diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5df7d18f..d8382652 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -825,7 +825,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1111")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1112")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/cmake/cert_commands.cmake b/cmake/cert_commands.cmake
index 6ed748b6..ce71af0f 100644
--- a/cmake/cert_commands.cmake
+++ b/cmake/cert_commands.cmake
@@ -1,268 +1,205 @@ +set(GMSSL_TEST_PASS P@ssw0rd) +set(GMSSL_TEST_SUBJECT -C CN -ST Beijing -L Haidian -O GmSSL -OU Test) -execute_process( - COMMAND bin/gmssl sm2keygen -pass P@ssw0rd -out rootcakey.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS rootcakey.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_run) + execute_process( + COMMAND ${ARGN} + RESULT_VARIABLE TEST_RESULT + ERROR_VARIABLE TEST_STDERR + ) + if(NOT ${TEST_RESULT} EQUAL 0) + message(FATAL_ERROR "command failed: ${ARGN}\nstderr: ${TEST_STDERR}") + endif() +endfunction() -execute_process( - COMMAND bin/gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass P@ssw0rd -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS rootcacert.pem) - message(FATAL_ERROR "generated file does not exist") -endif() -file(READ rootcacert.pem FILE_CONTENT) -if (NOT FILE_CONTENT MATCHES "^-----BEGIN CERTIFICATE-----") - message(FATAL_ERROR "generate file error") -endif() +function(gmssl_require_generated_file file) + if(NOT EXISTS "${file}") + message(FATAL_ERROR "generated file does not exist: ${file}") + endif() +endfunction() -execute_process( - COMMAND bin/gmssl sm2keygen -pass P@ssw0rd -out cakey.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS cakey.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_read_generated_pem file expected_header) + gmssl_require_generated_file("${file}") + file(READ "${file}" FILE_CONTENT) + if(NOT FILE_CONTENT MATCHES "^${expected_header}") + 
message(FATAL_ERROR "generated file has unexpected PEM header: ${file}") + endif() +endfunction() -execute_process( - COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass P@ssw0rd -out careq.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS careq.pem) - message(FATAL_ERROR "generated file does not exist") -endif() -file(READ careq.pem FILE_CONTENT) -if (NOT FILE_CONTENT MATCHES "^-----BEGIN CERTIFICATE REQUEST-----") - message(FATAL_ERROR "generate file error") -endif() +function(gmssl_generate_sm2_key key_file) + gmssl_run(bin/gmssl sm2keygen -pass ${GMSSL_TEST_PASS} -out "${key_file}") + gmssl_require_generated_file("${key_file}") +endfunction() -execute_process( - COMMAND bin/gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass P@ssw0rd -out cacert.pem -ca - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS cacert.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_generate_p256_key key_file export_file) + if(export_file) + gmssl_run(bin/gmssl p256keygen -pass ${GMSSL_TEST_PASS} -out "${key_file}" -export "${export_file}") + gmssl_require_generated_file("${export_file}") + else() + gmssl_run(bin/gmssl p256keygen -pass ${GMSSL_TEST_PASS} -out "${key_file}") + endif() + gmssl_require_generated_file("${key_file}") +endfunction() -execute_process( - COMMAND bin/gmssl sm2keygen -pass P@ssw0rd -out signkey.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS signkey.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_generate_key alg 
key_file export_file) + if(alg STREQUAL SM2) + gmssl_generate_sm2_key("${key_file}") + elseif(alg STREQUAL P256) + gmssl_generate_p256_key("${key_file}" "${export_file}") + else() + message(FATAL_ERROR "unknown key algorithm: ${alg}") + endif() +endfunction() -execute_process( - COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass P@ssw0rd -out signreq.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS signreq.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_generate_root_ca alg prefix common_name) + gmssl_generate_key(${alg} "${prefix}_key.pem" "${prefix}_key.exp") + gmssl_run(bin/gmssl certgen + ${GMSSL_TEST_SUBJECT} + -CN "${common_name}" + -days 3650 + -key "${prefix}_key.pem" + -pass ${GMSSL_TEST_PASS} + -out "${prefix}_cert.pem" + -key_usage keyCertSign + -key_usage cRLSign + -ca) + gmssl_read_generated_pem("${prefix}_cert.pem" "-----BEGIN CERTIFICATE-----") +endfunction() -execute_process( - COMMAND bin/gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -subject_dns_name localhost -out signcert.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS signcert.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_generate_ca alg prefix common_name issuer_cert issuer_key path_len) + gmssl_generate_key(${alg} "${prefix}_key.pem" "${prefix}_key.exp") + gmssl_run(bin/gmssl reqgen + ${GMSSL_TEST_SUBJECT} + -CN "${common_name}" + -key "${prefix}_key.pem" + -pass ${GMSSL_TEST_PASS} + -out "${prefix}_req.pem") + gmssl_read_generated_pem("${prefix}_req.pem" "-----BEGIN CERTIFICATE REQUEST-----") + gmssl_run(bin/gmssl reqsign + -in "${prefix}_req.pem" + -days 
1825 + -key_usage keyCertSign + -key_usage cRLSign + -path_len_constraint ${path_len} + -cacert "${issuer_cert}" + -key "${issuer_key}" + -pass ${GMSSL_TEST_PASS} + -out "${prefix}_cert.pem" + -ca) + gmssl_read_generated_pem("${prefix}_cert.pem" "-----BEGIN CERTIFICATE-----") +endfunction() -execute_process( - COMMAND bin/gmssl sm2keygen -pass P@ssw0rd -out enckey.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS enckey.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_generate_end_entity alg prefix common_name issuer_cert issuer_key key_usage ext_key_usage subject_dns_name export_key) + if(export_key) + set(export_file "${prefix}_key.exp") + else() + set(export_file "") + endif() + gmssl_generate_key(${alg} "${prefix}_key.pem" "${export_file}") + gmssl_run(bin/gmssl reqgen + ${GMSSL_TEST_SUBJECT} + -CN "${common_name}" + -key "${prefix}_key.pem" + -pass ${GMSSL_TEST_PASS} + -out "${prefix}_req.pem") + gmssl_read_generated_pem("${prefix}_req.pem" "-----BEGIN CERTIFICATE REQUEST-----") -execute_process( - COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass P@ssw0rd -out encreq.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS encreq.pem) - message(FATAL_ERROR "generated file does not exist") -endif() + set(sign_args + -in "${prefix}_req.pem" + -days 365 + -key_usage ${key_usage} + -cacert "${issuer_cert}" + -key "${issuer_key}" + -pass ${GMSSL_TEST_PASS} + -out "${prefix}_cert.pem") + if(ext_key_usage) + list(APPEND sign_args -ext_key_usage ${ext_key_usage}) + endif() + if(subject_dns_name) + list(APPEND sign_args -subject_dns_name ${subject_dns_name}) + endif() + gmssl_run(bin/gmssl reqsign ${sign_args}) + 
gmssl_read_generated_pem("${prefix}_cert.pem" "-----BEGIN CERTIFICATE-----") +endfunction() -execute_process( - COMMAND bin/gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass P@ssw0rd -subject_dns_name localhost -out enccert.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS enccert.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +function(gmssl_write_bundle out_file) + file(WRITE "${out_file}" "") + foreach(pem_file IN LISTS ARGN) + gmssl_require_generated_file("${pem_file}") + file(READ "${pem_file}" PEM_CONTENT) + file(APPEND "${out_file}" "${PEM_CONTENT}") + endforeach() + gmssl_require_generated_file("${out_file}") +endfunction() -file(WRITE tlcp_server_certs.pem "") -file(READ signcert.pem CERT_CONTENT) -file(APPEND tlcp_server_certs.pem "${CERT_CONTENT}") -file(READ enccert.pem CERT_CONTENT) -file(APPEND tlcp_server_certs.pem "${CERT_CONTENT}") -file(READ cacert.pem CERT_CONTENT) -file(APPEND tlcp_server_certs.pem "${CERT_CONTENT}") +# Root CAs +gmssl_generate_root_ca(SM2 sm2_root_ca "GmSSL SM2 Test Root CA") +gmssl_generate_root_ca(P256 p256_root_ca "GmSSL P256 Test Root CA") -file(WRITE tlcp_server_keys.pem "") -file(READ signkey.pem KEY_CONTENT) -file(APPEND tlcp_server_keys.pem "${KEY_CONTENT}") -file(READ enckey.pem KEY_CONTENT) -file(APPEND tlcp_server_keys.pem "${KEY_CONTENT}") +# SM2 TLS server chain: root -> server CA 1 -> server CA 2 -> server certificate +gmssl_generate_ca(SM2 sm2_tls_server_ca1 "GmSSL SM2 TLS Server CA 1" + sm2_root_ca_cert.pem sm2_root_ca_key.pem 1) +gmssl_generate_ca(SM2 sm2_tls_server_ca2 "GmSSL SM2 TLS Server CA 2" + sm2_tls_server_ca1_cert.pem sm2_tls_server_ca1_key.pem 0) +gmssl_generate_end_entity(SM2 sm2_tls_server "GmSSL SM2 TLS Server" + sm2_tls_server_ca2_cert.pem sm2_tls_server_ca2_key.pem + digitalSignature serverAuth 
localhost OFF) +gmssl_write_bundle(sm2_tls_server_certs.pem + sm2_tls_server_cert.pem sm2_tls_server_ca2_cert.pem sm2_tls_server_ca1_cert.pem) -file(WRITE tls_server_certs.pem "") -file(READ signcert.pem CERT_CONTENT) -file(APPEND tls_server_certs.pem "${CERT_CONTENT}") -file(READ cacert.pem CERT_CONTENT) -file(APPEND tls_server_certs.pem "${CERT_CONTENT}") +# P256 TLS server chain: root -> server CA 1 -> server CA 2 -> server certificate +gmssl_generate_ca(P256 p256_tls_server_ca1 "GmSSL P256 TLS Server CA 1" + p256_root_ca_cert.pem p256_root_ca_key.pem 1) +gmssl_generate_ca(P256 p256_tls_server_ca2 "GmSSL P256 TLS Server CA 2" + p256_tls_server_ca1_cert.pem p256_tls_server_ca1_key.pem 0) +gmssl_generate_end_entity(P256 p256_tls_server "GmSSL P256 TLS Server" + p256_tls_server_ca2_cert.pem p256_tls_server_ca2_key.pem + digitalSignature serverAuth localhost ON) +gmssl_write_bundle(p256_tls_server_certs.pem + p256_tls_server_cert.pem p256_tls_server_ca2_cert.pem p256_tls_server_ca1_cert.pem) +gmssl_write_bundle(p256_tls_server_cert_chain.pem + p256_tls_server_ca2_cert.pem p256_tls_server_ca1_cert.pem) -execute_process( - COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256rootcakey.pem -export p256rootcakey.exp - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256rootcakey.pem OR NOT EXISTS p256rootcakey.exp) - message(FATAL_ERROR "generated file does not exist") -endif() +# SM2 TLS client chain: root -> client CA -> client certificate +gmssl_generate_ca(SM2 sm2_tls_client_ca "GmSSL SM2 TLS Client CA" + sm2_root_ca_cert.pem sm2_root_ca_key.pem 0) +gmssl_generate_end_entity(SM2 sm2_tls_client "GmSSL SM2 TLS Client" + sm2_tls_client_ca_cert.pem sm2_tls_client_ca_key.pem + digitalSignature clientAuth "" OFF) +gmssl_write_bundle(sm2_tls_client_certs.pem + sm2_tls_client_cert.pem sm2_tls_client_ca_cert.pem) -execute_process( - COMMAND bin/gmssl certgen -C 
CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 -key p256rootcakey.pem -pass P@ssw0rd -out p256rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256rootcacert.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +# P256 TLS client chain: root -> client CA -> client certificate +gmssl_generate_ca(P256 p256_tls_client_ca "GmSSL P256 TLS Client CA" + p256_root_ca_cert.pem p256_root_ca_key.pem 0) +gmssl_generate_end_entity(P256 p256_tls_client "GmSSL P256 TLS Client" + p256_tls_client_ca_cert.pem p256_tls_client_ca_key.pem + digitalSignature clientAuth "" ON) +gmssl_write_bundle(p256_tls_client_certs.pem + p256_tls_client_cert.pem p256_tls_client_ca_cert.pem) -execute_process( - COMMAND bin/gmssl p256keygen -pass P@ssw0rd -out p256cakey.pem -export p256cakey.exp - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256cakey.pem OR NOT EXISTS p256cakey.exp) - message(FATAL_ERROR "generated file does not exist") -endif() +# OCSP delegated responders for certificates issued by the TLS server CA2s. 
+gmssl_generate_end_entity(SM2 sm2_ocsp_responder "GmSSL SM2 OCSP Responder" + sm2_tls_server_ca2_cert.pem sm2_tls_server_ca2_key.pem + digitalSignature OCSPSigning "" OFF) +gmssl_generate_end_entity(P256 p256_ocsp_responder "GmSSL P256 OCSP Responder" + p256_tls_server_ca2_cert.pem p256_tls_server_ca2_key.pem + digitalSignature OCSPSigning "" ON) -execute_process( - COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "P256 Sub CA" -key p256cakey.pem -pass P@ssw0rd -out p256careq.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256careq.pem) - message(FATAL_ERROR "generated file does not exist") -endif() +# TLCP server chain reuses the SM2 TLS server CA chain and adds an encryption certificate. +gmssl_generate_end_entity(SM2 sm2_tlcp_server_sign "GmSSL SM2 TLCP Server" + sm2_tls_server_ca2_cert.pem sm2_tls_server_ca2_key.pem + digitalSignature serverAuth localhost OFF) +gmssl_generate_end_entity(SM2 sm2_tlcp_server_enc "GmSSL SM2 TLCP Server" + sm2_tls_server_ca2_cert.pem sm2_tls_server_ca2_key.pem + keyEncipherment serverAuth localhost OFF) +gmssl_write_bundle(sm2_tlcp_server_certs.pem + sm2_tlcp_server_sign_cert.pem + sm2_tlcp_server_enc_cert.pem + sm2_tls_server_ca2_cert.pem + sm2_tls_server_ca1_cert.pem) +gmssl_write_bundle(sm2_tlcp_server_keys.pem + sm2_tlcp_server_sign_key.pem sm2_tlcp_server_enc_key.pem) -execute_process( - COMMAND bin/gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert p256rootcacert.pem -key p256rootcakey.pem -pass P@ssw0rd -out p256cacert.pem -ca - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256cacert.pem) - message(FATAL_ERROR "generated file does not exist") -endif() - -execute_process( - COMMAND bin/gmssl p256keygen -pass P@ssw0rd 
-out p256signkey.pem -export p256signkey.exp - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256signkey.pem OR NOT EXISTS p256signkey.exp) - message(FATAL_ERROR "generated file does not exist") -endif() - -execute_process( - COMMAND bin/gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN 127.0.0.1 -key p256signkey.pem -pass P@ssw0rd -out p256signreq.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256signreq.pem) - message(FATAL_ERROR "generated file does not exist") -endif() - -execute_process( - COMMAND bin/gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature -cacert p256cacert.pem -key p256cakey.pem -pass P@ssw0rd -subject_dns_name 127.0.0.1 -out p256signcert.pem - RESULT_VARIABLE TEST_RESULT - ERROR_VARIABLE TEST_STDERR -) -if(NOT ${TEST_RESULT} EQUAL 0) - message(FATAL_ERROR "stderr: ${TEST_STDERR}") -endif() -if(NOT EXISTS p256signcert.pem) - message(FATAL_ERROR "generated file does not exist") -endif() - -file(WRITE p256certs.pem "") -file(READ p256signcert.pem CERT_CONTENT) -file(APPEND p256certs.pem "${CERT_CONTENT}") -file(READ p256cacert.pem CERT_CONTENT) -file(APPEND p256certs.pem "${CERT_CONTENT}") - -file(WRITE rootcacerts.pem "") -file(READ rootcacert.pem CERT_CONTENT) -file(APPEND rootcacerts.pem "${CERT_CONTENT}") -file(READ p256rootcacert.pem CERT_CONTENT) -file(APPEND rootcacerts.pem "${CERT_CONTENT}") +gmssl_write_bundle(test_root_certs.pem + sm2_root_ca_cert.pem p256_root_ca_cert.pem) diff --git a/cmake/openssl_interop_commands.cmake b/cmake/openssl_interop_commands.cmake index 94daf5a2..027018ee 100644 --- a/cmake/openssl_interop_commands.cmake +++ b/cmake/openssl_interop_commands.cmake 
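Review bot: `if(NOT ${TEST_RESULT} EQUAL 0)` in `gmssl_run` expands the result before `if()` parses it, so when `execute_process` cannot launch `bin/gmssl` at all (missing binary, wrong working directory) `TEST_RESULT` holds an error string rather than an exit code, the expansion becomes several `if()` arguments, and the script dies with a CMake parse error instead of the intended FATAL_ERROR carrying stderr; `if(NOT TEST_RESULT EQUAL 0)` handles both forms since a non-numeric value is simply not EQUAL 0. The same message interpolates all of `${ARGN}`, which includes `-pass ${GMSSL_TEST_PASS}`, so every failing invocation writes the passphrase into the build log — harmless for this fixed fixture value, but a comment on the `set(GMSSL_TEST_PASS ...)` line such as `# fixed, public test-only passphrase; never reuse for real keys` would make that intent explicit. `gmssl_generate_end_entity` takes nine positional arguments, several of which may be empty, and the call sites pass bare `""` and `OFF`/`ON`; a header comment listing them (alg, prefix, common_name, issuer_cert, issuer_key, key_usage, ext_key_usage, subject_dns_name, export_key) and stating which may be empty would help readers of those calls.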
@@ -7,12 +7,13 @@ if(NOT OPENSSL_EXECUTABLE) message(FATAL_ERROR "openssl executable not found") endif() -gmssl_require_file(p256rootcacert.pem) -gmssl_require_file(p256cacert.pem) -gmssl_require_file(p256signcert.pem) -gmssl_require_file(p256certs.pem) -gmssl_require_file(p256signkey.pem) -gmssl_require_file(p256signkey.exp) +gmssl_require_file(p256_root_ca_cert.pem) +gmssl_require_file(p256_tls_server_ca2_cert.pem) +gmssl_require_file(p256_tls_server_cert.pem) +gmssl_require_file(p256_tls_server_cert_chain.pem) +gmssl_require_file(p256_tls_server_certs.pem) +gmssl_require_file(p256_tls_server_key.pem) +gmssl_require_file(p256_tls_server_key.exp) if(NOT DEFINED TEST_CASE) set(TEST_CASE tls12_openssl_server) 
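Review bot: `gmssl_require_file(p256_tls_server_ca2_cert.pem)` is added to the precondition list, but none of the hunks visible in this file reference that file — the OpenSSL server side uses `p256_tls_server_cert_chain.pem` and the gmssl side `p256_tls_server_certs.pem` — so unless a test case between the hunks consumes it, the line should be dropped to keep the required set equal to what the tests actually read. `p256_tls_server_key.exp` is passed to `s_server -key` with no passphrase option in the later hunks, which suggests it is the unwrapped export of the key; a short comment on that require line saying so would stop a reader from assuming `.exp` is a second encrypted form.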
@@ -23,8 +24,8 @@ set(TLS13_PSK 1122334455667788112233445566778811223344556677881122334455667788)
 if(TEST_CASE STREQUAL tls12_openssl_server)
 set(TEST_NAME tls12_openssl_server)
 set(TEST_PORT 4450)
- set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet")
- set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name 127.0.0.1 -cacert p256rootcacert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /")
+ set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256_tls_server_cert.pem -cert_chain p256_tls_server_cert_chain.pem -key p256_tls_server_key.exp -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256 -named_curve prime256v1 -www -naccept 1 -quiet")
+ set(CLIENT_COMMAND "bin/gmssl tls12_client -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost -cacert p256_root_ca_cert.pem -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /")
 gmssl_run_command_interop_test(
 TEST_NAME ${TEST_NAME}
 PORT ${TEST_PORT}
@@ -34,8 +35,8 @@ if(TEST_CASE STREQUAL tls12_openssl_server)
 elseif(TEST_CASE STREQUAL tls12_openssl_client)
 set(TEST_NAME tls12_openssl_client)
 set(TEST_PORT 4451)
- set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info")
- set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256rootcacert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername 127.0.0.1 -brief")
+ set(SERVER_COMMAND "bin/gmssl tls12_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -renegotiation_info")
+ set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_2 -CAfile p256_root_ca_cert.pem -cipher ECDHE-ECDSA-AES128-SHA256 -groups prime256v1 -servername localhost -brief")
 gmssl_run_command_interop_test(
 TEST_NAME ${TEST_NAME}
 PORT ${TEST_PORT}
@@ -45,8 +46,8 @@ elseif(TEST_CASE STREQUAL tls12_openssl_client)
 elseif(TEST_CASE STREQUAL tls13_openssl_server)
 set(TEST_NAME tls13_openssl_server)
 set(TEST_PORT 4452)
- set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -no_middlebox -www -naccept 1 -quiet")
- set(CLIENT_COMMAND "bin/gmssl tls13_client -host 127.0.0.1 -port ${TEST_PORT} -server_name 127.0.0.1 -cacert p256rootcacert.pem -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /")
+ set(SERVER_COMMAND "${OPENSSL_EXECUTABLE} s_server -accept ${TEST_PORT} -cert p256_tls_server_cert.pem -cert_chain p256_tls_server_cert_chain.pem -key p256_tls_server_key.exp -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -no_middlebox -www -naccept 1 -quiet")
+ set(CLIENT_COMMAND "bin/gmssl tls13_client -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost -cacert p256_root_ca_cert.pem -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -get /")
 gmssl_run_command_interop_test(
 TEST_NAME ${TEST_NAME}
 PORT ${TEST_PORT}
@@ -56,8 +57,8 @@ elseif(TEST_CASE STREQUAL tls13_openssl_server)
 elseif(TEST_CASE STREQUAL tls13_openssl_client)
 set(TEST_NAME tls13_openssl_client)
 set(TEST_PORT 4453)
- set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256")
- set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -CAfile p256rootcacert.pem -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -sigalgs ecdsa_secp256r1_sha256 -no_middlebox -brief")
+ set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256")
+ set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -CAfile p256_root_ca_cert.pem -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -sigalgs ecdsa_secp256r1_sha256 -servername localhost -no_middlebox -brief")
 gmssl_run_command_interop_test(
 TEST_NAME ${TEST_NAME}
 PORT ${TEST_PORT}
@@ -67,8 +68,8 @@ elseif(TEST_CASE STREQUAL tls13_openssl_client)
 elseif(TEST_CASE STREQUAL tls13_hrr_openssl_client)
 set(TEST_NAME tls13_hrr_openssl_client)
 set(TEST_PORT 4454)
- set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -verbose")
- set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -CAfile p256rootcacert.pem -ciphersuites TLS_AES_128_GCM_SHA256 -groups secp384r1:prime256v1 -sigalgs ecdsa_secp256r1_sha256 -no_middlebox -brief -msg")
+ set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 -verbose")
+ set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -CAfile p256_root_ca_cert.pem -ciphersuites TLS_AES_128_GCM_SHA256 -groups secp384r1:prime256v1 -sigalgs ecdsa_secp256r1_sha256 -servername localhost -no_middlebox -brief -msg")
 gmssl_run_command_interop_test(
 TEST_NAME ${TEST_NAME}
 PORT ${TEST_PORT}
@@ -90,7 +91,7 @@ elseif(TEST_CASE STREQUAL tls13_psk_dhe_openssl_server)
 elseif(TEST_CASE STREQUAL tls13_psk_dhe_openssl_client)
 set(TEST_NAME tls13_psk_dhe_openssl_client)
 set(TEST_PORT 4456)
- set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -psk_dhe_ke -psk_identity 001 -psk_cipher_suite TLS_AES_128_GCM_SHA256 -psk_key ${TLS13_PSK}")
+ set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -psk_dhe_ke -psk_identity 001 -psk_cipher_suite TLS_AES_128_GCM_SHA256 -psk_key ${TLS13_PSK}")
 set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -psk_identity 001 -psk ${TLS13_PSK} -ciphersuites TLS_AES_128_GCM_SHA256 -groups prime256v1 -no_middlebox -brief")
 gmssl_run_command_interop_test(
 TEST_NAME ${TEST_NAME}
@@ -112,7 +113,7 @@ elseif(TEST_CASE STREQUAL tls13_psk_only_openssl_server) elseif(TEST_CASE STREQUAL tls13_psk_only_openssl_client) set(TEST_NAME tls13_psk_only_openssl_client) set(TEST_PORT 4458) - set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256certs.pem -key p256signkey.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -psk_ke -psk_identity 001 -psk_cipher_suite TLS_AES_128_GCM_SHA256 -psk_key ${TLS13_PSK}") + set(SERVER_COMMAND "bin/gmssl tls13_server -port ${TEST_PORT} -cert p256_tls_server_certs.pem -key p256_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_AES_128_GCM_SHA256 -psk_ke -psk_identity 001 -psk_cipher_suite TLS_AES_128_GCM_SHA256 -psk_key ${TLS13_PSK}") set(CLIENT_COMMAND "printf 'GET / HTTP/1.0\\r\\n\\r\\n' | ${OPENSSL_EXECUTABLE} s_client -connect 127.0.0.1:${TEST_PORT} -tls1_3 -psk_identity 001 -psk ${TLS13_PSK} -ciphersuites TLS_AES_128_GCM_SHA256 -allow_no_dhe_kex -prefer_no_dhe_kex -no_middlebox -brief") gmssl_run_command_interop_test( TEST_NAME ${TEST_NAME} diff --git a/cmake/tlcp_commands.cmake b/cmake/tlcp_commands.cmake index 58f3ff19..c83372e4 100644 --- a/cmake/tlcp_commands.cmake +++ b/cmake/tlcp_commands.cmake @@ -1,8 +1,8 @@ include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") -gmssl_require_file(rootcacert.pem) -gmssl_require_file(tlcp_server_certs.pem) -gmssl_require_file(tlcp_server_keys.pem) +gmssl_require_file(sm2_root_ca_cert.pem) +gmssl_require_file(sm2_tlcp_server_certs.pem) +gmssl_require_file(sm2_tlcp_server_keys.pem) if(NOT DEFINED TEST_CASE) set(TEST_CASE tlcp_sm4_cbc) 
@@ -27,15 +27,15 @@ gmssl_run_tls_command_test( tlcp_server -port ${TEST_PORT} -cipher_suite ${TEST_CIPHER_SUITE} - -cert tlcp_server_certs.pem - -key tlcp_server_keys.pem + -cert sm2_tlcp_server_certs.pem + -key sm2_tlcp_server_keys.pem -pass P@ssw0rd CLIENT_ARGS tlcp_client -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost - -cacert rootcacert.pem + -cacert sm2_root_ca_cert.pem -cipher_suite ${TEST_CIPHER_SUITE} -in ${TEST_NAME}_message.txt ) diff --git a/cmake/tls12_commands.cmake b/cmake/tls12_commands.cmake index 92dabb1f..e1690ec8 100644 --- a/cmake/tls12_commands.cmake +++ b/cmake/tls12_commands.cmake @@ -1,8 +1,8 @@ include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") -gmssl_require_file(rootcacert.pem) -gmssl_require_file(tls_server_certs.pem) -gmssl_require_file(signkey.pem) +gmssl_require_file(sm2_root_ca_cert.pem) +gmssl_require_file(sm2_tls_server_certs.pem) +gmssl_require_file(sm2_tls_server_key.pem) if(NOT DEFINED TEST_CASE) set(TEST_CASE tls12_sm4_cbc) @@ -26,8 +26,8 @@ gmssl_run_tls_command_test( SERVER_ARGS tls12_server -port ${TEST_PORT} - -cert tls_server_certs.pem - -key signkey.pem + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem -pass P@ssw0rd -cipher_suite ${TEST_CIPHER_SUITE} -supported_group sm2p256v1 @@ -37,7 +37,7 @@ gmssl_run_tls_command_test( -host 127.0.0.1 -port ${TEST_PORT} -server_name localhost - -cacert rootcacert.pem + -cacert sm2_root_ca_cert.pem -cipher_suite ${TEST_CIPHER_SUITE} -supported_group sm2p256v1 -sig_alg sm2sig_sm3 diff --git a/cmake/tls13_commands.cmake b/cmake/tls13_commands.cmake index aa6b7054..7d9ff0ff 100644 --- a/cmake/tls13_commands.cmake +++ b/cmake/tls13_commands.cmake 
@@ -1,8 +1,8 @@ include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake") -gmssl_require_file(rootcacert.pem) -gmssl_require_file(tls_server_certs.pem) -gmssl_require_file(signkey.pem) +gmssl_require_file(sm2_root_ca_cert.pem) +gmssl_require_file(sm2_tls_server_certs.pem) +gmssl_require_file(sm2_tls_server_key.pem) set(TLS13_PSK 1122334455667788112233445566778811223344556677881122334455667788) @@ -17,8 +17,8 @@ if(TEST_CASE STREQUAL tls13_sm4_gcm) SERVER_ARGS tls13_server -port 4433 - -cert tls_server_certs.pem - -key signkey.pem + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 @@ -28,7 +28,7 @@ if(TEST_CASE STREQUAL tls13_sm4_gcm) -host 127.0.0.1 -port 4433 -server_name localhost - -cacert rootcacert.pem + -cacert sm2_root_ca_cert.pem -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 @@ -42,8 +42,8 @@ elseif(TEST_CASE STREQUAL tls13_hrr_sm4_gcm) SERVER_ARGS tls13_server -port 4460 - -cert tls_server_certs.pem - -key signkey.pem + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 @@ -54,7 +54,7 @@ elseif(TEST_CASE STREQUAL tls13_hrr_sm4_gcm) -host 127.0.0.1 -port 4460 -server_name localhost - -cacert rootcacert.pem + -cacert sm2_root_ca_cert.pem -cipher_suite TLS_SM4_GCM_SM3 -supported_group prime256v1 -supported_group sm2p256v1 @@ -70,8 +70,8 @@ elseif(TEST_CASE STREQUAL tls13_psk_dhe_sm4_gcm) SERVER_ARGS tls13_server -port 4437 - -cert tls_server_certs.pem - -key signkey.pem + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 
@@ -98,8 +98,8 @@ elseif(TEST_CASE STREQUAL tls13_psk_only_sm4_gcm) SERVER_ARGS tls13_server -port 4461 - -cert tls_server_certs.pem - -key signkey.pem + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_SM4_GCM_SM3 -psk_ke @@ -125,8 +125,8 @@ elseif(TEST_CASE STREQUAL tls13_early_data_sm4_gcm) SERVER_ARGS tls13_server -port 4462 - -cert tls_server_certs.pem - -key signkey.pem + -cert sm2_tls_server_certs.pem + -key sm2_tls_server_key.pem -pass P@ssw0rd -cipher_suite TLS_SM4_GCM_SM3 -psk_ke diff --git a/include/gmssl/version.h b/include/gmssl/version.h index 482a2b9d..753e8b26 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1111" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1112" int gmssl_version_num(void); const char *gmssl_version_str(void);