diff --git a/go.mod b/go.mod
index 636b2e19..ba2a6662 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/scaffolding
-go 1.18
+go 1.19
 require (
 github.com/go-openapi/strfmt v0.21.3
@@ -8,6 +8,7 @@ require (
 github.com/go-sql-driver/mysql v1.6.0
 github.com/golang/glog v1.0.0
 github.com/google/certificate-transparency-go v1.1.3
+ github.com/google/go-cmp v0.5.8
 github.com/google/trillian v1.5.0
 github.com/google/uuid v1.3.0
 github.com/hashicorp/hcl v1.0.0
@@ -17,10 +18,10 @@ require (
 github.com/sigstore/cosign v1.11.1
 github.com/sigstore/fulcio v0.5.3
 github.com/sigstore/rekor v0.11.0
- github.com/sigstore/sigstore v1.4.0
- github.com/theupdateframework/go-tuf v0.3.1
+ github.com/sigstore/sigstore v1.4.1-0.20220908184735-abe183b160e9
+ github.com/theupdateframework/go-tuf v0.5.0
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
- golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
+ golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
 google.golang.org/genproto v0.0.0-20220805133916-01dd62135a58
 google.golang.org/grpc v1.49.0
 google.golang.org/protobuf v1.28.1
@@ -43,7 +44,7 @@ require (
 contrib.go.opencensus.io/exporter/stackdriver v0.13.12 // indirect
 github.com/Microsoft/go-winio v0.5.2 // indirect
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
- github.com/aws/aws-sdk-go v1.44.80 // indirect
+ github.com/aws/aws-sdk-go v1.44.93 // indirect
 github.com/benbjohnson/clock v1.1.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bgentry/speakeasy v0.1.0 // indirect
@@ -56,7 +57,7 @@ require (
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
- github.com/coreos/go-oidc/v3 v3.2.0 // indirect
+ github.com/coreos/go-oidc/v3 v3.3.0 // indirect
 github.com/coreos/go-semver v0.3.0 // indirect
 github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
@@ -93,7 +94,6 @@ require (
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/btree v1.1.2 // indirect
- github.com/google/go-cmp v0.5.8 // indirect
 github.com/google/go-containerregistry v0.11.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
@@ -156,7 +156,7 @@ require (
 github.com/spiffe/go-spiffe/v2 v2.1.1 // indirect
 github.com/stretchr/testify v1.8.0 // indirect
 github.com/subosito/gotenv v1.3.0 // indirect
- github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
+ github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
@@ -191,15 +191,15 @@ require (
 go.uber.org/multierr v1.8.0 // indirect
 go.uber.org/zap v1.22.0 // indirect
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
- golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 // indirect
- golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c // indirect
+ golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b // indirect
+ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
- golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
+ golang.org/x/sys v0.0.0-20220907062415-87db552b00fd // indirect
 golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
 golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
 golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 golang.org/x/tools v0.1.12 // indirect
- google.golang.org/api v0.93.0 // indirect
+ google.golang.org/api v0.95.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index fb032e8c..6aa64029 100644
--- a/go.sum
+++ b/go.sum
@@ -181,8 +181,8 @@ github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.44.80 h1:jEXGecSgPdvM5KnyDsSgFhZSm7WwaTp4h544Im4SfhI= -github.com/aws/aws-sdk-go v1.44.80/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.44.93 h1:hAgd9fuaptBatSft27/5eBMdcA8+cIMqo96/tZ6rKl8= +github.com/aws/aws-sdk-go v1.44.93/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= 
@@ -262,8 +262,8 @@ github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkE github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-oidc/v3 v3.2.0 h1:2eR2MGR7thBXSQ2YbODlF0fcmgtliLCfr9iX6RW11fc= -github.com/coreos/go-oidc/v3 v3.2.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= +github.com/coreos/go-oidc/v3 v3.3.0 h1:Y1LV3mP+QT3MEycATZpAiwfyN+uxZLqVbAHJUuOJEe4= +github.com/coreos/go-oidc/v3 v3.3.0/go.mod h1:eHUXhZtXPQLgEaDrOVTgwbgmz1xGOkJNye6h3zkD2Pw= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= @@ -452,7 +452,7 @@ github.com/go-playground/validator/v10 v10.11.0 h1:0W+xRM511GY47Yy3bZUbJVitCNg2B github.com/go-playground/validator/v10 v10.11.0/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU= github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= -github.com/go-rod/rod v0.109.1 h1:658X/G9xyQKjFUNo5apMsIyHpEb/KJnJ5LkAl6a62AI= +github.com/go-rod/rod v0.109.3 h1:MxuSJGK9lEUq07K+QPfnxnuvQpsQT+YI4SoQjSE0LVg= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
@@ -624,6 +624,7 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 
@@ -1007,13 +1008,17 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= -github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 
@@ -1179,8 +1184,8 @@ github.com/sigstore/fulcio v0.5.3 h1:fwdl2BHv1RjL3GJJ44T+tPsvmQ028zv54psxVhSwUGA github.com/sigstore/fulcio v0.5.3/go.mod h1:4yzMqOao6r9Nul1Dgt4LL7loKdkkgbDemLYrXUuAc+Y= github.com/sigstore/rekor v0.11.0 h1:2x1Sy3fu3VSWbl/2fwTyFPqs5fehY++EqdTFWWT6+Mo= github.com/sigstore/rekor v0.11.0/go.mod h1:xEfHnfiQJ/yJVCz41/OglUrDID71gICzixJjYFrQeN0= -github.com/sigstore/sigstore v1.4.0 h1:5A3eUhbSQkhiqJNUPi/2UMKdTyb3NKfWcVjaTBkkaJk= -github.com/sigstore/sigstore v1.4.0/go.mod h1:z3kt1jm2A39M+g7emkQ8jdErL/haCMEjkNxvqTf41/k= +github.com/sigstore/sigstore v1.4.1-0.20220908184735-abe183b160e9 h1:yvNMALJQjiRSjOB3bHWE1bfyhwoKYEq/nJ2fetXd2kM= +github.com/sigstore/sigstore v1.4.1-0.20220908184735-abe183b160e9/go.mod h1:dZodsbajYeE3w4kyKpv2V18mZo29lb7zVY/oDn8UHIU= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 
@@ -1262,22 +1267,23 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI= github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs= github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= -github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 h1:epCh84lMvA70Z7CTTCmYQn2CKbY8j86K7/FAIr141uY= -github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc= +github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= +github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48= github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 h1:iGnD/q9160NWqKZZ5vY4p0dMiYMRknzctfSkqA4nBDw= github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613/go.mod 
h1:g6AnIpDSYMcphz193otpSIzN+11Rs+AAIIC6rm1enug= github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8= -github.com/theupdateframework/go-tuf v0.3.1 h1:NkjMlCuLcDpHNtsWXY4lTmbbQQ5nOM7JSBbOKEEiI1c= -github.com/theupdateframework/go-tuf v0.3.1/go.mod h1:lhHZ3Vt2pdAh15h0Cc6gWdlI+Okn2ZznD3q/cNjd5jw= +github.com/theupdateframework/go-tuf v0.5.0 h1:aQ7i9CBw4q9QEZifCaW6G8qGQwoN23XGaZkOA+F50z4= +github.com/theupdateframework/go-tuf v0.5.0/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/timakin/bodyclose v0.0.0-20200424151742-cb6215831a94/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk= @@ -1516,8 +1522,8 @@ golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM= +golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1594,14 +1600,12 @@ golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200505041828-1ed23360d12c/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200930145003-4acb6c075d10/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 
@@ -1633,8 +1637,8 @@ golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 h1:N9Vc/rorQUDes6B9CNdIxAn5jODGj2wzfrei2x4wNj4= -golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b h1:ZmngSVLe/wycRns9MKikG9OWIEjGcGAkacif7oYQaUY= +golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1661,9 +1665,8 @@ golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= -golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= -golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c h1:q3gFqPqH7NVofKo3c3yETAP//pPI+G5mvB7qqj1Y5kY= -golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 h1:2o1E+E8TpNLklK9nHiPiK1uzIYrIHt+cQx3ynCwq9V8= +golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1738,7 +1741,6 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1798,8 +1800,9 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220907062415-87db552b00fd h1:AZeIEzg+8RCELJYq8w+ODLVxFgLMMigSwO/ffKPEd9U= +golang.org/x/sys v0.0.0-20220907062415-87db552b00fd/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -2004,8 +2007,8 @@ google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= -google.golang.org/api v0.93.0 h1:T2xt9gi0gHdxdnRkVQhT8mIvPaXKNsDNWz+L696M66M= -google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.95.0 h1:d1c24AAS01DYqXreBeuVV7ewY/U8Mnhh47pwtsgVtYg= +google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -2216,7 +2219,6 @@ gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXL gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98= diff --git a/pkg/ctlog/config.go b/pkg/ctlog/config.go index 66fcd88c..75f016a8 100644 --- a/pkg/ctlog/config.go +++ b/pkg/ctlog/config.go @@ -22,7 +22,7 @@ package ctlog import ( "bytes" "context" - "crypto/ecdsa" + "crypto" "crypto/rand" "crypto/x509" "encoding/pem" 
@@ -65,9 +65,9 @@ const (
 // technically they are not part of the config, however because we create a
 // secret/CM that we then mount, they need to be synced.
 type CTLogConfig struct {
- PrivKey *ecdsa.PrivateKey
+ PrivKey crypto.PrivateKey
 PrivKeyPassword string
- PubKey *ecdsa.PublicKey
+ PubKey crypto.PublicKey
 LogID int64
 LogPrefix string
@@ -115,14 +115,19 @@ func (c *CTLogConfig) String() string {
 for _, fulcioCert := range c.FulcioCerts {
 sb.WriteString(fmt.Sprintf("fulciocert:\n%s\n", string(fulcioCert)))
 }
- if marshaledPub, err := x509.MarshalPKIXPublicKey(c.PrivKey.Public()); err == nil {
- pubPEM := pem.EncodeToMemory(
- &pem.Block{
- Type: "PUBLIC KEY",
- Bytes: marshaledPub,
- },
- )
- sb.WriteString(fmt.Sprintf("PublicKey:\n%s\n", pubPEM))
+ // Note this goofy cast to crypto.Signer since the any interface has no
+ // methods so cast here so that we get the Public method which all core
+ // keys support.
+ if signer, ok := c.PrivKey.(crypto.Signer); ok {
+ if marshaledPub, err := x509.MarshalPKIXPublicKey(signer.Public()); err == nil {
+ pubPEM := pem.EncodeToMemory(
+ &pem.Block{
+ Type: "PUBLIC KEY",
+ Bytes: marshaledPub,
+ },
+ )
+ sb.WriteString(fmt.Sprintf("PublicKey:\n%s\n", pubPEM))
+ }
 }
 return sb.String()
 }
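Review bot: Declaring `PrivKey` as `crypto.PrivateKey` in the CTLogConfig struct hunk makes the field an empty interface, so the compiler no longer guarantees it can produce a public key. The later hunks for String, MarshalConfig and marshalSecrets each compensate with their own runtime assertion to `crypto.Signer`. Typing the field as the interface those callers need, `PrivKey crypto.Signer`, keeps RSA and ECDSA support while moving the check to the single place a key is loaded. If the field stays as it is, it deserves a comment such as `// PrivKey must implement crypto.Signer; ECDSA and RSA keys are expected.` The struct body continues outside the hunk.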
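Review bot: In the String() hunk a failed `crypto.Signer` assertion now drops the `PublicKey:` section silently, the same way a `MarshalPKIXPublicKey` error already did, so a config holding a nil or unsupported key prints as if it were complete. An `else` branch that says so keeps the output usable for debugging: `} else { sb.WriteString(fmt.Sprintf("PublicKey: unavailable for key type %T\n", c.PrivKey)) }`. The comment would also read better as `// crypto.PrivateKey is an empty interface; assert crypto.Signer to reach Public().`, since this is a type assertion rather than a cast; the same comment is repeated in the MarshalConfig and marshalSecrets hunks.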
@@ -169,20 +174,10 @@ func Unmarshal(ctx context.Context, in map[string][]byte) (*CTLogConfig, error)
 ret.TrillianServerAddr = multiConfig.Backends.GetBackend()[0].GetBackendSpec()
 // Then we need to decode public key
- pubPEM, _ := pem.Decode(public)
- if pubPEM == nil {
- return nil, fmt.Errorf("did not find valid public PEM data")
- }
- pubKey, err := x509.ParsePKIXPublicKey(pubPEM.Bytes)
+ var err error
+ ret.PubKey, err = cryptoutils.UnmarshalPEMToPublicKey(public)
 if err != nil {
- return nil, fmt.Errorf("failed to parse public key from PEM data: %w", err)
- }
- if ret.PubKey, ok = pubKey.(*ecdsa.PublicKey); !ok {
- return nil, fmt.Errorf("Not an ecdsa PublicKey")
- }
- privPEM, _ := pem.Decode(private)
- if privPEM == nil {
- return nil, fmt.Errorf("did not find valid private PEM data")
+ return nil, fmt.Errorf("failed to unmarshal public key: %w", err)
 }
 privProto, err := logConfig.PrivateKey.UnmarshalNew()
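Review bot: The removed `*ecdsa.PublicKey` assertion was the only key-type gate on the public key in Unmarshal, and nothing visible in this hunk replaces it, so `ret.PubKey` now holds whatever type `cryptoutils.UnmarshalPEMToPublicKey` is able to parse. An explicit allowlist after the error check keeps the accepted set to the key types this change appears meant to support (ECDSA and RSA, judging by the PKCS#1 fallback and the test constants elsewhere in the commit; confirm against what the CT frontend accepts). That needs `crypto/ecdsa` kept and `crypto/rsa` added to config.go's imports, where this commit removes the former and does not add the latter. Unmarshal's body starts and ends outside the hunk.

```go
	ret.PubKey, err = cryptoutils.UnmarshalPEMToPublicKey(public)
	// … unchanged: err check …
	switch ret.PubKey.(type) {
	case *ecdsa.PublicKey, *rsa.PublicKey:
		// supported
	default:
		return nil, fmt.Errorf("unsupported public key type %T", ret.PubKey)
	}
```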
@@ -194,17 +189,22 @@ func Unmarshal(ctx context.Context, in map[string][]byte) (*CTLogConfig, error)
 return nil, fmt.Errorf("Not a valid PEMKeyFile in proto")
 }
- privatePEMBlock, err := x509.DecryptPEMBlock(privPEM, []byte(pb.Password))
- if err != nil {
- return nil, fmt.Errorf("failed to decrypt private PEMKeyFile: %w", err)
+ privPEM, _ := pem.Decode(private)
+ if privPEM == nil {
+ return nil, fmt.Errorf("did not find valid private PEM data")
 }
 ret.PrivKeyPassword = pb.Password
- privKey, err := x509.ParsePKCS8PrivateKey(privatePEMBlock)
+
+ privatePEMBlock, err := x509.DecryptPEMBlock(privPEM, []byte(pb.Password))
 if err != nil {
- return nil, fmt.Errorf("failed to parse private key PEM: %w", err)
+ return nil, fmt.Errorf("failed to decrypt private PEMKeyFile: %w", err)
 }
- if ret.PrivKey, ok = privKey.(*ecdsa.PrivateKey); !ok {
- return nil, fmt.Errorf("Not an ecdsa PrivateKey")
+
+ if ret.PrivKey, err = x509.ParsePKCS8PrivateKey(privatePEMBlock); err != nil {
+ // Try it as RSA
+ if ret.PrivKey, err = x509.ParsePKCS1PrivateKey(privatePEMBlock); err != nil {
+ return nil, fmt.Errorf("failed to parse private key PEM: %w", err)
+ }
 }
 // If there's legacy rootCA entry, check it first.
@@ -238,7 +238,15 @@ func (c *CTLogConfig) MarshalConfig(ctx context.Context) (map[string][]byte, err
 for i := range c.FulcioCerts {
 rootPems = append(rootPems, fmt.Sprintf("%sfulcio-%d", rootsPemFileDir, i))
 }
- keyDER, err := x509.MarshalPKIXPublicKey(c.PrivKey.Public())
+ var pubkey crypto.Signer
+ var ok bool
+ // Note this goofy cast to crypto.Signer since the any interface has no
+ // methods so cast here so that we get the Public method which all core
+ // keys support.
+ if pubkey, ok = c.PrivKey.(crypto.Signer); !ok {
+ logging.FromContext(ctx).Fatalf("Failed to convert private key to crypto.Signer")
+ }
+ keyDER, err := x509.MarshalPKIXPublicKey(pubkey.Public())
 if err != nil {
 logging.FromContext(ctx).Panicf("Failed to marshal the public key: %v", err)
 }
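Review bot: The parse fallback in Unmarshal stores whatever `ParsePKCS8PrivateKey` returns without checking that it implements `crypto.Signer`, so an unsupported key type is accepted here and only surfaces later in MarshalConfig or marshalSecrets. Asserting once at load time, as sketched below, turns that into an ordinary error at the point where the secret is read; nothing in the visible hunks compares the loaded private key with `ret.PubKey` either, which may be worth adding if it is not done further down. When both parsers fail, only the PKCS#1 error is wrapped, which is misleading for a malformed PKCS#8 key. Separately, `x509.DecryptPEMBlock` (moved, not introduced, by this hunk) has been deprecated since Go 1.16 because legacy PEM encryption does not authenticate the ciphertext. The function body continues outside the hunk.

```go
	// … unchanged: PEM decode and DecryptPEMBlock …
	parsed, pkcs8Err := x509.ParsePKCS8PrivateKey(privatePEMBlock)
	if pkcs8Err != nil {
		// Fall back to PKCS#1, the RSA-only encoding.
		rsaKey, pkcs1Err := x509.ParsePKCS1PrivateKey(privatePEMBlock)
		if pkcs1Err != nil {
			return nil, fmt.Errorf("failed to parse private key PEM as PKCS#8 (%v) or PKCS#1: %w", pkcs8Err, pkcs1Err)
		}
		parsed = rsaKey
	}
	signer, isSigner := parsed.(crypto.Signer)
	if !isSigner {
		return nil, fmt.Errorf("unsupported private key type %T", parsed)
	}
	ret.PrivKey = signer
```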
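Review bot: In the MarshalConfig hunk the failed assertion calls `Fatalf`, which presumably terminates the process as zap-style loggers do, from a method whose signature in the hunk header looks like it returns an error (the header is truncated, so confirm). A nil or non-signer `PrivKey` is a caller error rather than a reason to exit, and marshalSecrets already handles the same case by returning one: `return nil, fmt.Errorf("private key of type %T does not implement crypto.Signer", c.PrivKey)`. The neighbouring `Panicf` on the marshal error is pre-existing but has the same shape. The function starts and ends outside the hunk.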
@@ -301,7 +309,17 @@ func (c *CTLogConfig) marshalSecrets() (map[string][]byte, error) {
 return nil, fmt.Errorf("failed to encode encrypted private key")
 }
 // Encode public key to PKIX ASN.1 PEM.
- marshalledPubKey, err := x509.MarshalPKIXPublicKey(c.PrivKey.Public())
+ var pubkey crypto.Signer
+ var ok bool
+
+ // Note this goofy cast to crypto.Signer since the any interface has no
+ // methods so cast here so that we get the Public method which all core
+ // keys support.
+ if pubkey, ok = c.PrivKey.(crypto.Signer); !ok {
+ return nil, fmt.Errorf("failed to convert private key to crypto.Signer")
+ }
+
+ marshalledPubKey, err := x509.MarshalPKIXPublicKey(pubkey.Public())
 if err != nil {
 return nil, fmt.Errorf("failed to marshal public key: %w", err)
 }
diff --git a/pkg/ctlog/config_test.go b/pkg/ctlog/config_test.go
index dbca028e..03e21975 100644
--- a/pkg/ctlog/config_test.go
+++ b/pkg/ctlog/config_test.go
@@ -17,9 +17,11 @@ package ctlog
 import (
 "bytes"
 "context"
+ "crypto"
 "crypto/ecdsa"
 "crypto/elliptic"
 "crypto/rand"
+ "crypto/rsa"
 "crypto/x509"
 b64 "encoding/base64"
 "encoding/pem"
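Review bot: In the marshalSecrets hunk the variable named `pubkey` holds a `crypto.Signer`, i.e. the private key, which is easy to misread in a function that also encodes the encrypted private key a few lines above. The two `var` declarations plus the assignment can be one line with an accurate name, as String() already does: `signer, ok := c.PrivKey.(crypto.Signer)`, followed by `x509.MarshalPKIXPublicKey(signer.Public())`. The MarshalConfig hunk uses the same `pubkey` name. The function continues outside the hunk.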
@@ -71,118 +73,162 @@ GGAJmZL9EFfEmELHi1+ygSM2QxjRSzcPk1oEZeHY/PyTyFIu1X/HSZW8i9m5VOfy KTkomoSY/OxE/5doBCACehThH+96joWfgC0rXi9qAwZ6hwIMJAKy -----END CERTIFICATE----- ` - testConfig = "YmFja2VuZHM6e2JhY2tlbmQ6e25hbWU6InRyaWxsaWFuIn19ICBsb2dfY29uZmlnczp7Y29uZmlnOntsb2dfaWQ6MjAyMiAgcHJlZml4OiIyMDIyLWN0bG9nIiAgcm9vdHNfcGVtX2ZpbGU6Ii9jdGZlLWtleXMvZnVsY2lvLTAiICBwcml2YXRlX2tleTp7W3R5cGUuZ29vZ2xlYXBpcy5jb20va2V5c3BiLlBFTUtleUZpbGVdOntwYXRoOiIvY3RmZS1rZXlzL3ByaXZrZXkucGVtIiAgcGFzc3dvcmQ6Im15dGVzdHBhc3N3b3JkIn19ICBwdWJsaWNfa2V5OntkZXI6IjBZMFx4MTNceDA2XHgwNypceDg2SFx4Y2U9XHgwMlx4MDFceDA2XHgwOCpceDg2SFx4Y2U9XHgwM1x4MDFceDA3XHgwM0JceDAwXHgwNNWwXHhlM1x4YTZYXHhjZS9ceGE1XHg5NFx4ZjZceGM2Plx4ODJceGJje1x4ZGVceGYwfG0rXHhkMVx4Y2U7XHg4NVx4YmZceGYyXHhmOFx4OTRceGYwfVx4ZDlceDFkPlx4N2ZKKFx4YzY+cVx4OGZceGM4XHgwZVx4YTJdXHgxNFx4ODhceGM4XHhkNX7Du2ZzXHhlZVx4OTlceDFicVx4MGVgR1x4ZWZceGUyQlx4ZjQifSAgZXh0X2tleV91c2FnZXM6IkNvZGVTaWduaW5nIiAgbG9nX2JhY2tlbmRfbmFtZToidHJpbGxpYW4ifX0=" - privateKeyEncoded = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ0JDLDJiNDU2MGUyY2RlMGE3ZWM0NjZlMzkzYWRmYmE0Y2I0CiAgICAgICAKVUk4d2lUbXhNajhKWXVHSUFEMnpKVjRmQjZHUE9wUGhxSldYdlR3RWFucHBzTXN3UUFCaVZ5NWdkSi9BNThQVAo0ZTFFSDM4Y3Z3YTBMQjQ2SHBoZW9vWCtJM2RHdHlzRUpFR0d3QXMwYUhkU25aeVV3TnRpalRUQkZJcWxzd3pKCnI2WmJ4dmlxZVRmRm80ZUtEMGorRjlja2R3d2dGT2YzRHdaUUMrNEN1cVNqczdaZkFKZEF6Lys0c2JRd1ZzQUIKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=" + // testConfigECDSA contains above cert in it as well as privateKeyEncoded and + // publicKeyEncoded. 
+ testConfigECDSA = "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" - publicKeyEncoded = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFT3Y1bzVXV0tZaVVSODdzNGZpMEpKbU1EUVV2cQpSck1mNGRlQnpzV3BCWVdVK1Y4TXVDMkh6aTFOTHI4czRlQ0J5dWVDZmFQWFN4STgzUkowamEwbnd3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" + // ECDSA private key + privateKeyEncodedECDSA = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tClByb2MtVHlwZTogNCxFTkNSWVBURUQKREVLLUluZm86IEFFUy0yNTYtQ0JDLDJiNDU2MGUyY2RlMGE3ZWM0NjZlMzkzYWRmYmE0Y2I0CiAgICAgICAKVUk4d2lUbXhNajhKWXVHSUFEMnpKVjRmQjZHUE9wUGhxSldYdlR3RWFucHBzTXN3UUFCaVZ5NWdkSi9BNThQVAo0ZTFFSDM4Y3Z3YTBMQjQ2SHBoZW9vWCtJM2RHdHlzRUpFR0d3QXMwYUhkU25aeVV3TnRpalRUQkZJcWxzd3pKCnI2WmJ4dmlxZVRmRm80ZUtEMGorRjlja2R3d2dGT2YzRHdaUUMrNEN1cVNqczdaZkFKZEF6Lys0c2JRd1ZzQUIKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=" + + // ECDSA public key + publicKeyEncodedECDSA = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFT3Y1bzVXV0tZaVVSODdzNGZpMEpKbU1EUVV2cQpSck1mNGRlQnpzV3BCWVdVK1Y4TXVDMkh6aTFOTHI4czRlQ0J5dWVDZmFQWFN4STgzUkowamEwbnd3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" + + // This is for RSA, since previously deployed CTLog used RSA. 
+ testConfigRSA = "YmFja2VuZHM6e2JhY2tlbmQ6e25hbWU6InRyaWxsaWFuIiBiYWNrZW5kX3NwZWM6ImxvZy1zZXJ2ZXIudHJpbGxpYW4tc3lzdGVtLnN2Yzo4MCJ9fSBsb2dfY29uZmlnczp7Y29uZmlnOntsb2dfaWQ6ODMxMzUyNzQxMDgyOTkwNTY3OSBwcmVmaXg6InNpZ3N0b3Jlc2NhZmZvbGRpbmciIHJvb3RzX3BlbV9maWxlOiIvY3RmZS1rZXlzL3Jvb3RzLnBlbSIgcHJpdmF0ZV9rZXk6e1t0eXBlLmdvb2dsZWFwaXMuY29tL2tleXNwYi5QRU1LZXlGaWxlXTp7cGF0aDoiL2N0ZmUta2V5cy9wcml2a2V5LnBlbSIgcGFzc3dvcmQ6InRlc3QifX0gcHVibGljX2tleTp7ZGVyOiIwXHg4Mlx4MDJcIjBcclx4MDZcdCpceDg2SFx4ODZceGY3XHJceDAxXHgwMVx4MDFceDA1XHgwMFx4MDNceDgyXHgwMlx4MGZceDAwMFx4ODJceDAyXG5ceDAyXHg4Mlx4MDJceDAxXHgwMFx4YjlceGEzSVx4YTVceGI4XHgxNTlceGU0Qlx4ODdceGMzWlx4MTZceDExXHgwMHPknY1ceGVmXHhiYzlkXHg4YVx4YjZTXHg5Zlx4YThMXHgxMNWGXHgwNVx4MGJceGU1XHgwY01ceGNlMlx4YjZceGYwXHg4MFx4OTVceDAxd1x4YTBA0rdGXHg4NipceDgxRFx4YWU3XHhmZFx4ZDlrMlx4YmNzflx4ZTF5XHhkOFx4MTZceGY2XHRceDEyXHLKm1xuXHJceDFhXHg5N1x4ZTZceGIyXHhlYVx4YzBceGZhXHhiY2VceGE1cFx4ODhceDk3XHg4YTdceGZmXHhmMVx4Y2V2XHgxY1x4ZGZcbsiwLVx4ZGNceGQ0e1x4Zjl+XHgxMCRceDk2XHhiYzggXHhlMlx4MWVceGMyXHhkMlx4ZjNceGM3aVx4MGUtXHg4ZVx4YjZceDg0Llx4MDVceDE3JVx4ZTRceGExXHgwZlx4Y2POjVVWOVx4MThEJVx4YTdceDgzT1wielx4YTdceGU3ZHRceGExRExceGFjXHhlN3pybFx4MTBceGQ3QFx4OWVdXHhmMGRceGQxUl5fOVx4ZmRceGE3PzQgXHhmN1x4MTNcXFx4Y2ZceGU5XHhjN2xceDAzKVx4ZTljXHhkYlx4MDE4MVx4OTl9XHhlZjJceDhmRVNIXHhmZmdceGY4XHhjYklceGI5XHhiOVx4ODNceGEyXHhhNlx4ZDBceDAxY1x4ODc/c1x4MDNceGZiXHg4N1x4ZTlIXHhkYXlceDAzXHhmM2RdXHhiYXtceDgzXHgxY1x4YjdcXFx4YTZceDA2PVx4MTNceGU0XHhlYlx4ZDNceGRlXHgxMVx4YTdWX2tQXHg4Ylx4YzBceDhkXHhmY1x4ZmFnXHhiOFx4YzBmS1x4YjQtYVx4Y2RTXHhlY25ceDhhXHg4MUxdXHgwNFx4MDBceGFmXHhlMVnUl1x4MGZiIVx4MDNceGJhOXYlXHgwY1x4ODNceGYxXHgxOVx4YWM6XHgwYnRceGZjXHg4NlFceGIyXHhjY1x4ZjBceGJiMVx4ZWVceGFiXHhlMERceDAzXHg5Yy1ceGRkalx4YTRceDg4MllQVFx4OTBceDEyXHg4Y0R5dFx4Y2RvcDVceDFmeVx4ZmR2XHhjN1x4MTZceGIwXHgwNDFccnRDXHgxOTckXHgxMFx4ZDJceGUxXHgxZFx4OTBFXHgxNSnuqYtceGNjXHhlZDp1XHhhMFx4ZTRceDEwXHhkNGJZXHhmY1x4MDTDsybOgVFceGRkRlBFXHhmMWs6Wlx4YjZceDlibWpceDE1XHhkN1dceGM1XHhkZVx4ZTdBXHhmMlx4ODdceGRiXHgxNVx4ZTBAXHg4Zlx0XHg4M9mWXHg4M
EVJXHgxZFx4YTVceGFjXHg5Mlx4Y2Jmelx4ODJceDg1M3dceDkzXHg4MVx4ZWVceGM0a1x4YjZceGJlWWxceDk0XHgxYTpgXHhlNFx4ZjJceDBjXHhmMFx4YTAjXHg3Zlx4YmEvWlx4ZDA6fVx4ZTNceDAyXHgwYlVbXHhmNi1ceGQzUlx4OWRceDBi4pGE2ZJceDk3XHg5Y1RceDdmXHhmMVhceGIw66yvXHgxOVx4OGNceDg3XHhmNlx4ZTBceDFhTV9aZ9yXXHhmMng9XHhhMVJsXHhhYlx4OWRiXHhmMVx4ZjFnPVZceDhmaVx4ZWNceDdmXHhlM1x4ZjhceDFmXHhkYlx4MWJiXHhlMGtceDkxXHhkN1x4YzdeXHgwMFx4MTQ0XHhkM1dceGViXHhhZFVceGQ1XHhkZlx4MDJceDAzXHgwMVx4MDBceDAxIn0gZXh0X2tleV91c2FnZXM6IkNvZGVTaWduaW5nIiBsb2dfYmFja2VuZF9uYW1lOiJ0cmlsbGlhbiJ9fQ==" + + privateKeyEncodedRSA = "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" + + publicKeyEncodedRSA = "LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXVhTkpwYmdWT2VSQ2g4TmFGaEVBYytTZGplKzhPV1NLdGxPZnFFd1ExWVlGQytVTVRjNHkKdHZDQWxRRjNvRURTdDBhR0tvRkVyamY5MldzeXZITis0WG5ZRnZZSkVnM0ttd29OR3BmbXN1ckErcnhscFhDSQpsNG8zLy9IT2RoemZDc2l3TGR6VWUvbCtFQ1NXdkRnZzRoN0MwdlBIYVE0dGpyYUVMZ1VYSmVTaEQ4ek9qVlZXCk9SaEVKYWVEVHlKNnArZGtkS0ZFVEt6bmVuSnNFTmRBbmwzd1pORlNYbDg1L2FjL05DRDNFMXpQNmNkc0F5bnAKWTlzQk9ER1pmZTh5ajBWVFNQOW4rTXRKdWJtRG9xYlFBV09IUDNNRCs0ZnBTTnA1QS9Oa1hicDdneHkzWEtZRwpQUlBrNjlQZUVhZFdYMnRRaThDTi9QcG51TUJtUzdRdFljMVQ3RzZLZ1V4ZEJBQ3Y0Vm5VbHc5aUlRTzZPWFlsCkRJUHhHYXc2QzNUOGhsR3l6UEM3TWU2cjRFUURuQzNkYXFTSU1sbFFWSkFTakVSNWRNMXZjRFVmZWYxMnh4YXcKQkRFTmRFTVpOeVFRMHVFZGtFVVZLZTZwaTh6dE9uV2c1QkRVWWxuOEJNT3pKczZCVWQxR1VFWHhhenBhdHB0dAphaFhYVjhYZTUwSHloOXNWNEVDUENZUFpsb0JGU1IybHJKTExabnFDaFROM2s0SHV4R3Uydmxsc2xCbzZZT1R5CkRQQ2dJMys2TDFyUU9uM2pBZ3RWVy9ZdDAxS2RDK0tSaE5tU2w1eFVmL0ZZc091c3J4bU1oL2JnR2sxZldtZmMKbC9KNFBhRlNiS3VkWXZIeFp6MVdqMm5zZitQNEg5c2JZdUJya2RmSFhnQVVOTk5YNjYxVjFkOENBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==" ) +// testConfig wraps the private,public, and config into a single struct +// so that we can test with different keys. 
+type testConfig struct { + private string + public string + config string +} + +var testConfigs = map[string]testConfig{ + "rsa": { + private: privateKeyEncodedRSA, + public: publicKeyEncodedRSA, + config: testConfigRSA}, + "ecdsa": { + private: privateKeyEncodedECDSA, + public: publicKeyEncodedECDSA, + config: testConfigECDSA}, +} + func TestUnmarshal(t *testing.T) { - in, err := createBaseConfig(t) - if err != nil { - t.Fatalf("failed to createBaseConfig: %v", err) - } - config, err := Unmarshal(context.Background(), in) - if err != nil { - t.Fatalf("Failed to unmarshal: %v", err) - } - t.Logf("Got: %s", config.String()) - if len(config.FulcioCerts) != 1 || bytes.Compare(config.FulcioCerts[0], []byte(existingRootCert)) != 0 { - t.Errorf("Fulciosecrets differ") + for k, v := range testConfigs { + t.Logf("unmarshaling with %s", k) + in, err := createBaseConfig(t, v) + if err != nil { + t.Fatalf("failed to createBaseConfig: %v", err) + } + config, err := Unmarshal(context.Background(), in) + if err != nil { + t.Fatalf("Failed to unmarshal: %v", err) + } + t.Logf("Got: %s", config.String()) + if len(config.FulcioCerts) != 1 || bytes.Compare(config.FulcioCerts[0], []byte(existingRootCert)) != 0 { + t.Errorf("Fulciosecrets differ") + } } } func TestRoundTrip(t *testing.T) { - privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privateKeyECDSA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { t.Fatalf("Failed to generate Private Key: %v", err) } - - configIn := &CTLogConfig{ - PrivKey: privateKey, - PrivKeyPassword: "mytestpassword", - PubKey: privateKey.Public().(*ecdsa.PublicKey), - LogID: 2022, - LogPrefix: "2022-ctlog", - } - configIn.FulcioCerts = append(configIn.FulcioCerts, []byte(existingRootCert)) - - marshaledConfig, err := configIn.MarshalConfig(context.Background()) + privateKeyRSA, err := rsa.GenerateKey(rand.Reader, bitSize) if err != nil { - t.Fatalf("Failed to marshal: %v", err) - } - configOut, err := 
Unmarshal(context.Background(), marshaledConfig) - if err != nil { - t.Fatalf("Failed to unmarshal: %v", err) - } - if !reflect.DeepEqual(configIn, configOut) { - t.Errorf("Things differ=%s", cmp.Diff(configIn, configOut, cmpopts.IgnoreUnexported(CTLogConfig{}))) + t.Fatalf("Failed to generate Private Key: %v", err) } + for k, v := range map[string]crypto.PrivateKey{"rsa": privateKeyRSA, "ecdsa": privateKeyECDSA} { + t.Logf("testing with %s", k) + var ok bool + var signer crypto.Signer + if signer, ok = v.(crypto.Signer); !ok { + t.Errorf("failed to convert to Signer") + } + configIn := &CTLogConfig{ + PrivKey: v, + PrivKeyPassword: "mytestpassword", + PubKey: signer.Public(), + LogID: 2022, + LogPrefix: "2022-ctlog", + } + configIn.FulcioCerts = append(configIn.FulcioCerts, []byte(existingRootCert)) - if configIn.PrivKey == nil || configOut.PrivKey == nil || !configOut.PrivKey.Equal(configIn.PrivKey) { - t.Errorf("Private Keys differ") + marshaledConfig, err := configIn.MarshalConfig(context.Background()) + if err != nil { + t.Fatalf("Failed to marshal: %v", err) + } + configOut, err := Unmarshal(context.Background(), marshaledConfig) + if err != nil { + t.Fatalf("Failed to unmarshal: %v", err) + } + if !reflect.DeepEqual(configIn, configOut) { + t.Errorf("Things differ=%s", cmp.Diff(configIn, configOut, cmpopts.IgnoreUnexported(CTLogConfig{}))) + } } } func TestAddNewFulcioAndRemoveOld(t *testing.T) { ctx := context.TODO() - in, err := createBaseConfig(t) - if err != nil { - t.Fatalf("failed to createBaseConfig: %v", err) - } - config, err := Unmarshal(ctx, in) - if err != nil { - t.Fatalf("Failed to unmarshal: %v", err) - } + for k, v := range testConfigs { + t.Logf("testing with %s", k) + in, err := createBaseConfig(t, v) + if err != nil { + t.Fatalf("failed to createBaseConfig: %v", err) + } + config, err := Unmarshal(ctx, in) + if err != nil { + t.Fatalf("Failed to unmarshal %s: %v", k, err) + } - newFulcioCert, err := createTestCert(t) - if err != nil { - 
t.Fatalf("Failed to create a test certificate: %v", err) - } - config.AddFulcioRoot(ctx, newFulcioCert) - marshaled, err := config.MarshalConfig(context.Background()) - if err != nil { - t.Fatalf("Failed to MarshalConfig: %v", err) - } + newFulcioCert, err := createTestCert(t) + if err != nil { + t.Fatalf("Failed to create a test certificate: %v", err) + } + config.AddFulcioRoot(ctx, newFulcioCert) + marshaled, err := config.MarshalConfig(context.Background()) + if err != nil { + t.Fatalf("Failed to MarshalConfig: %v", err) + } - // Now test that we have configuration that trusts both Fulcio roots - // simulating while one is being spun down. - expected := [][]byte{} - expected = append(expected, []byte(existingRootCert), newFulcioCert) - validateFulcioEntries(ctx, marshaled, expected, t) + // Now test that we have configuration that trusts both Fulcio roots + // simulating while one is being spun down. + expected := [][]byte{} + expected = append(expected, []byte(existingRootCert), newFulcioCert) + validateFulcioEntries(ctx, marshaled, expected, t) - newConfig, err := Unmarshal(ctx, marshaled) - if len(newConfig.FulcioCerts) != 2 { - t.Fatalf("Unexpected number of FulcioCerts, got %d", len(newConfig.FulcioCerts)) - } + newConfig, err := Unmarshal(ctx, marshaled) + if len(newConfig.FulcioCerts) != 2 { + t.Fatalf("Unexpected number of FulcioCerts, got %d", len(newConfig.FulcioCerts)) + } - // Now for our next trick, pretend we're rotating, so take out the - // existing entry from the trusted certs. - newConfig.RemoveFulcioRoot(ctx, []byte(existingRootCert)) - marshaledNew, err := newConfig.MarshalConfig(context.Background()) - if err != nil { - t.Fatalf("Failed to marshal new configuration after removal: %v", err) - } + // Now for our next trick, pretend we're rotating, so take out the + // existing entry from the trusted certs. 
+ newConfig.RemoveFulcioRoot(ctx, []byte(existingRootCert)) + marshaledNew, err := newConfig.MarshalConfig(context.Background()) + if err != nil { + t.Fatalf("Failed to marshal new configuration after removal: %v", err) + } - // Now test that we have configuration that trusts only the new Fulcio - // root, simulating that the old one has been spun down. - expected = make([][]byte, 0) - expected = append(expected, []byte(newFulcioCert)) - validateFulcioEntries(ctx, marshaledNew, expected, t) + // Now test that we have configuration that trusts only the new Fulcio + // root, simulating that the old one has been spun down. + expected = make([][]byte, 0) + expected = append(expected, []byte(newFulcioCert)) + validateFulcioEntries(ctx, marshaledNew, expected, t) + } } -func createBaseConfig(t *testing.T) (map[string][]byte, error) { +func createBaseConfig(t *testing.T, tc testConfig) (map[string][]byte, error) { t.Helper() - c, err := b64.StdEncoding.DecodeString(testConfig) + c, err := b64.StdEncoding.DecodeString(tc.config) if err != nil { return nil, fmt.Errorf("Failed to decode testConfig: %w", err) } - private, err := b64.StdEncoding.DecodeString(privateKeyEncoded) + private, err := b64.StdEncoding.DecodeString(tc.private) if err != nil { return nil, fmt.Errorf("Failed to decode privateKeyEncoded: %w", err) } - public, err := b64.StdEncoding.DecodeString(publicKeyEncoded) + public, err := b64.StdEncoding.DecodeString(tc.public) if err != nil { return nil, fmt.Errorf("Failed to decode publicKeyEncoded: %w", err) }
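Review bot: In TestAddNewFulcioAndRemoveOld the error from `newConfig, err := Unmarshal(ctx, marshaled)` is still never checked, so a failure for either key type becomes a nil dereference on `newConfig.FulcioCerts` instead of a readable test failure. Add `if err != nil { t.Fatalf("Failed to unmarshal %s: %v", k, err) }` right after the call. TestRoundTrip has the same shape: the failed `crypto.Signer` assertion uses `t.Errorf` and then calls `signer.Public()`, so it should be `t.Fatalf`. Because the cases run inside a plain `for` over a map, a `Fatalf` for one key type skips the other in random order; wrapping each iteration in `t.Run(k, func(t *testing.T) { ... })` would report RSA and ECDSA separately. The tests cover only the success path, so a case asserting that Unmarshal rejects a wrong password or an unexpected key type would cover the behaviour this commit relaxes. createBaseConfig continues outside the hunk.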