diff --git a/test/testdata/tsa-mtls-cacert.pem b/test/testdata/tsa-mtls-cacert.pem
new file mode 100644
index 000000000000..75fb89408cb4
--- /dev/null
+++ b/test/testdata/tsa-mtls-cacert.pem
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFRjCCAy6gAwIBAgICB+MwDQYJKoZIhvcNAQELBQAwNTEOMAwGA1UEChMFbG9j +YWwxIzAhBgNVBAMTGlRlc3QgVFNBIFRpbWVzdGFtcGluZyBSb290MB4XDTIzMDcx +NDIyMTczNFoXDTMzMDcxNDIyMjczNFowNTEOMAwGA1UEChMFbG9jYWwxIzAhBgNV +BAMTGlRlc3QgVFNBIFRpbWVzdGFtcGluZyBSb290MIICIjANBgkqhkiG9w0BAQEF +AAOCAg8AMIICCgKCAgEAu7qD+j8SmKRw0Vs9CJKnI499aDYdUtrAucvcal7Catrb +uTMzGCdjbuanwZy4OTDoyZmmwyfBVV/i588g68sJunKaMzXw81FXV2JtDBD6m26s +hezZ399Occ5dk7PYxFUXulzozIo8xqEaieVYM4psg8exwvNIWxhhAcBgtBepgJqo +N3f5WVPexG/1Td6MGAjJhFnaHN4wgDPQ4N4MoVpHXpug0sp+wLIUEtgqIS3heW9l +FD2DNVXZxcUxLTn3qU4DY8t7VTP4LeAqWnIwoQw9CGX1aJTze0198sHMaF7dA5oZ +02wcwr3Ag8kSCgTjrx8EBUzv8O+18UOabd2szNcDlXsgUCRIVcGZ3uKS5WEhj8Pf +B2xkkqO02LuFM8iGWaLiiIMKhISRiHY5vZNOnFubU3zs/6K9aX9XNwZrYFitfcpc +/YyiRefwqyJC5AlDDMQqXbRcAreildmIAGGYSuThOSaHr0k24VarUvEpcIDNufFS +JogMbCYoBx/lU2xNL/pFdx4XqSX6wgSlSQpbgVj924H2kaMiRAiNVIBNLV29RFCh +B/g6I0stggYEKwaP4j6eyyubnL6lBbqjY6NLrG/dKADghJRI02S2hCNiVzcZ0ovC +GShjvTdMLvOLMuqCGBTOFjyyQMohjaRZYFZSG6BSWXAl2pLfcWbx62/GBok51nUC +AwEAAaNgMF4wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O +BBYEFAdXDBWL8SjEP5mZ8QhOUGK5/KuhMBwGA1UdEQQVMBOBEWlhbWNhQGV4YW1w +bGUuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQBFvZ77bDLgEOhL7Tb4TfTwpirKrsdJ +tjCQcZ2kTitVihG/blnHs/jQMJTxx2thAdBE9Z5m5bGZ9wltu8XxXmvwt/l7weYk +oCLpElt9ZOhcZW4ujUleERZPp3jmfjwgWQHcW5T+IifcRZiARqfHDNA2yog+v5iW +V3L4jHU7y382cE50VI9hLeu97/Sd+/2UkOcEugaZNDcJ2lJfjBrDAdOxtHlooX+Z +NglRc297sB+ewKxig68U2CDB5+vQyfcIyV6lUQNoAtklH+w9n/ZPa5rUpKEsoUb4 +OhYCVOV36UJpGyWBLC1nHxPNPcteRfIbRijZFLfNs5fIPdGPktbbsNkCEU2AVpxD +6FvEz+lzuBsYC8mMM10mv02f6AoS82/q+Z83g0nhbw1o9BxN3cDTT7p49bmPB3+W +eCKCnxE8FCR66CfuLVvw2rKMeRVlXE9wWT8Q09xMe0c9XOuU9gvBu1U9UwQqsBhL +k0mKpR6q1a3vaAHHvV5B7pvlo3GRH1aoAbvtIEpHtD+5nr935SArkIxe4TVUBOM0 +SfpepiOfytbAYmW9//pulz1EujxKwBNgjs8Mho8Aj1/OGjRfQzao0S/9ZLZGsC0S +UyJ4O7NNdft0E8b/TBZ8D9HyRxLzPJjoAbhYB191oeMf0kjDTzE4knwDmkW1Xv5J +kAX1gdQ8SKfdsg== +-----END CERTIFICATE----- 
diff --git a/test/testdata/tsa-mtls-client-key.pem b/test/testdata/tsa-mtls-client-key.pem
new file mode 100644
index 000000000000..9b14f1af1037
--- /dev/null
+++ b/test/testdata/tsa-mtls-client-key.pem
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAwXAkR3o2/ig//0RWmfE8fjJ8gjZTGVWNlgBHxrPK0TFnHK+o +vgoUCBs+stErdV/5hnfeDsCl1cTjqSP+AL6CM8VQU3en1AeZw9uXdfFF4MYypvji +ZHdXRo9eGfQzAwZZyPXij1S7KpN68uxk/lO7dleeIJ5FM7bAVzgKgDYffDsWSIC2 +GvKLboKdb0JUSDr8+1HOX6M64ehs5Kr6nKaOvzPn9mp+Y00J7t7O9Df7qDLu7Eve +vCk0KZcsxB4N6Pbg/GE1/QlYfv8FfbqODXKi5TSmFH42UMqFnsj3l7YHQ7gg/mlk +/K6BQYda2y/FMObJ5r5ztvNkWRYrsLtwge8EVLD1/TayjB8unGiGBZj5QNrbEwED +X3OxKdgp3iC5lWJtWD3vuea1SeH3V77vM2nXOm6TxD815vQ4WcRUDBCvkhEEt+Ol +mibFJe2kK/z34emWcbCXTkG5KZXp6VxsXpdOou9vGxPcSjsk4ncbq+2HQ4K4g0mZ +JBjJMUyu25+PIiYa+b7vOwZ0VSMAQ44TPHXBANQYbx0UnGhoZ/lMHL6hI2YXskSO +wgqNoN+IDlMH7iiUhfQcr+WZg57gHRZ3uO0WcpHlYWKHPPyZ7vDen/lStOHkQCAV +t4DKsD01xlhx5BRNXujgFNhGDc63CgkKygBd1P8kGkDm/2IBlbwUWwja5hMCAwEA +AQKCAgB4r/fipKzU69Xp9QA3Mdy1O9iVAUHdh5Q751bg8WH0HOehbTNRxkXzPNRk +ir6bj9LGA9mGyMlu01XbPLqISlQ/6raQLRKH5moYWdRo4KzhbadCp/vQBOlt+5sR +hFujYn34NPkyxgG0sak/ESB90U4fqtDctwKkHjxo7m0Wyy3fu5nOiIeVzogR3epN +9UtSeYNHZiXlY5kkQ3hVPxv3Sq+7Oa5a/tx2JiWxZFAo7RjVO1n4EeoY6XhDDq/+ +eGXjWMzMifY+NmuBaKlLZW6lk0VwzeVk2c4XoBO4GtjnTcnAhYwIT0eTo2i/sqyM +HoTgWs3TajYWCkssjfmaXYf3eWHwQZECABxYV723T7bB02Hgmz5yNsIr2qkfi69G +PY2DfO5TxFlDkbCbWZ55WNiJJ7XImvydozebm+Non4KucllTS/pkmFrMrX5k7WeA +jp5wErSIQ0mdLcn/gEiiKxsMhRpgjxVv1geJ8xTRNXMd3b2tYsDUkKUZFAX5IRme +b/aggrgCGI6RQg5FVWfyCWrD2Z1b9UZh2dv2SBxl1/+F2CaDK5bl5y7iQHtj+pPB +9TudKP2s0nJizzwvHSGa8qtSRUqGeiaMFW5Z1Chtovuvk78dcxQQvXqmY8kdYvoL +gdeBXxzhBfG/JCZRrH0DEgxQeyxQ6MXH8ME0WJyXLns3iuXo0QKCAQEAxdMahNjs +gv38HzGqQxf6QwU37mhcoNs8ZgkcUgCtk7kQd3XeI6rMfsaJYU/cFwJb2YyZAfPl +gFIaKhnNwtpKuQzwJfvwhp0ZAkFUoGIzhY2/nx8qo4pDPd7Pxq3jRyRMKQ3IzJOj +fd5/7eNMcPV+E4+CZ28i3VQjXcsJ3NUv/SMdOIS9FKojorV1HfYNRWnML386GKpP +n6fm5veBnZFv8RZdl0ZaV7I3UY7LV5nqf/fS7qD/wsgdy0LNr/y9L9tAZsZbW6hT +vW2bnVhkB+bwSQmuw+3UBXd3pPnTlgi0F7V1dSVPirbdJk6pxi55XI4Vqc8kkQ2W +suvVlr8qJF42yQKCAQEA+lLNc275KJbVjq44v+jNJo0aDjoNN7eHoHQAd5qj6XbZ +zJe5JVqifOR+J+rlpmU/vulmoXri+MeV+kkumgQ/9DQBjITS05HzPRzR85cZHMNM 
+7OAZANP9ieKaFy+S5ZZo30X5eLrLBfvSlbb/K6gyYgRs8VrikNreEYhlIZcjjlWc +0tglTKgRvFAxuGP5X9pauUg9r+BI6h45IcYSiCtIyLTDgyLX70bLqynWFLhSZ2M4 +NsrWDD9keoMFNR4/e+m8ysEFieOOF4JQNki+KOmvW+uBKn+hBr0UF+Pnt0qiFjx9 +d0se0j+8FPxClzK5Vkp43FFa8lN549BzUyDgCgY3+wKCAQB53qF5sgGSeVG3Deus +RbtBSpe4YcaeujEtUvOFeTF1zg7c6VoecvxkJX9A2efmrOdU0I76avy53tqLkTX3 +km9yLQxM+jalV2auwvyVianf3wFrz9F+ypC+LuOlrD5V94CL0hggH9wakNYTAXJ4 +LGStPD3D5u19mHXpNEoxJ4zWz6kSxoONlXs6o7sw6AIo/xJxOFncFB/VZaSUKWpK +Xeyug27I4OiLGhmGPwf6QbH7f/sMU1b88jeYnuEESBlswA+ewRhLERn1mu7BMlD9 +pUHmXPazcXKqo3yrv9Sfm2EHMhzYPFISTLFVBiUFGGBfqpCh+iC2075BH5SHt+EI +YpoxAoIBAQCRdQARbZC2tz8NE8vCKELdfeyAC9eWYr0azY1f8qoAhaF1s0xQmmQE +8rkj9OjRUdBC3VlXyBKPwVoy/8dmk8Wd34Ju5tejPRH8lvyg8VIUVqAinO2qf4S6 +VMR5aJmRc18pLn4SW2iR54yslpOcCLaOIkgzzz4MMkIMKhep9ysgEDt6gULbUmZL +6MWbgexseHNzarj9s/RqpnlIWNJ38b7vcaqSTvLvBVJf+YV+sMShcxQ9MoxCvatj +TTL/dL4rAN1Fa/gN8f6lRoHZqVdmarQNU8HQsi0dv00nvLTu2x1okmnNogcc4RAn +mZYQSddMfyXP0C5q1XrkmEILMfU9nfN1AoIBAByhRqdXU459lMaY3gSzr40dWWEV +m+xG48nFpqT4uOBfHEpfLZDKzaFL8uqKsNgg3TJTbHHVMW3F2IfgqnRTmMoqdvm5 +pGn0Ig+8PqCMfajtXmpEKAstAvie13Wob5iurTlSO5cWq25VVYMK+uwwwVEcN6Ma +KI6grnGK0M+t2PUVYkrCw4eT8FbrphL2BcjluINxSlSY4QnZvesKBxSpnTnLqSep +aVftFApOeiv3nJE6pFQKCWZfAF0gWBvr5ERNBBjikhkB0pryVQpQdESNsjQBdbQS +lWdzPuwFckcohNl2cwgdMPuopGHvNToG1HFxuxnLychrBDqkcIZGjKx+PcU= +-----END RSA PRIVATE KEY----- diff --git a/test/testdata/tsa-mtls-client.pem b/test/testdata/tsa-mtls-client.pem new file mode 100644 index 000000000000..a0286d287ffe --- /dev/null +++ b/test/testdata/tsa-mtls-client.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFmDCCA4CgAwIBAgICB+MwDQYJKoZIhvcNAQELBQAwNTEOMAwGA1UEChMFbG9j +YWwxIzAhBgNVBAMTGlRlc3QgVFNBIFRpbWVzdGFtcGluZyBSb290MB4XDTIzMDcx +NDIyMjczNloXDTMzMDcxNDIyMjczNlowdTELMAkGA1UEBhMCVVMxCTAHBgNVBAgT +ADEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkGA1UECRMSR29sZGVuIEdhdGUg +QnJpZGdlMQ4wDAYDVQQREwU5NDAxNjEWMBQGA1UEChMNQ29tcGFueSwgSU5DLjCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMFwJEd6Nv4oP/9EVpnxPH4y +fII2UxlVjZYAR8azytExZxyvqL4KFAgbPrLRK3Vf+YZ33g7ApdXE46kj/gC+gjPF +UFN3p9QHmcPbl3XxReDGMqb44mR3V0aPXhn0MwMGWcj14o9UuyqTevLsZP5Tu3ZX +niCeRTO2wFc4CoA2H3w7FkiAthryi26CnW9CVEg6/PtRzl+jOuHobOSq+pymjr8z +5/ZqfmNNCe7ezvQ3+6gy7uxL3rwpNCmXLMQeDej24PxhNf0JWH7/BX26jg1youU0 +phR+NlDKhZ7I95e2B0O4IP5pZPyugUGHWtsvxTDmyea+c7bzZFkWK7C7cIHvBFSw +9f02sowfLpxohgWY+UDa2xMBA19zsSnYKd4guZVibVg977nmtUnh91e+7zNp1zpu +k8Q/Neb0OFnEVAwQr5IRBLfjpZomxSXtpCv89+HplnGwl05BuSmV6elcbF6XTqLv +bxsT3Eo7JOJ3G6vth0OCuINJmSQYyTFMrtufjyImGvm+7zsGdFUjAEOOEzx1wQDU +GG8dFJxoaGf5TBy+oSNmF7JEjsIKjaDfiA5TB+4olIX0HK/lmYOe4B0Wd7jtFnKR +5WFihzz8me7w3p/5UrTh5EAgFbeAyrA9NcZYceQUTV7o4BTYRg3OtwoJCsoAXdT/ +JBpA5v9iAZW8FFsI2uYTAgMBAAGjcjBwMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA4G +A1UdDgQHBAUBAgMEBjBJBgNVHREEQjBAghJjbGllbnQuZXhhbXBsZS5jb22BEmNs +aWVudEBleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG +9w0BAQsFAAOCAgEAP6BGs5aZD+TJcPuaoRLg54rZNzDrjrM8rClvnlKkKct7P9vz ++43GQy2VT9oFSCxbR+Vh9qJ7VeIfhV9Q44ANBjoXJiCA7d4pIXF9OiNyXgv+/ub6 +X8kOeyI/NGHndDI18mI5Obfujf6B2ZN2J1m/4MTG+Hqrz9oxSYzjTclPRyG6yd3/ +fDASfQ40j4VInu31UYyOSnCDJVQAdyAKAHkKQtkS6xlDVtZpp2eZRwslx56CeR9l +OP76Djt4kLlGV69u41Y5l1R6OjqYEXs6AKnCiVqBI+u20SJGPVUFYbYqPsuzPj75 +Krbz46vlNPhtetJQJGasPo/a/F+r2KFIr1C4li9GW62Y5SZy2mw2vsQNca0dXj1r +F/KdlPfpq48qUKrdriP/f33VmFgrLggzytzUnYdcgVDVImLI/ORtL7XivPaOoZyv +Ugtew/LlZyJAYv7Xv5j8W/lacGUAaE6m/zdvhLG6a9oxxqd3yhcb7XfF5TVtbE+7 +RhTQDOeHSDG6J8w7JD2cuXq0omcZCDV8f/7UByYKz5q4yuA0+2MVpSb2h1Eloh5u +LLt1ZaDZIaK+MLKZIXYeR7uBYFSyB+7/6FTRiFjfbbvH4/w2PA0/Y+8BHKJpQFna 
+QYTHWmzOZeWuzPnGpXNVKEPdPcILwh/Z9/2Gr2/SFQT7V3spgw0ybxIcAvQ= +-----END CERTIFICATE----- diff --git a/test/testdata/tsa-mtls-server-key.pem b/test/testdata/tsa-mtls-server-key.pem new file mode 100644 index 000000000000..fd3419d26e3f --- /dev/null +++ b/test/testdata/tsa-mtls-server-key.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAwZTs2PzRw9JgVv1h5Q0EZvhYHe0WBkD04bkpS0SVTy+X0Mww +jR3MsuSlZq1nSYHMdzop/bM11bmdYVveMtMFJBBNxPx4IPvpd5psURoSLDtTu/N0 +7pPNEUh7sdKqRkbAM7E9LwvO7zsS7WsO51X8O+bNTYWffQzuXghsMWukbMPYnUAG +NllCytLIlIQ48SKTy6GiURPvpwPftqXnWTPSOQzaBJ+OxOOSI8XliGPirDjPMv2u +jpaHaVC9O3wLehsz6gC0QNHeBDZu/teL2L0+ydmCIpM+Yj+d+zjh/hdzWr+d7yHt +yPZxUYO23RyAQ55GtQ+hxUtJRmoNq84k23FcTM+1yMiZkSSu7rrh6ZWX57W8h486 +NtSLIbF0qgniGGUQi01LYw2AkjmiAnjU4utL6HB2OJt07UbkywbEm3pPobAGkRMx +IEqVu7OI1+e3xQitocfRoy8F4DMnx12UdyjZImX1fw4UnRLslx7yPSEKJKfD2PGB +Lh5NoEJeepPRYARkCbMp0yrRxYP5nJV1+srAoONvYCVFOhjSdQ62csLg2f5eNXmz +rxhkEAqLJzs8rt9c4of5ok2ekFn4GAOXI8ifY/2eP7ySnHlis+hJelOBLAzb0PTE +wG4dm0urRIBGSvkaWDiNO9kFe1H7AtdweaX4nSDMoex8jYkeTX9XWq62cEUCAwEA +AQKCAgBMDcqP5aQ0Hy8ifiI770VPfzp/Z2pDwrlzBWAn5iYTGku3CMH6bz7A+fvR +v0bZJlnCbeOZfRMliOtAGOvPZACdDpq/TcGUk+RBzTXJF0kUf6qCKUBDi2YB6ExQ +rMehHKLerD+xgB4o9ziUdn9AfBPBJQh78IechbwQzZZUREoxQTCVd1X5fFA1h2Ku +ltQYSNFwK2yuFfsNzwPRqpSeAzIQn+/36Qgaap4718A6OaQQrbEaA3jVJGbHBaWS +/UU1EALxaJ1o6gsj9I7fKKgU2yUUAJSUKO1VhFD5JnwDbAsyGB5gmR/m2Ivkzq7F +aDEsX76/3AhejxmWxIvid/cbEAqGovTEL70BZcAk2l0N1FoxLnWT7wx28MaJlaQM +lp13vtK2lsWZbvJRTGhqjtnx5aDuovIckJ3ietMbcvXdVSw0Ph3Ac+H77x4Mf4tX +reSbAqWrYgOsMnCp6tC9xhvUP9o0zZU5Z58y2iU0QleKxh7bnTjb4O14Vbttx0PM +JfZdr7mdfkRAb6oYkpsf0UvtJFzjfhNWxexPYhbhcJh3np14GiZoHolCicq/GCC/ +cSpbhco8O1bft8LYToPN550jt9e2P8Vq5en/q49GHe56zfzncr3Zs9QcLrzWp+79 +jn20efvCcunsyfiKoOYZBkGHwFrQQEIVvh6JBW8wPbtIyEoKgQKCAQEAxp7HOUH2 +oZT3p5AjRM5Ys0thiVB/X5VY4MF5I2o2nSk63Jwn0Y5tHmJeSXzkohGkFVdugUB9 +TvAh5M7iNq+momNA5gYEpJnYeiifpL7TAcy53gAETgh/c8CDp6oS/zDX3ABxo8IB +qNeaPIYQ75bK8XNH38ZPAiGjulHmhWhq6W4TDRSRXbRPoxVCU8oUjYohKrPgyJgc +xa3n5XpcEm4RSC6fFwsvjhUBehfRRnohDXPmD42seh6wei7RTmiWAH1YyeITId2y +sr+0knm+NtXyBljbFT4QbDeKOQC/N5z6pBfl9cKcSjlAUG6iwd1e4OjhGCuFZDE8 +ScN/NX4MWDKiWQKCAQEA+YGE1gB0vi83W9dSF+p5FvnGVH6iw5xRbHaPKyuotToZ ++uxlTjPsFrzO3ZJJ7teD6OSmhVIxwtjMjBfX77wLVf/pg3wpR0+6C9c4NaWJ4F/U 
+8jg+xfoxWM9WQUEG3YNWl2EeJm3dYSxE6Z93Bh/vchq1AO7/XxtybEYhqPimdYYy +iy5dZwo1mmH2T2ULa9fOy3nJ9Uh7tw/+tbk0AkjMsUTr4bW7IBH2E7uui3h+yRBM +eN46pFizR0RSFngOOrdcD08ZH6YuuMR3loLudM1f+DigMROXwlYBb4NK4voEfl47 +O3hXiQSUJ/+wfvCfs9DFvzDH5k7TYB+IH/nF7koHzQKCAQAh60uqg5FS1tXUT9E2 +Fuce92iYwp59/EtJVsERQzpAbKIYurIyH1iTL8laU3HYG5sh6eR9Pj4oFOo04P/Q +xv52DO0wWya/1WYatoVM5SmzzPqQ5v/VM65QXjgdkfXcjsLOV2UQyjjuVKOKYnrR +77aItV843+zuOEB1uTbc4ZAgfSPTwAdzMS/IcgD5vjD0Wvp/CGkC2LdRKvnHPrYq +j5Fz+kJA9TAR25R8/URH/ONYIMrRLSifUk5hD02/Ti0PuFhJYcpSpkG2NPbpbNEH +HFJQsyv23LqBQJriUTZWkQBctZgX+DwokM5i7gHtiZiCYELQld4Z1i6tii1XPUdu +aHdBAoIBAHKUF/xumS39YN68MubotlLmwT1sKjLKRloY2AZrNj6DQAsLJDqVfYWz +jwwRcgJM1jbNSetPo6pnBQgQqwlcwZfsvb+z9QDajAWEADwimP6BA7l4OtuP2bl+ +/Y1Z3106QzmhT8c2DMPjIIJoyK/3Wm579UNIfd2fLRyr2ClQhqDRz8Q6tonrFlKf +Sg2LyYLsx/qJI0WQ079tiPrK4idqZxXBING2Mwi3Nto5Bh7mZtLOuU+IPkXatfm0 +Vj4bQ+2S5qPhHxh5qFsRXhmwZvEcn0XOO0JOTRLhjCc5k9pIFmgxveHBkfFKOP9l +XBfvSGe7KBR0wlfxOwCZelm0ykBznsECggEBAJHfFt7E5mb0iaacC3Rm0bO4iiao +30YbCsnSpVY48mEbKH33Kq3/mt7fs1rO05O1nUfsV0jyzLHYwZJfSX/xlxMOMuUM +PQXi4f4LfAx6D9B/hInYCFeFc4g2hBqGY/AvpxYY71JHY3/XccWq3b4XmTptog11 +kiBVIqALpf7zaLD//sacg70CtA9E+Jj4DG33cKjN2lxIEhRODgMwGEcgzZb1Cv16 +hqe7EApS8KMDLzyjSf6dK5V7A4jkJvJwRAaJZ9obg9djrnCeZldV8JHILTwV4boH +TSI4lYXQqSuLn7Ej2WRB2Wi6DrRnVvqYwbIFPvcE6Hv6EwkQ7C4U+mbtqB4= +-----END RSA PRIVATE KEY----- diff --git a/test/testdata/tsa-mtls-server.pem b/test/testdata/tsa-mtls-server.pem new file mode 100644 index 000000000000..6fafab0d488b --- /dev/null +++ b/test/testdata/tsa-mtls-server.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFmDCCA4CgAwIBAgICB+MwDQYJKoZIhvcNAQELBQAwNTEOMAwGA1UEChMFbG9j +YWwxIzAhBgNVBAMTGlRlc3QgVFNBIFRpbWVzdGFtcGluZyBSb290MB4XDTIzMDcx +NDIyMjczNVoXDTMzMDcxNDIyMjczNVowdTELMAkGA1UEBhMCVVMxCTAHBgNVBAgT +ADEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkGA1UECRMSR29sZGVuIEdhdGUg +QnJpZGdlMQ4wDAYDVQQREwU5NDAxNjEWMBQGA1UEChMNQ29tcGFueSwgSU5DLjCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMGU7Nj80cPSYFb9YeUNBGb4 +WB3tFgZA9OG5KUtElU8vl9DMMI0dzLLkpWatZ0mBzHc6Kf2zNdW5nWFb3jLTBSQQ +TcT8eCD76XeabFEaEiw7U7vzdO6TzRFIe7HSqkZGwDOxPS8Lzu87Eu1rDudV/Dvm +zU2Fn30M7l4IbDFrpGzD2J1ABjZZQsrSyJSEOPEik8uholET76cD37al51kz0jkM +2gSfjsTjkiPF5Yhj4qw4zzL9ro6Wh2lQvTt8C3obM+oAtEDR3gQ2bv7Xi9i9PsnZ +giKTPmI/nfs44f4Xc1q/ne8h7cj2cVGDtt0cgEOeRrUPocVLSUZqDavOJNtxXEzP +tcjImZEkru664emVl+e1vIePOjbUiyGxdKoJ4hhlEItNS2MNgJI5ogJ41OLrS+hw +djibdO1G5MsGxJt6T6GwBpETMSBKlbuziNfnt8UIraHH0aMvBeAzJ8ddlHco2SJl +9X8OFJ0S7Jce8j0hCiSnw9jxgS4eTaBCXnqT0WAEZAmzKdMq0cWD+ZyVdfrKwKDj +b2AlRToY0nUOtnLC4Nn+XjV5s68YZBAKiyc7PK7fXOKH+aJNnpBZ+BgDlyPIn2P9 +nj+8kpx5YrPoSXpTgSwM29D0xMBuHZtLq0SARkr5Glg4jTvZBXtR+wLXcHml+J0g +zKHsfI2JHk1/V1qutnBFAgMBAAGjcjBwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4G +A1UdDgQHBAUBAgMEBjBJBgNVHREEQjBAghJzZXJ2ZXIuZXhhbXBsZS5jb22BEnNl +cnZlckBleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG +9w0BAQsFAAOCAgEAJXVHzcT4WU9WkAJj4joALB7HQYU/uKLkb4S4CVlLvS1UvZ2X +TIsyEpsKR2bPOADXh627OEuP5RIRx4TIgRvYy7ESzQHDad3qoy442kW8QBbt0ed1 +X6LfHKX2tG9XW3RYIRV5cmYNG0Jmxz2udf47LzOBe9SghuAWMO+yG5Sq1HNGKtRf +H4/mmkK6umd+/REc86fLeMvMWlafzdLg65dFE4kOUzQVdJvuPmS8BSExk1skvBBp +XuLOVg5sJGHHnPt96pAZODtKlWS4rimuLWZxTXjAxTHAIWXu0lhCbvwpiZ0Oi/oO +hrKOdb7XP7wxGNktt92VeRYs/cnHtVyM+acijym4l6S1NWXtH4imVJnxV8eUvRXC +x82Lc9RoIdlBf+WcT6OysL4OyNDGjQ3YvVj5hpN4xuFAXnnDWJfq6OLyIoWwapZg +CqaM5qOvR3Ej+uSc61nu8WkDvIc7lUkfJiucW/89F2PRKPxSqBRyejywJMneg6C2 +TDAYEpuSERfbBiM9td17p07jjesW6zpAqcyXWM0N8MbDr4/gPjOoyN78cVVBquFu +DI1duVMOxQAG46xz/oId0or98eVlMqbVtuqn73qia/3uYRRiv8hk5tGFxiCQnxMt 
+iCZDD7PZeyEyg9zgR4f0HQt2t89FD0O+QiFeIpi6kCDI2LIYQOZ5735hst4= +-----END CERTIFICATE----- diff --git a/test/tsa-mtls.sh b/test/tsa-mtls.sh new file mode 100755 index 000000000000..3cf40ded2abf --- /dev/null +++ b/test/tsa-mtls.sh 
@@ -0,0 +1,70 @@
+#!/bin/bash
+set -euo pipefail
+
+## Requirements
+# - cosign
+# - crane
+# - go
+
+which cosign
+
+CERT_BASE="testdata"
+
+TIMESTAMP_CACERT=$CERT_BASE/tsa-mtls-cacert.pem
+TIMESTAMP_CLIENT_CERT=$CERT_BASE/tsa-mtls-client.pem
+TIMESTAMP_CLIENT_KEY=$CERT_BASE/tsa-mtls-client-key.pem
+TIMESTAMP_SERVER_CERT=$CERT_BASE/tsa-mtls-server.pem
+TIMESTAMP_SERVER_KEY=$CERT_BASE/tsa-mtls-server-key.pem
+TIMESTAMP_SERVER_NAME="server.example.com"
+TIMESTAMP_SERVER_URL=https://localhost:3000/api/v1/timestamp
+
+rm -fr /tmp/timestamp-authority
+git clone https://github.com/sigstore/timestamp-authority /tmp/timestamp-authority
+pushd /tmp/timestamp-authority
+make
+popd
+/tmp/timestamp-authority/bin/timestamp-server serve --disable-ntp-monitoring --tls-host 0.0.0.0 --tls-port 3000 \
+ --scheme https --tls-ca $TIMESTAMP_CACERT --tls-key $TIMESTAMP_SERVER_KEY --tls-certificate $TIMESTAMP_SERVER_CERT &
+export PATH="/tmp/timestampserver:$PATH"
+
+IMG=${IMAGE_URI_DIGEST:-}
+if [[ "$#" -ge 1 ]]; then
+ IMG=$1
+elif [[ -z "${IMG}" ]]; then
+ # Upload an image to ttl.sh - commands from https://docs.sigstore.dev/cosign/keyless/
+ SRC_IMAGE=busybox
+ SRC_DIGEST=$(crane digest busybox)
+ IMAGE_URI=ttl.sh/$(uuidgen | head -c 8 | tr 'A-Z' 'a-z')
+ crane cp $SRC_IMAGE@$SRC_DIGEST $IMAGE_URI:3h
+ IMG=$IMAGE_URI@$SRC_DIGEST
+fi
+
+echo "IMG (IMAGE_URI_DIGEST): $IMG, TIMESTAMP_SERVER_URL: $TIMESTAMP_SERVER_URL"
+
+GOBIN=/tmp GOPROXY=https://proxy.golang.org,direct go install -v github.com/dmitris/gencert@latest
+
+rm -f *.pem import-cosign.* key.pem
+
+
+# use gencert to generate CA, keys and certificates
+echo "generate keys and certificates with gencert"
+
+passwd=$(uuidgen | head -c 32 | tr 'A-Z' 'a-z')
+rm -f *.pem import-cosign.* && /tmp/gencert && COSIGN_PASSWORD="$passwd" cosign import-key-pair --key key.pem
+
+COSIGN_PASSWORD="$passwd" cosign sign --timestamp-server-url "${TIMESTAMP_SERVER_URL}" \
+ --timestamp-client-cacert ${TIMESTAMP_CACERT} --timestamp-client-cert ${TIMESTAMP_CLIENT_CERT} \
+ --timestamp-client-key ${TIMESTAMP_CLIENT_KEY} --timestamp-server-name ${TIMESTAMP_SERVER_NAME}\
+ --upload=true --tlog-upload=false --key import-cosign.key --certificate-chain cacert.pem --cert cert.pem $IMG
+
+# key is now longer needed
+rm -f key.pem import-cosign.*
+
+echo "cosign verify:"
+cosign verify --insecure-ignore-tlog --insecure-ignore-sct --check-claims=true \
+ --certificate-identity-regexp 'xyz@nosuchprovider.com' --certificate-oidc-issuer-regexp '.*' \
+ --certificate-chain cacert.pem $IMG
+
+# cleanup
+rm -fr ca-key.pem cacert.pem cert.pem /tmp/timestamp-authority
+pkill timestamp-server
\ No newline at end of file
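Review bot: Cleanup only runs on the success path: with `set -euo pipefail` and no `trap`, any failing step after the `timestamp-server serve ... &` line skips the closing `rm -fr ...` and `pkill timestamp-server`, leaving the server running and the generated key material (`key.pem`, `import-cosign.*`, `ca-key.pem`) on disk. The server is started with `--tls-host 0.0.0.0` although the client only talks to `localhost`, so binding to `127.0.0.1` would keep the test listener off other interfaces. The fixed `/tmp/timestamp-authority` and `/tmp/gencert` locations are predictable on a shared runner, and `export PATH="/tmp/timestampserver:$PATH"` prepends a directory that nothing in this script creates; a `mktemp -d` work directory (also used for `GOBIN`) with that export dropped avoids both. Separately, `gencert@latest` and the unpinned `git clone` make CI build and run whatever is currently at the head of both repositories, so pinning each to a reviewed tag or commit would be worth doing.

```shell
# … unchanged: requirement check and TIMESTAMP_* variables …

WORKDIR=$(mktemp -d)
TSA_PID=""
cleanup() {
	if [[ -n "$TSA_PID" ]]; then
		kill "$TSA_PID" 2>/dev/null || true   # server may already have exited
	fi
	rm -rf -- "${WORKDIR:?}" ca-key.pem cacert.pem cert.pem key.pem import-cosign.*
}
trap cleanup EXIT

git clone https://github.com/sigstore/timestamp-authority "$WORKDIR/timestamp-authority"
make -C "$WORKDIR/timestamp-authority"
"$WORKDIR/timestamp-authority/bin/timestamp-server" serve --disable-ntp-monitoring --tls-host 127.0.0.1 --tls-port 3000 \
	--scheme https --tls-ca "$TIMESTAMP_CACERT" --tls-key "$TIMESTAMP_SERVER_KEY" --tls-certificate "$TIMESTAMP_SERVER_CERT" &
TSA_PID=$!

# … unchanged: image selection, gencert key generation, cosign sign and verify …
# the trailing `rm -fr …` and `pkill timestamp-server` lines are covered by the EXIT trap
```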