gh-118658: Modify cert generation script to extract cert3.pem by felixfontein · Pull Request #124599 · python/cpython
The additional data in cert3.pem shouldn't affect the tests.
Apparently it does:
ERROR: test_certificate_chain (test.test_ssl.TestPostHandshakeAuth.test_certificate_chain)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/cpython/cpython/Lib/test/test_ssl.py", line 4707, in test_certificate_chain
    expected_ee_cert = ssl.PEM_cert_to_DER_cert(f.read())
  File "/home/runner/work/cpython/cpython/Lib/ssl.py", line 1498, in PEM_cert_to_DER_cert
    raise ValueError("Invalid PEM encoding; must start with %s"
                     % PEM_HEADER)
ValueError: Invalid PEM encoding; must start with -----BEGIN CERTIFICATE-----
So PEM_cert_to_DER_cert doesn't like PEM with comments. I guess in that case #124598 is preferable.
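The failure in the traceback above can be reproduced offline. This is an added example, not code from the pull request or from CPython's test suite: `pem_certs_to_der` and `strict_parse_fails` are hypothetical helpers, and the sample data is constructed placeholder bytes rather than a real certificate. It goes slightly beyond the case in the thread by handling files with more than one certificate block.

```python
import re
import ssl

# One certificate block; any text outside the markers is ignored.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_certs_to_der(pem_text):
    """Return the DER bytes of every certificate block found in pem_text.

    Hypothetical helper: isolates each BEGIN/END block first, so text placed
    before or between the blocks never reaches ssl.PEM_cert_to_DER_cert().
    """
    blocks = _CERT_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no certificate block found")
    return [ssl.PEM_cert_to_DER_cert(block) for block in blocks]


def strict_parse_fails(pem_text):
    """True if ssl.PEM_cert_to_DER_cert() rejects the text as given."""
    try:
        ssl.PEM_cert_to_DER_cert(pem_text)
    except ValueError:
        return True
    return False


# Constructed sample: placeholder bytes standing in for a DER certificate.
# PEM_cert_to_DER_cert only base64-decodes, so the content is never parsed.
SAMPLE_DER = bytes(range(256)) * 2
BARE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Constructed leading text of the kind a human-readable dump puts above the block.
ANNOTATED_PEM = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + BARE_PEM

if __name__ == "__main__":
    print("strict parse of annotated file fails:", strict_parse_fails(ANNOTATED_PEM))
    print("blocks recovered:", len(pem_certs_to_der(ANNOTATED_PEM + BARE_PEM)))
```
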