public class SecurityTest extends ActiveMQTestBase {
 Map params = new HashMap<>();
 params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
 params.put(clientAuthPropName, true);
 server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -909,10 +912,10 @@ public class SecurityTest extends ActiveMQTestBase {
 TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
 tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
 ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
 ClientSessionFactory cf = createSessionFactory(locator);
 ClientSession session = addClientSession(cf.createSession());
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
index 5d912f6436..710bb16925 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
@@ -56,6 +56,9 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
 @RunWith(value = Parameterized.class)
 public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
 String suffix = "";
@@ -82,60 +85,18 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase { if (suffix.equalsIgnoreCase("PKCS12")) { suffix = "p12"; } - SERVER_SIDE_KEYSTORE = "server-side-keystore." + suffix; - CLIENT_SIDE_TRUSTSTORE = "client-side-truststore." + suffix; + SERVER_SIDE_KEYSTORE = "server-keystore." + suffix; + CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore." + suffix; } public static final SimpleString QUEUE = new SimpleString("QueueOverSSL"); - /** - * These artifacts are required for testing 1-way SSL - * - * Commands to create the JKS artifacts: - * keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore server-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore other-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore other-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore other-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore verified-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore verified-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * Commands to create the JCEKS artifacts: - * keytool -genkey 
-keystore server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore other-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore other-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore other-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore verified-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore verified-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * Commands to create the PKCS12 artifacts: - * keytool -genkey -keystore server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample - * keytool -import -keystore client-side-truststore.p12 -storetype PKCS12 -file 
activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore other-server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore other-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample - * keytool -import -keystore other-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore verified-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample - * keytool -import -keystore verified-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - */ private boolean generateWarning; private String storeProvider; private String storeType; private String SERVER_SIDE_KEYSTORE; private String CLIENT_SIDE_TRUSTSTORE; - private final String PASSWORD = "secureexample"; + private final String PASSWORD = "securepass"; private ActiveMQServer server; 
@@ -476,13 +437,13 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase { @Test public void testOneWaySSLVerifyHost() throws Exception { - createCustomSslServer(true); + createCustomSslServer(); String text = RandomUtil.randomString(); tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider); tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType); - tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_TRUSTSTORE); + tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE); tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD); tc.getParams().put(TransportConstants.VERIFY_HOST_PROP_NAME, true); @@ -505,7 +466,7 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase { @Test public void testOneWaySSLVerifyHostNegative() throws Exception { - createCustomSslServer(); + createCustomSslServer(true); String text = RandomUtil.randomString(); tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); @@ -548,7 +509,7 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase { tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true); tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider); tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType); - tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "other-client-side-truststore." + suffix); + tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "other-server-truststore." + suffix); tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD); ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc)).setCallTimeout(3000); 
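Review bot: In the `@@ -505` hunk testOneWaySSLVerifyHostNegative now starts the server with `createCustomSslServer(true);`, which per the `@@ -1025` hunk selects the `unknown-` keystore; if that certificate is not chained to server-ca-truststore, the client rejects the handshake on trust before hostname verification is consulted, and a negative hostname-verification test passes for the wrong reason. A true negative needs a certificate the client trusts whose CN/SAN does not match the connection address, or an assertion on the failure cause; the remainder of the method is outside the hunk, so I cannot tell whether it pins the cause. If the unknown- keystore is the intended fixture, a comment on that line such as `// unknown- keystore: cert is not in the client truststore, so the failure is a trust failure rather than a hostname mismatch` would make the assumption explicit. Separately, with DEFAULT_CONNECTOR_VERIFY_HOST now true the explicit `VERIFY_HOST_PROP_NAME, true` in the `@@ -476` hunk is redundant, but worth keeping as documentation of what the test exercises.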
@@ -561,7 +522,7 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase { // reload the acceptor to reload the SSL stores NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL"); - acceptor.setKeyStorePath("other-server-side-keystore." + suffix); + acceptor.setKeyStorePath("other-" + SERVER_SIDE_KEYSTORE); acceptor.reload(); // create a session with the locator which failed previously proving that the SSL stores have been reloaded @@ -1000,20 +961,20 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase { createCustomSslServer(null, null, false, sniHost); } - private void createCustomSslServer(boolean useVerifiedKeystore) throws Exception { - createCustomSslServer(null, null, useVerifiedKeystore, null); + private void createCustomSslServer(boolean useUnknownKeystore) throws Exception { + createCustomSslServer(null, null, useUnknownKeystore, null); } private void createCustomSslServer(String cipherSuites, String protocols, - boolean useVerifiedKeystore, + boolean useUnknownKeystore, String sniHost) throws Exception { - createCustomSslServer(cipherSuites, protocols, useVerifiedKeystore, sniHost, null); + createCustomSslServer(cipherSuites, protocols, useUnknownKeystore, sniHost, null); } private void createCustomSslServer(String cipherSuites, String protocols, - boolean useVerifiedKeystore, + boolean useUnknownKeystore, String sniHost, String trustManagerFactoryPlugin) throws Exception { Map params = new HashMap<>(); @@ -1025,8 +986,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase { params.put(TransportConstants.SNIHOST_PROP_NAME, sniHost); } - if (useVerifiedKeystore) { - params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "verified-" + SERVER_SIDE_KEYSTORE); + if (useUnknownKeystore) { + params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-" + SERVER_SIDE_KEYSTORE); } else { params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE); } 
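Review bot: The renamed `useUnknownKeystore` parameter in the `@@ -1000` and `@@ -1025` hunks is undocumented on all three createCustomSslServer overloads, and the name alone does not say what makes the keystore "unknown". A Javadoc on the innermost overload, e.g. `@param useUnknownKeystore when {@code true} the acceptor is started with the {@code unknown-} prefixed keystore, presumably a certificate not chained to the client truststore (confirm against tests/security-resources/build.sh)`, would tell readers of the calling tests which failure mode they are exercising. The overloads' bodies continue outside the hunks.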
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java index ed78d7217c..c21dc45292 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java @@ -55,6 +55,9 @@ import org.junit.runners.Parameterized; import io.netty.handler.ssl.SslHandler; +/** + * See the tests/security-resources/build.sh script for details on the security resources used. + */ @RunWith(value = Parameterized.class) public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { 
@@ -96,90 +99,14 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { suffix = "p12"; } - String prefix = ""; - if (TransportConstants.OPENSSL_PROVIDER.equals(clientSSLProvider) || TransportConstants.OPENSSL_PROVIDER.equals(serverSSLProvider)) { - prefix = "openssl-"; - } - SERVER_SIDE_KEYSTORE = prefix + "server-side-keystore." + suffix; - SERVER_SIDE_TRUSTSTORE = prefix + "server-side-truststore." + suffix; - CLIENT_SIDE_TRUSTSTORE = prefix + "client-side-truststore." + suffix; - CLIENT_SIDE_KEYSTORE = prefix + "client-side-keystore." + suffix; + SERVER_SIDE_KEYSTORE = "server-keystore." + suffix; + SERVER_SIDE_TRUSTSTORE = "client-ca-truststore." + suffix; + CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore." + suffix; + CLIENT_SIDE_KEYSTORE = "client-keystore." + suffix; } public static final SimpleString QUEUE = new SimpleString("QueueOverSSL"); - /** - * These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL from {@link CoreClientOverOneWaySSLTest} - * - * Commands to create the JKS artifacts: - * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1 - * keytool -export -keystore verified-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore verified-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * 
- * Commands to create the JCEKS artifacts: - * keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1 - * keytool -export -keystore verified-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore verified-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * Commands to create the PKCS12 artifacts: - * keytool -genkey -keystore client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample - * keytool -import -keystore server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1 - * keytool -export -keystore verified-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample - * keytool 
-import -keystore verified-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - * - * These artifacts are required for testing 2-way SSL with Open SSL - note the EC key and ECDSA signature to comply with what OpenSSL offers - * - * Commands to create the OpenSSL JKS artifacts: - * keytool -genkey -keystore openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore openssl-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1 - * keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample - * keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt - * - * Commands to create the OpenSSL JCEKS artifacts: - * keytool -genkey -keystore openssl-client-side-keystore.jceks -storetype JCEKS -storepass 
secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore openssl-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1 - * keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample - * keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt - * - * Commands to create the OpenSSL PKCS12 artifacts: - * keytool -genkey -keystore openssl-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 
-storepass secureexample - * keytool -import -keystore openssl-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore openssl-server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA - * keytool -export -keystore openssl-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample - * keytool -import -keystore openssl-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - * - * keytool -genkey -keystore verified-openssl-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1 - * keytool -export -keystore verified-openssl-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample - * keytool -import -keystore verified-openssl-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt - */ - private String storeType; private String storeProvider; private String clientSSLProvider; @@ -188,7 +115,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { private String SERVER_SIDE_TRUSTSTORE; private String CLIENT_SIDE_TRUSTSTORE; private String CLIENT_SIDE_KEYSTORE; - private final String PASSWORD = "secureexample"; + private final String PASSWORD = "securepass"; private ActiveMQServer server; 
@@ -255,7 +182,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { public void testTwoWaySSLVerifyClientHost() throws Exception { NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL"); acceptor.getConfiguration().put(TransportConstants.VERIFY_HOST_PROP_NAME, true); - acceptor.getConfiguration().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "verified-" + SERVER_SIDE_TRUSTSTORE); + acceptor.getConfiguration().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE); server.getRemotingService().stop(false); server.getRemotingService().start(); server.getRemotingService().startAcceptors(); @@ -272,7 +199,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider); tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType); - tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_KEYSTORE); + tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE); tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD); server.getRemotingService().addIncomingInterceptor(new MyInterceptor()); @@ -310,7 +237,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase { tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD); tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType); - tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE); + tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown" + CLIENT_SIDE_KEYSTORE); tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD); server.getRemotingService().addIncomingInterceptor(new MyInterceptor()); 
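Review bot: testTwoWaySSLVerifyClientHost in the `@@ -255` hunk now enables VERIFY_HOST on the acceptor against the shared client keystore instead of a dedicated `verified-` keystore; the removed Javadoc showed the verified client certificates were generated with `-ext san=ip:127.0.0.1`, so the test now depends on the shared client certificate carrying an equivalent SAN (the relevant part of build.sh is outside this page). A one-line comment beside `acceptor.getConfiguration().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);`, e.g. `// relies on client-keystore's certificate carrying a SAN for the connecting address (see tests/security-resources/build.sh)`, would record that coupling.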
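Review bot: In the `@@ -310` hunk the prefix is concatenated without a hyphen, `"unknown" + CLIENT_SIDE_KEYSTORE`, which yields `unknownclient-keystore.<suffix>`, whereas the one-way test in the same commit uses `"unknown-" + SERVER_SIDE_KEYSTORE`. Unless build.sh really emits a file with that name (its keystore section is outside this page), the client fails to load its keystore rather than presenting an untrusted client certificate, and a test expecting rejection passes for the wrong reason; the assertion is outside the hunk so I cannot confirm what it checks. Suggested change: `tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-" + CLIENT_SIDE_KEYSTORE);`.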
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java index 7da92b268a..d87b20a80b 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java @@ -50,7 +50,7 @@ import org.junit.Before; import org.junit.Test; /** - * See {@link CoreClientOverTwoWaySSLTest} for details about the keystores required for this test. + * See the tests/security-resources/build.sh script for details on the security resources used. */ public class DualAuthenticationTest extends ActiveMQTestBase { @@ -67,11 +67,11 @@ public class DualAuthenticationTest extends ActiveMQTestBase { } } - private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks"; - private String SERVER_SIDE_TRUSTSTORE = "server-side-truststore.jks"; - private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks"; - private String CLIENT_SIDE_KEYSTORE = "client-side-keystore.jks"; - private final String PASSWORD = "secureexample"; + private String SERVER_SIDE_KEYSTORE = "server-keystore.jks"; + private String SERVER_SIDE_TRUSTSTORE = "client-ca-truststore.jks"; + private String CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore.jks"; + private String CLIENT_SIDE_KEYSTORE = "client-keystore.jks"; + private final String PASSWORD = "securepass"; private ActiveMQServer server; diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java index 72db844e76..08e7c773d3 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java 
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java @@ -32,6 +32,9 @@ import java.util.Collection; import java.util.HashMap; import java.util.Map; +/** + * See the tests/security-resources/build.sh script for details on the security resources used. + */ public abstract class SSLTestBase extends ActiveMQTestBase { @Parameterized.Parameters(name = "sslProvider={0},clientProvider={1}") @@ -44,11 +47,11 @@ public abstract class SSLTestBase extends ActiveMQTestBase { protected static final String QUEUE = "ssl.test.queue"; - protected final String PASSWORD = "secureexample"; - protected String SERVER_SIDE_KEYSTORE = "openssl-server-side-keystore.jks"; - protected String SERVER_SIDE_TRUSTSTORE = "openssl-server-side-truststore.jks"; - protected String CLIENT_SIDE_TRUSTSTORE = "openssl-client-side-truststore.jks"; - protected String CLIENT_SIDE_KEYSTORE = "openssl-client-side-keystore.jks"; + protected final String PASSWORD = "securepass"; + protected String SERVER_SIDE_KEYSTORE = "server-keystore.jks"; + protected String SERVER_SIDE_TRUSTSTORE = "client-ca-truststore.jks"; + protected String CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore.jks"; + protected String CLIENT_SIDE_KEYSTORE = "client-keystore.jks"; protected ActiveMQServer server; diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java index 92aab6d7b1..98c23d6572 100644 --- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java 
@@ -75,6 +75,8 @@ import static org.apache.activemq.artemis.tests.util.RandomUtil.randomString; /** * Test that Netty Connector can connect to a Web Server and upgrade from a HTTP request to its remoting protocol. + * + * See the tests/security-resources/build.sh script for details on the security resources used. */ @RunWith(value = Parameterized.class) public class NettyConnectorWithHTTPUpgradeTest extends ActiveMQTestBase { @@ -102,9 +104,9 @@ public class NettyConnectorWithHTTPUpgradeTest extends ActiveMQTestBase { private NioEventLoopGroup bossGroup; private NioEventLoopGroup workerGroup; - private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks"; - private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks"; - private final String PASSWORD = "secureexample"; + private String SERVER_SIDE_KEYSTORE = "server-keystore.jks"; + private String CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore.jks"; + private final String PASSWORD = "securepass"; @Override @Before diff --git a/tests/integration-tests/src/test/resources/AMQauth.ldif b/tests/integration-tests/src/test/resources/AMQauth.ldif index 74f04f74b4..e4d18ff8da 100755 --- a/tests/integration-tests/src/test/resources/AMQauth.ldif +++ b/tests/integration-tests/src/test/resources/AMQauth.ldif @@ -144,6 +144,6 @@ uniquemember: cn=role3 ## group with member identified just by DN from SASL external tls certificate subject DN dn: cn=widgets,ou=system cn: widgets -member: uid=O=Internet Widgits Pty Ltd,C=AU,ST=Some-State,CN=cert4 +member: uid=CN=ActiveMQ Artemis Client,OU=Artemis,O=ActiveMQ,L=AMQ,ST=AMQ,C=AMQ objectClass: groupOfNames objectClass: top \ No newline at end of file diff --git a/tests/integration-tests/src/test/resources/cert-regexps.properties b/tests/integration-tests/src/test/resources/cert-regexps.properties index 9677bd81ae..0083306eaa 100644 --- a/tests/integration-tests/src/test/resources/cert-regexps.properties +++ b/tests/integration-tests/src/test/resources/cert-regexps.properties 
@@ -16,4 +16,4 @@ # first=/CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ(, [A-Z]+=AMQ)+/ -second=O=Internet Widgits Pty Ltd, C=AU, ST=Some-State, CN=lakalkalaoioislkxn +second=/CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ(, [A-Z]+=AMQ)+/ diff --git a/tests/integration-tests/src/test/resources/cert-users.properties b/tests/integration-tests/src/test/resources/cert-users.properties index d1b556e719..97ca6cec13 100644 --- a/tests/integration-tests/src/test/resources/cert-users.properties +++ b/tests/integration-tests/src/test/resources/cert-users.properties @@ -16,4 +16,4 @@ # first=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ -second=O=Internet Widgits Pty Ltd, C=AU, ST=Some-State, CN=cert4 +second=CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ diff --git a/tests/integration-tests/src/test/resources/client_not_revoked.jks b/tests/integration-tests/src/test/resources/client_not_revoked.jks deleted file mode 100644 index b03e57a4f0..0000000000 Binary files a/tests/integration-tests/src/test/resources/client_not_revoked.jks and /dev/null differ diff --git a/tests/integration-tests/src/test/resources/client_revoked.jks b/tests/integration-tests/src/test/resources/client_revoked.jks deleted file mode 100644 index 5e9987c7ec..0000000000 Binary files a/tests/integration-tests/src/test/resources/client_revoked.jks and /dev/null differ diff --git a/tests/integration-tests/src/test/resources/keystore1.jks b/tests/integration-tests/src/test/resources/keystore1.jks deleted file mode 100644 index 5d85fa7918..0000000000 Binary files a/tests/integration-tests/src/test/resources/keystore1.jks and /dev/null differ diff --git a/tests/integration-tests/src/test/resources/truststore.jks b/tests/integration-tests/src/test/resources/truststore.jks deleted file mode 100644 index 8410bc3723..0000000000 Binary files a/tests/integration-tests/src/test/resources/truststore.jks and /dev/null differ 
diff --git a/tests/security-resources/build.sh b/tests/security-resources/build.sh
new file mode 100755
index 0000000000..82484a4f3c
--- /dev/null
+++ b/tests/security-resources/build.sh
@@ -0,0 +1,156 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# The various SSL stores and certificates were created with the following commands: +# Requires use of JDK 8+ keytool command. +set -e + +KEY_PASS=securepass +STORE_PASS=securepass +CA_VALIDITY=365000 +VALIDITY=36500 + +# Clean up existing files +# ----------------------- +rm -f *.crt *.csr openssl-* *.jceks *.jks *.p12 *.pem + +# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust: +# ---------------------------------------------------------------------------------------------------- +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt +openssl pkcs12 -in server-ca-keystore.p12 -nodes -nocerts -out server-ca.pem -password pass:$STORE_PASS + +# Create trust store with the server CA cert: +# ------------------------------------------------------- 
+keytool -storetype pkcs12 -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -importkeystore -srckeystore server-ca-truststore.p12 -destkeystore server-ca-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore server-ca-truststore.p12 -destkeystore server-ca-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Create a key pair for the server, and sign it with the CA: +# ---------------------------------------------------------- +keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -alias server -certreq -file server.csr +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1 + +keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt + +keytool -importkeystore -srckeystore server-keystore.p12 -destkeystore server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore server-keystore.p12 -destkeystore server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass 
-deststorepass securepass + +# Create a key pair for the other server, and sign it with the CA: +# ---------------------------------------------------------- +keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias other-server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Other Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1 + +keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -alias other-server -certreq -file other-server.csr +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile other-server.csr -outfile other-server.crt -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-server -file other-server.crt + +keytool -importkeystore -srckeystore other-server-keystore.p12 -destkeystore other-server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore other-server-keystore.p12 -destkeystore other-server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Create trust store with the other server cert: +# ------------------------------------------------------- +keytool -storetype pkcs12 -keystore other-server-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-server -file other-server.crt -noprompt +keytool -importkeystore -srckeystore other-server-truststore.p12 -destkeystore other-server-truststore.jceks -srcstoretype 
pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore other-server-truststore.p12 -destkeystore other-server-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Create crl with the other server cert: +# ------------------------------------------------------- +> openssl-database +echo 00 > openssl-crlnumber +openssl ca -config openssl.conf -revoke other-server.crt -keyfile server-ca.pem -cert server-ca.crt +openssl ca -config openssl.conf -gencrl -keyfile server-ca.pem -cert server-ca.crt -out other-server-crl.pem -crldays $VALIDITY + +# Create a key pair for the broker with an unexpected hostname, and sign it with the CA: +# -------------------------------------------------------------------------------------- +keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias unknown-server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Unknown Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA + +keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -alias unknown-server -certreq -file unknown-server.csr +keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile unknown-server.csr -outfile unknown-server.crt -validity $VALIDITY -ext bc=ca:false -ext eku=sA + +keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt +keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias unknown-server -file unknown-server.crt + +keytool -importkeystore -srckeystore unknown-server-keystore.p12 -destkeystore unknown-server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks 
-srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore unknown-server-keystore.p12 -destkeystore unknown-server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust: +# ---------------------------------------------------------------------------------------------------- +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt +openssl pkcs12 -in client-ca-keystore.p12 -nodes -nocerts -out client-ca.pem -password pass:$STORE_PASS + +# Create trust store with the client CA cert: +# ------------------------------------------------------- +keytool -storetype pkcs12 -keystore client-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -importkeystore -srckeystore client-ca-truststore.p12 -destkeystore client-ca-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore client-ca-truststore.p12 -destkeystore client-ca-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Create a key pair for the client, and sign it with the CA: +# ---------------------------------------------------------- +keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, 
C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -alias client -certreq -file client.csr +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt + +keytool -importkeystore -srckeystore client-keystore.p12 -destkeystore client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore client-keystore.p12 -destkeystore client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Create a key pair for the other client, and sign it with the CA: +# ---------------------------------------------------------- +keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias other-client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -alias other-client -certreq -file other-client.csr +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile other-client.csr -outfile other-client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1 + +keytool 
-storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-client -file other-client.crt + +keytool -importkeystore -srckeystore other-client-keystore.p12 -destkeystore other-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore other-client-keystore.p12 -destkeystore other-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Create crl with the other client cert: +# ------------------------------------------------------- +> openssl-database +echo 00 > openssl-crlnumber +openssl ca -config openssl.conf -revoke other-client.crt -keyfile client-ca.pem -cert client-ca.crt +openssl ca -config openssl.conf -gencrl -keyfile client-ca.pem -cert client-ca.crt -out other-client-crl.pem -crldays $VALIDITY + +# Create a key pair for the client with an unexpected hostname, and sign it with the CA: +# ---------------------------------------------------------- +keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias unknown-client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Unknown Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA + +keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STORE_PASS -alias unknown-client -certreq -file unknown-client.csr +keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile unknown-client.csr -outfile unknown-client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA + +keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass 
$STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt +keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias unknown-client -file unknown-client.crt + +keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore unknown-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass +keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore unknown-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass + +# Clean up working files +# ----------------------- +rm -f *.crt *.csr openssl-* diff --git a/tests/security-resources/client-ca-keystore.p12 b/tests/security-resources/client-ca-keystore.p12 new file mode 100644 index 0000000000..7c6fae79e7 Binary files /dev/null and b/tests/security-resources/client-ca-keystore.p12 differ diff --git a/tests/security-resources/client-ca-truststore.jceks b/tests/security-resources/client-ca-truststore.jceks new file mode 100644 index 0000000000..8c7f939c6c Binary files /dev/null and b/tests/security-resources/client-ca-truststore.jceks differ diff --git a/tests/security-resources/client-ca-truststore.jks b/tests/security-resources/client-ca-truststore.jks new file mode 100644 index 0000000000..e2dfeff87d Binary files /dev/null and b/tests/security-resources/client-ca-truststore.jks differ diff --git a/tests/security-resources/client-ca-truststore.p12 b/tests/security-resources/client-ca-truststore.p12 new file mode 100644 index 0000000000..706407d49a Binary files /dev/null and b/tests/security-resources/client-ca-truststore.p12 differ diff --git a/tests/security-resources/client-ca.pem b/tests/security-resources/client-ca.pem new file mode 100644 index 0000000000..6eab31a900 --- /dev/null +++ b/tests/security-resources/client-ca.pem 
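Review bot: The opening cleanup step, `rm -f *.crt *.csr openssl-* *.jceks *.jks *.p12 *.pem`, globs against whatever directory the script happens to be invoked from, so running it from anywhere but tests/security-resources deletes unrelated key material there and then drops the regenerated stores in the wrong place; openssl.conf's `dir = ./` shares the same dependency on the caller's working directory. Anchoring the script to its own location right after `set -e`, e.g. `cd "$(dirname "$0")"`, removes that hazard. Separately, every `-importkeystore` line hard-codes the password as the literal `securepass` instead of using the variables declared at the top, so changing `STORE_PASS` or `KEY_PASS` yields PKCS12 stores the later conversion steps cannot open; `-srcstorepass $STORE_PASS -deststorepass $STORE_PASS` keeps the script consistent with its own configuration.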
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: client-ca + localKeyID: 54 69 6D 65 20 31 36 32 37 39 39 35 37 37 38 32 30 33 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCteE6eFAkH+r0S +3xmAZW5j+sqa8RGh+/KQJ6BgQQpsDeS3RkxnN2e8tSF27eBwFZcnhUKLBFGbarjj +sHRZ5HwDPty/C8RVhvbPWi2AvW8uEvh65G+fjyf5JT8jAfvP12EFv1u9sQjI1hXH +6CjX7lOCRjxriwz86NTsgiPVO3Q89pmhgmQjO0JBtolsxCZvV0DDS7xvGpmHudlf +UHR1ydjA0+s6YDQ4UIOBwUu/CcHdIgAk1yiWQE4OA72cXTfR/Mybfpoqh6TegnSk +ONJY1/iNgmujU5nOwDKlEG5BzSd0ueE1RSoFg2OGVPuo73lS2iouCXFvFU90yDGA +bdKlRIHlAgMBAAECggEAdbXYay4fPrnnSQH4tQafFNreVqtUkr17SFSLYCViZBY9 +aBwcxkFzdDrY3XHnRUdxTVEA6YJhuft+QIrBOSpw+GbUthLPBFZT7jo7/EsPQY1/ +7SxLjlM/BbI/mIrFC7ET1imWoC6cTmPvXbps1LGVGyZ742H0yz1XFrHsjMoOQzrW +itL29T09CYfZrB+/uo2ozfAjTDKVUALhrd4qN/uiJsHTfZPOwIv/qgZTSUHDsfZP +SbUjJjWoEWJBhIewosCeyFaGOYN4JmHUQG597Xp8PS+cAvfLWMpBcSsX1ULClY2Q +PSv0PKVprZdIfeOtQHmRk56lwhW2QV7PhwstKdqjNQKBgQDvbfFlYkCq6HwMcPQJ +h2hBIUFHm7rBVflw72LKEYE5oiouSflMVRujujPUWIHkF9TRBZ0f4B+J9sUXTyPY +wAlbRTAaG5JGLjF6JxLjkw5MiPooJk8YcHPaadpOgT/vLall3mhdQG+hEshtysHP +jdagK93joWVc0aTdj2NFkJUFFwKBgQC5ebxmnkb2PyzH2oatZNfMLWnLjs8GFoWe +NHbJTzLAadl/sVTVhaWHYDjvbtZPq+0ynzLGnNQ7HPtuSqNiG2bY3/eedWdruPIO +Dcztr05YUzDX5pItoUucu19V0k0sWSOeKBD5mTVdUHgCLxd0GyZ4ODkS63ItjiBM +78m5q8MGYwKBgCed7X91DnY5Ga2FUxvwh9OfCQosPm6XJzsEoTgGRXef2ZLnMpTq +0DP7L3BHZNa1CsW7RBBuKUnOxzXgJnJK9EFh5V+siDuMkStBI+L8BjWrxJi4HgZR +NRpCwZiT0lxlFc6BSouDifUBAqEIF6GcOpMuLvznS7pcBgeTHj34em/pAoGAW8kS +ovXQyCubTYum+kfdQv12TXXunWSn2xK7dgPraaz4JWjsQn5Q3B2SD2saQ3Mhftup +lQAnRtmg04O8NuC4lLrBH3maJITxxGKv9y+55ZvFoBJKZKpdcMKI+z+HUVsLdUj+ +nYZkEjmwKeSEBsEo2HV6SRKa/lBHS8ueWHPXn2ECgYBn/WeTob0JMmoF5dIhISpP +bA/j/gj2r7aTR7/o9bpmJjj0f71zuPvJRIo5L1qs/UvsZIoU8DuZwSx8KyzS6g+J +VB5gE3JBKUhshy8TnMNIR+ZzJBFYtYc1TbB2OSsWP6sIilFN8KQKU9RMpmo6yiZZ +us6gZcNh399Hz894wYKyog== +-----END PRIVATE KEY----- 
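Review bot: This commits the client CA's private key in the clear (build.sh exports it with `-nodes`), and the server-ca.pem hunk further down does the same for the server CA; the same keys also sit in the committed `*-ca-keystore.p12` files whose password is written in build.sh, so anyone with the repository can issue certificates that every `*-ca-truststore.*` in this directory trusts. That is acceptable for test fixtures, but nothing in the tree says so, while the smoke-test broker.xml in this same commit points a real acceptor at these stores. A one-line notice in the build.sh header would make the intent explicit, e.g. `# Test-only key material: the CA private keys are committed, so never reuse these stores or truststores outside the test suite.`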
diff --git a/tests/security-resources/client-keystore.jceks b/tests/security-resources/client-keystore.jceks
new file mode 100644
index 0000000000..a0ac1a3dad
Binary files /dev/null and b/tests/security-resources/client-keystore.jceks differ
diff --git a/tests/security-resources/client-keystore.jks b/tests/security-resources/client-keystore.jks
new file mode 100644
index 0000000000..b968a0c54d
Binary files /dev/null and b/tests/security-resources/client-keystore.jks differ
diff --git a/tests/security-resources/client-keystore.p12 b/tests/security-resources/client-keystore.p12
new file mode 100644
index 0000000000..13b246823d
Binary files /dev/null and b/tests/security-resources/client-keystore.p12 differ
diff --git a/tests/security-resources/openssl.conf b/tests/security-resources/openssl.conf
new file mode 100644
index 0000000000..efe2ffba63
--- /dev/null
+++ b/tests/security-resources/openssl.conf
@@ -0,0 +1,26 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# OpenSSL configuration for CRL generation
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./
+database = $dir/openssl-database
+crlnumber = $dir/openssl-crlnumber
+default_md = default
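Review bot: `default_md = default` on the last line leaves the CRL signature digest to whatever the local OpenSSL build chooses (and, as far as I know, the `default` keyword is not accepted by releases before 1.1.0), so a re-run of build.sh on another machine can produce CRLs signed differently from the committed other-server-crl.pem and other-client-crl.pem, which appear to be SHA-256 signed. Pinning `default_md = sha256` makes the generated fixtures reproducible. `dir = ./` also resolves against the caller's working directory rather than this file's location, which is only safe while build.sh is run from tests/security-resources; a comment saying so, e.g. `# paths are relative to the directory build.sh is run from`, would help the next person who edits this.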
diff --git a/tests/security-resources/other-client-crl.pem b/tests/security-resources/other-client-crl.pem new file mode 100644 index 0000000000..45f51abe29 --- /dev/null +++ b/tests/security-resources/other-client-crl.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIB0zCBvAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll +bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTIxMDgwMzEzMDMwN1oYDzIxMjEw +NzEwMTMwMzA3WjAXMBUCBH493qkXDTIxMDgwMzEzMDMwN1qgDjAMMAoGA1UdFAQD +AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQBzM0YCos5sHRAN4pPzNWCAonqezX6FfcY+ +SuufVcxD583O2Vnuwmz9i9PhGJJbWxGuCtXwS1JNldm7/rXhpZOd539W1BJQprGb +nwooQWTBBU8qTaXmUVWiPsMlL/IcMUTB/DVgWsRuwjA7wtVAseIoa2Z/geZZAOwO +vgp7RAtWW9M1Vr7/XWNsJqIOoPnPqGhg8Nve2sFfySQmJQZP8LnnDgC6pv51TnRa +VrOmHtralj2d0U3z78nRZW26S1XMxA0wb5yTc4T8lxCZ969vwtiWOQRCoKL/EFWe +Yy2oBbRjTHEZWYyhYHCMcGP2JSGcDnSZmc+d7ydgx4Gq7nHy3FCM +-----END X509 CRL----- diff --git a/tests/security-resources/other-client-keystore.jceks b/tests/security-resources/other-client-keystore.jceks new file mode 100644 index 0000000000..0cf978c275 Binary files /dev/null and b/tests/security-resources/other-client-keystore.jceks differ diff --git a/tests/security-resources/other-client-keystore.jks b/tests/security-resources/other-client-keystore.jks new file mode 100644 index 0000000000..f2061bd8bc Binary files /dev/null and b/tests/security-resources/other-client-keystore.jks differ diff --git a/tests/security-resources/other-client-keystore.p12 b/tests/security-resources/other-client-keystore.p12 new file mode 100644 index 0000000000..2c6d590707 Binary files /dev/null and b/tests/security-resources/other-client-keystore.p12 differ diff --git a/tests/security-resources/other-server-crl.pem b/tests/security-resources/other-server-crl.pem new file mode 100644 index 0000000000..05ea5ae033 --- /dev/null +++ b/tests/security-resources/other-server-crl.pem 
@@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIB0zCBvAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ +MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBTZXJ2 +ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTIxMDgwMzEzMDI1NFoYDzIxMjEw +NzEwMTMwMjU0WjAXMBUCBFu18ooXDTIxMDgwMzEzMDI1NFqgDjAMMAoGA1UdFAQD +AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQA8+qy2sN70qrXKuAwdIk1gF6mj+3ikFIhj +LP9hU8PBxolCzcz9SJv3xvcuGsrZtp30EU0JYQBIadfpsm6Fe6iCpXxD62n99vry +OpRF9Nt2qjkQpGVrAl4LeM53Z3CFiC9Ghg7rZftB+Glxte3+mSyxWRB3drj1xiqg +Rt6y43ipQh4F9bxMANhgEUSvC7SrGGKke2z0nHj7gpzseSYbZucfagRk9LzSFFC6 +HWXmFdWFYhEV6Gh7XFKRKVi7DNXp1jWDTAt+g4bif/N2aIES+gqJFsufnqOYNiiL +J70UOUc9D7l2GHbPaVOOHuqo+zhjTy3IJv1329uYbvMHuGJUIjVV +-----END X509 CRL----- diff --git a/tests/security-resources/other-server-keystore.jceks b/tests/security-resources/other-server-keystore.jceks new file mode 100644 index 0000000000..5e3a133783 Binary files /dev/null and b/tests/security-resources/other-server-keystore.jceks differ diff --git a/tests/security-resources/other-server-keystore.jks b/tests/security-resources/other-server-keystore.jks new file mode 100644 index 0000000000..4661445cc7 Binary files /dev/null and b/tests/security-resources/other-server-keystore.jks differ diff --git a/tests/security-resources/other-server-keystore.p12 b/tests/security-resources/other-server-keystore.p12 new file mode 100644 index 0000000000..e21a4e11ff Binary files /dev/null and b/tests/security-resources/other-server-keystore.p12 differ diff --git a/tests/security-resources/other-server-truststore.jceks b/tests/security-resources/other-server-truststore.jceks new file mode 100644 index 0000000000..58d5e0a1af Binary files /dev/null and b/tests/security-resources/other-server-truststore.jceks differ 
diff --git a/tests/security-resources/other-server-truststore.jks b/tests/security-resources/other-server-truststore.jks new file mode 100644 index 0000000000..ad4a0f2c56 Binary files /dev/null and b/tests/security-resources/other-server-truststore.jks differ diff --git a/tests/security-resources/other-server-truststore.p12 b/tests/security-resources/other-server-truststore.p12 new file mode 100644 index 0000000000..93b1d0b58f Binary files /dev/null and b/tests/security-resources/other-server-truststore.p12 differ diff --git a/tests/security-resources/server-ca-keystore.p12 b/tests/security-resources/server-ca-keystore.p12 new file mode 100644 index 0000000000..fb54141cf8 Binary files /dev/null and b/tests/security-resources/server-ca-keystore.p12 differ diff --git a/tests/security-resources/server-ca-truststore.jceks b/tests/security-resources/server-ca-truststore.jceks new file mode 100644 index 0000000000..5c2cc80a98 Binary files /dev/null and b/tests/security-resources/server-ca-truststore.jceks differ diff --git a/tests/security-resources/server-ca-truststore.jks b/tests/security-resources/server-ca-truststore.jks new file mode 100644 index 0000000000..3fe0f29ad2 Binary files /dev/null and b/tests/security-resources/server-ca-truststore.jks differ diff --git a/tests/security-resources/server-ca-truststore.p12 b/tests/security-resources/server-ca-truststore.p12 new file mode 100644 index 0000000000..1fa9c61b53 Binary files /dev/null and b/tests/security-resources/server-ca-truststore.p12 differ diff --git a/tests/security-resources/server-ca.pem b/tests/security-resources/server-ca.pem new file mode 100644 index 0000000000..7327a779de --- /dev/null +++ b/tests/security-resources/server-ca.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: server-ca + localKeyID: 54 69 6D 65 20 31 36 32 37 39 39 35 37 36 34 38 34 34 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCNcCgfsx99PDN6 ++cK7pt1Z6i+6JVNVt5j2D8XsOOo2RzSZwOxPfQU7WlD2SBKF/tqRSo/qiT4Tf1UJ +nEt3HLP+CEvLWj+AVNF9V+DpzRl7PnADeZsgaPOtUnLn+4bRSnwGwsUrCeJaJCQN +drNt3sREpaQ8WizxR1nicLyN3H6RtoEV2bE+NGt+hdek/iFWtIm6L3QXbeMnBhl3 +DkXdKTnEk2zqmwtCgxHnHXKMxPB3utwKBloulHxsvUI4s+twH9cJYvFokyBVIBwJ +/Xa1IlrPdiEyv1qk7Uul3a7grR1ljEabbn9V6HS6KG8KEPLE5Kk97PNKU5LFkwPr +PC/QY8tBAgMBAAECggEARQlqvFZdV26sHimNMLU5NCtIEo8nhx5vriNy02PQhp/o +/+eYMRBwHlFuVVhGmlsUani/mJZW04OCiYddmo1LGgMIpACwID7GZm0fnl97QZnv +aPLRkldIIeCtr6gpXT0DHvWw8doIP0GGy3+WA1oJ6QwFB2RorXjLWej3UDNBIHP/ +UN/DuMvvl82ZVVpgLSAxWWDQxZpDE7Mvwcpd+yms9qhzaH6Sf3/TPxkn6tPrGSN/ +E3O7ez+ixqATQ5L+N4ZsBUWfrX2fPplZB3Zmt8QUSYDZ9IeO0Oga4N6g0PRxQILG +QxJ7MCwu0DAGx3KgKWsQg5f8tLSeHzwEHnz63+1xlQKBgQDO/cm2bJ8bqyIxERTD +s8FekrL2vlzTd+uChZEIX74nCjnG6jWK7TExqq/56khGORz5OFSRXqKR6CkEs5o8 +SzUHduc34OtFsQovyxFSxIY7O8qcbIcpav1CA5S7BtU9zleUr5Av3DsG8hZwyIhk +zDk6Vf/tLTH6PVGPfPe3E5mAxwKBgQCu7Qn7HkjLXcVzgzpp1CXYoBQTmKHZf2fF +wnTASFrRjQTwVN+p0afueTqzn4TutSosKiymtGgVonZoLWmBWSuKbEHLECHXlQcY +wjRAccB6u0Q5NZLcVmFLVjLiKw+kljSNgpQI6vYgPWp4zF6x/9ioRbz0+3wuKzsI +pUkcPg5btwKBgEyWeOFH1aNOMeuHz3AN/dl5XECR9RTFxV1ZAG3hxyD41qH0HPWX +h+FBr7U/65gYH9FS92+GXY6xISQ9NC9lAG0PoMP7M/JobEV81J8UWjpmiDRSr7wy +exzG6Gw/Pf2NcLhyMV6UFT8fqg/3EwiAzBf6pCRk2Z4mvBvkeF/EH8MXAoGAIuzm +6kGQrTIKw1Z3KjwWVlsXxxXZctCSSpTZtK59m4s5aja39XMLwXxo8QYvh22afvjo +s1wfz/oBBCnU/+Nq4xdcR4vwBdgWc6YKwrczhA2xwG5m5SFGCcGrJScN14G5+msQ +3Xr0K1m30WiUm5uGiYprAMrZb2poPgCqST5GpZ8CgYA7dc8QWQWUzaP1gjA6hspC +4qcHecNaYxaNPjhR9kBlzx9VXtVpqk0IyDkHIdJ7nz+GPa9WJTSmkgpYwz7hSWw7 +O8PbsxZ1qY4j9/yNUGcIodjgwUckwj8ULkl8mDGQCZByImZzjqHUfWuezWmhjW43 +sfD8CrHOirVMRbu49FEAVw== +-----END PRIVATE KEY----- 
diff --git a/tests/security-resources/server-keystore.jceks b/tests/security-resources/server-keystore.jceks new file mode 100644 index 0000000000..57cc472efe Binary files /dev/null and b/tests/security-resources/server-keystore.jceks differ diff --git a/tests/security-resources/server-keystore.jks b/tests/security-resources/server-keystore.jks new file mode 100644 index 0000000000..5a7e2c00bf Binary files /dev/null and b/tests/security-resources/server-keystore.jks differ diff --git a/tests/security-resources/server-keystore.p12 b/tests/security-resources/server-keystore.p12 new file mode 100644 index 0000000000..fe5eab7268 Binary files /dev/null and b/tests/security-resources/server-keystore.p12 differ diff --git a/tests/security-resources/unknown-client-keystore.jceks b/tests/security-resources/unknown-client-keystore.jceks new file mode 100644 index 0000000000..dde733626e Binary files /dev/null and b/tests/security-resources/unknown-client-keystore.jceks differ diff --git a/tests/security-resources/unknown-client-keystore.jks b/tests/security-resources/unknown-client-keystore.jks new file mode 100644 index 0000000000..10c7c434aa Binary files /dev/null and b/tests/security-resources/unknown-client-keystore.jks differ diff --git a/tests/security-resources/unknown-client-keystore.p12 b/tests/security-resources/unknown-client-keystore.p12 new file mode 100644 index 0000000000..bb53b8c446 Binary files /dev/null and b/tests/security-resources/unknown-client-keystore.p12 differ diff --git a/tests/security-resources/unknown-server-keystore.jceks b/tests/security-resources/unknown-server-keystore.jceks new file mode 100644 index 0000000000..ef2b078e4c Binary files /dev/null and b/tests/security-resources/unknown-server-keystore.jceks differ 
diff --git a/tests/security-resources/unknown-server-keystore.jks b/tests/security-resources/unknown-server-keystore.jks new file mode 100644 index 0000000000..039a581d0b Binary files /dev/null and b/tests/security-resources/unknown-server-keystore.jks differ diff --git a/tests/security-resources/unknown-server-keystore.p12 b/tests/security-resources/unknown-server-keystore.p12 new file mode 100644 index 0000000000..8fbec3e026 Binary files /dev/null and b/tests/security-resources/unknown-server-keystore.p12 differ diff --git a/tests/smoke-tests/pom.xml b/tests/smoke-tests/pom.xml index 61e3d0c843..cc5a141216 100644 --- a/tests/smoke-tests/pom.xml +++ b/tests/smoke-tests/pom.xml @@ -170,6 +170,11 @@ + + + ../security-resources + + org.apache.activemq diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml index 0166df412d..e3bf43573b 100644 --- a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml +++ b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml @@ -30,7 +30,7 @@ under the License. tcp://localhost:61616?securityDomain=guest - tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=server-side-truststore.jks;trustStorePassword=secureexample + tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=../../test-classes/server-keystore.jks;keyStorePassword=securepass;trustStorePath=../../test-classes/client-ca-truststore.jks;trustStorePassword=securepass 
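Review bot: The rewritten acceptor URL reaches its stores through `keyStorePath=../../test-classes/server-keystore.jks` and `trustStorePath=../../test-classes/client-ca-truststore.jks`, paths that climb out of the broker instance into the Maven target layout, so this broker.xml now silently depends on where the harness unpacks the instance and breaks if that layout or the working directory changes. If the smoke-test harness can copy the two stores next to broker.xml, plain file names here would remove that coupling; failing that, a comment on the acceptor line noting that the path is relative to the instance directory created under target/ would at least make the dependency visible. The acceptor element's surrounding context lines are not visible in this hunk.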
diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-keystore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-keystore.jks deleted file mode 100644 index 654d691b5c..0000000000 Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-keystore.jks and /dev/null differ diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-truststore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-truststore.jks deleted file mode 100644 index 95e451a698..0000000000 Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-truststore.jks and /dev/null differ diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-keystore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-keystore.jks deleted file mode 100644 index b7624b9cef..0000000000 Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-keystore.jks and /dev/null differ diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-truststore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-truststore.jks deleted file mode 100644 index e039222af3..0000000000 Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-truststore.jks and /dev/null differ diff --git a/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java b/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java index f21680a0d5..efabe44443 100644 
--- a/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java +++ b/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java @@ -29,14 +29,7 @@ import org.apache.qpid.jms.JmsConnectionFactory; import org.junit.Test; /** - * The various keystore files used for this test were generated using the following commands: - * - * keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample - * keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt - * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA - * keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample - * keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt + * See the tests/security-resources/build.sh script for details on the security resources used. */ public class AuditLoggerAMQPMutualSSLTest extends AuditLoggerTestBase { 
@@ -52,10 +45,10 @@ public class AuditLoggerAMQPMutualSSLTest extends AuditLoggerTestBase {
int maxInactivityDurationInitialDelay = 30000;
int idleTimeout = 120000;
boolean verifyHost = false;
- String keyStoreLocation = "target/" + getServerName() + "/etc/client-side-keystore.jks";
- String keyStorePassword = "secureexample";
- String trustStoreLocation = "target/" + getServerName() + "/etc/client-side-truststore.jks";
- String trustStorePassword = "secureexample";
+ String keyStoreLocation = getClass().getClassLoader().getResource("client-keystore.jks").getFile();
+ String keyStorePassword = "securepass";
+ String trustStoreLocation = getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
+ String trustStorePassword = "securepass";
String remoteUri = sslhost + "?maxInactivityDurationInitialDelay=" + maxInactivityDurationInitialDelay +
diff --git a/tests/unit-tests/pom.xml b/tests/unit-tests/pom.xml
index 3282727b55..51e2582fc1 100644
--- a/tests/unit-tests/pom.xml
+++ b/tests/unit-tests/pom.xml
@@ -178,6 +178,11 @@ + + + ../security-resources + + org.apache.maven.plugins
diff --git a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java
index 12667c2f99..8c9476b6a3 100644
--- a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java
+++ b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java
@@ -42,6 +42,9 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public class NettyConnectorTest extends ActiveMQTestBase {
private ActiveMQServer server;
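Review bot: `getResource(...).getFile()` on the two new keyStoreLocation/trustStoreLocation lines returns the path component of a URL, not a filesystem path, so a checkout directory containing a space or another reserved character is handed to the JMS client percent-encoded and the store cannot be opened; it also fails with a bare NullPointerException when the resource is absent from the classpath. Converting through the URI is the robust form, `String keyStoreLocation = Paths.get(getClass().getClassLoader().getResource("client-keystore.jks").toURI()).toString();` and the same for `server-ca-truststore.jks`, which needs `java.nio.file.Paths` and a method allowed to throw `URISyntaxException` (the signature is outside the hunk). Separately, the unchanged `boolean verifyHost = false;` context line means the client still skips hostname verification even though it now trusts a CA rather than a pinned leaf certificate; if the server certificate's SAN covers the host used in `sslhost`, this test could enable it. The enclosing test method starts before and ends after this hunk.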
@@ -56,10 +59,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
Map params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "openssl-server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "openssl-server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
server = createServer(false, config);
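Review bot: The store file names and the `"securepass"` literal introduced in these four `params.put` lines are repeated verbatim in every later hunk of this class, so the next credential or resource rotation is again a multi-hunk search-and-replace. Hoisting them once, e.g. `private static final String STORE_PASSWORD = "securepass";` and `private static final String SERVER_KEYSTORE = "server-keystore.jks";` (with matching constants for the client keystore and the two CA truststores), and referencing the constants from each `params.put`/`System.setProperty` call would keep the password and file names in one place. The enclosing method starts before and ends after this hunk.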
@@ -148,10 +151,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
}
};
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
Map params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
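Review bot: The four `System.setProperty(NettyConnector.JAVAX_*_PROP_NAME, ...)` calls set JVM-wide `javax.net.ssl` defaults that outlive this test; unless a tearDown outside this hunk clears them, every later test in the same forked JVM silently inherits `client-keystore.jks`/`server-ca-truststore.jks` as its default key and trust material, which can mask a test that is supposed to fail without credentials. If no such cleanup exists, capture the previous values before these lines and restore them in a `finally`, or `System.clearProperty(...)` each of the four names in an `@After` method. The enclosing test method starts before this hunk and continues after it.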
@@ -184,10 +187,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
Map params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"openssl-client-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"server-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
@@ -210,10 +213,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
};
//system properties will override the bad transport constants
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
Map params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
@@ -252,10 +255,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
Map params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.FORCE_SSL_PARAMETERS, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"openssl-client-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"server-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
@@ -279,10 +282,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
};
//bad system properties will override the transport constants
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
Map params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
@@ -318,10 +321,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
connector.start();
Assert.assertTrue(connector.isStarted());
@@ -343,10 +346,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "bad path");
System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "bad password");
diff --git a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
index 7539b55475..45d0aa04fe 100644
--- a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
+++ b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
@@ -30,6 +30,9 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
@RunWith(value = Parameterized.class)
public class SSLSupportTest extends ActiveMQTestBase {
@@ -57,8 +60,8 @@ public class SSLSupportTest extends ActiveMQTestBase {
if (storeType.equals("PKCS12")) {
suffix = "p12";
}
- keyStorePath = "server-side-keystore." + suffix;
- trustStorePath = "server-side-truststore." + suffix;
+ keyStorePath = "server-keystore." + suffix;
+ trustStorePath = "client-ca-truststore." + suffix;
}
private String storeProvider;
@@ -87,7 +90,7 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Before
public void setUp() throws Exception {
super.setUp();
- keyStorePassword = "secureexample";
+ keyStorePassword = "securepass";
trustStorePassword = keyStorePassword;
}
@@ -190,7 +193,7 @@ public class SSLSupportTest extends ActiveMQTestBase {
new SSLSupport()
.setKeystoreProvider(storeProvider)
.setKeystoreType(storeType)
- .setKeystorePath("src/test/resources/" + keyStorePath)
+ .setKeystorePath("../security-resources/" + keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeProvider)
.setTruststoreType(storeType)
diff --git a/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks b/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks
deleted file mode 100644
index ee0de7b550..0000000000
Binary files a/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/beans1.xml b/tests/unit-tests/src/test/resources/beans1.xml
deleted file mode 100644
index b7ef164d44..0000000000
--- a/tests/unit-tests/src/test/resources/beans1.xml
+++ /dev/null
@@ -1,20 +0,0 @@
- - - - - \ No newline at end of file
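Review bot: `.setKeystorePath("../security-resources/" + keyStorePath)` in the last hunk resolves relative to the JVM's working directory, so the store is only found when the test runs from `tests/unit-tests`; from the repository root or an IDE with a different working directory it fails on file lookup rather than on the assertion under test. The pom hunk in this same commit adds `../security-resources` as a test resource directory, and the NettyConnectorTest hunks pass bare names such as `server-keystore.jks`, which suggests SSLSupport can resolve stores from the classpath; if so, `.setKeystorePath(keyStorePath)` (and the matching truststore line, which is outside this hunk) removes the working-directory dependency. Whether build.sh also produces the parameterized JCEKS and PKCS12 variants (`server-keystore.jceks`/`.p12`, `client-ca-truststore.jceks`/`.p12`) that the `@@ -57,8` hunk now expects cannot be confirmed from this diff. The enclosing test method starts before and ends after the last hunk.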
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.jceks b/tests/unit-tests/src/test/resources/client-side-keystore.jceks
deleted file mode 100644
index 3bebbf4014..0000000000
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.jks b/tests/unit-tests/src/test/resources/client-side-keystore.jks
deleted file mode 100644
index 0949d201d8..0000000000
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.p12 b/tests/unit-tests/src/test/resources/client-side-keystore.p12
deleted file mode 100644
index fd4055f741..0000000000
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.jceks b/tests/unit-tests/src/test/resources/client-side-truststore.jceks
deleted file mode 100644
index 20884ded06..0000000000
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.jks b/tests/unit-tests/src/test/resources/client-side-truststore.jks
deleted file mode 100644
index 3218d73d60..0000000000
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.p12 b/tests/unit-tests/src/test/resources/client-side-truststore.p12
deleted file mode 100644
index 229e6ec855..0000000000
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks
deleted file mode 100644
index f69d19faad..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks
deleted file mode 100644
index 674681d75b..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12
deleted file mode 100644
index 098abe789b..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks
deleted file mode 100644
index 83685c6edc..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks
deleted file mode 100644
index 30c92b480b..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12
deleted file mode 100644
index ce77bd620b..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks
deleted file mode 100644
index 7e869474f0..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks
deleted file mode 100644
index 85a560a68c..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12
deleted file mode 100644
index 8aa49b64dd..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks
deleted file mode 100644
index d09d0a073c..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks
deleted file mode 100644
index 54cc5a41fd..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12
deleted file mode 100644
index 2937f289e5..0000000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks
deleted file mode 100644
index c1d1a5ba5b..0000000000
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.jks b/tests/unit-tests/src/test/resources/other-client-side-truststore.jks
deleted file mode 100644
index b3c907bf73..0000000000
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/other-client-side-truststore.p12
deleted file mode 100644
index f573785fd3..0000000000
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks
deleted file mode 100644
index acf1603252..0000000000
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.jks b/tests/unit-tests/src/test/resources/other-server-side-keystore.jks
deleted file mode 100644
index 98276fdc99..0000000000
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/other-server-side-keystore.p12
deleted file mode 100644
index 7c6eb6527f..0000000000
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.jceks b/tests/unit-tests/src/test/resources/server-side-keystore.jceks
deleted file mode 100644
index 9d8c27c4a6..0000000000
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.jks b/tests/unit-tests/src/test/resources/server-side-keystore.jks
deleted file mode 100644
index f1fd537e7c..0000000000
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.p12 b/tests/unit-tests/src/test/resources/server-side-keystore.p12
deleted file mode 100644
index 3cb6d2825f..0000000000
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.jceks b/tests/unit-tests/src/test/resources/server-side-truststore.jceks
deleted file mode 100644
index 1387739695..0000000000
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.jks b/tests/unit-tests/src/test/resources/server-side-truststore.jks
deleted file mode 100644
index e8e831118a..0000000000
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.p12 b/tests/unit-tests/src/test/resources/server-side-truststore.p12
deleted file mode 100644
index fcdafdba92..0000000000
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks
deleted file mode 100644
index f8b23bef13..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks
deleted file mode 100644
index 492aee8f5a..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12
deleted file mode 100644
index 5b88b94b4b..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks
deleted file mode 100644
index 4d53b3e6c8..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks
deleted file mode 100644
index 0adc640bee..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12
deleted file mode 100644
index 7e2c6f0420..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks
deleted file mode 100644
index 12682dfafc..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks
deleted file mode 100644
index 8a7b07754a..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12
deleted file mode 100644
index 3d07421fdc..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks
deleted file mode 100644
index 63c03c245c..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks
deleted file mode 100644
index af8a9875fe..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12
deleted file mode 100644
index be0c8f0387..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks
deleted file mode 100644
index ee7992f920..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks
deleted file mode 100644
index 79b7cff81b..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12
deleted file mode 100644
index b218430bb2..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks
deleted file mode 100644
index 671c21e778..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks
deleted file mode 100644
index a861b27e3e..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12
deleted file mode 100644
index eef6db5936..0000000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 and /dev/null differ