diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index f9fb1e0..416357f 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Jun 13 07:05:41 UTC 2017 - dimstar@opensuse.org + +- Add python-pyOpenSSL=replace-expired-cert.patch: the root cert + expired, mking the test suite fail. Replace the certificate with + a new one, valid for 20 years (gh#pyca/pyopenssl#637). + ------------------------------------------------------------------- Fri May 5 21:32:55 UTC 2017 - toddrme2178@gmail.com @@ -27,7 +34,7 @@ Wed Apr 26 14:20:27 UTC 2017 - toddrme2178@gmail.com For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. - * Automatically set ``SSL_CTX_set_ecdh_auto()`` on + * Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``. - Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``. - Rebase bug-lp-1265482.diff diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 9a842fa..206ec47 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec 
@@ -31,13 +31,15 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe Patch0: bug-lp-1265482.diff Patch1: skip-networked-test.patch Patch2: rsa128-i586.patch +# PATCH-FIX-UPSTREAM python-pyOpenSSL=replace-expired-cert.patch gh#pyca/pyopenssl#637 dimstar@opensuse.org -- the root cert expired +Patch3: python-pyOpenSSL=replace-expired-cert.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: openssl-devel -BuildRequires: fdupes -BuildRequires: python-rpm-macros +BuildRequires: %{python_module cryptography >= 1.3.4} BuildRequires: %{python_module devel} BuildRequires: %{python_module setuptools} -BuildRequires: %{python_module cryptography >= 1.3.4} +BuildRequires: fdupes +BuildRequires: openssl-devel +BuildRequires: python-rpm-macros BuildRequires: python3-Sphinx %if %{with tests} BuildRequires: %{python_module pytest} @@ -72,6 +74,7 @@ Provides documentation for %{name}. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build %python_build diff --git a/python-pyOpenSSL=replace-expired-cert.patch b/python-pyOpenSSL=replace-expired-cert.patch new file mode 100644 index 0000000..12259eb --- /dev/null +++ b/python-pyOpenSSL=replace-expired-cert.patch 
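Review bot: The new patch file is named `python-pyOpenSSL=replace-expired-cert.patch`, with `=` where a `-` separator was presumably intended. The same spelling is repeated in the `# PATCH-FIX-UPSTREAM` comment and in the .changes entry, so it is at least consistent, but it is unusual next to `skip-networked-test.patch` and `rsa128-i586.patch`. If it is a typo, rename the file and use `Patch3: python-pyOpenSSL-replace-expired-cert.patch`. The BuildRequires reordering in the same hunk is unrelated to the certificate fix and would be easier to audit as a separate change.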
@@ -0,0 +1,222 @@
+From 6eeb0ef13e578d8b51ca332e43c581484ac965b2 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 11 Jun 2017 12:36:25 -1000
+Subject: [PATCH 1/4] the root cert expired, make a new one (using the same
+ values)
+
+The new one lasts 20 years. If this project is still in use in 20 years
+we have failed.
+---
+ tests/test_crypto.py | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_crypto.py b/tests/test_crypto.py
+index 10f47180..7f54a11d 100644
+--- a/tests/test_crypto.py
++++ b/tests/test_crypto.py
+@@ -58,7 +58,7 @@ def normalize_privatekey_pem(pem):
+ GOOD_DIGEST = "SHA1"
+ BAD_DIGEST = "monkeys"
+
+-root_cert_pem = b"""-----BEGIN CERTIFICATE-----
++old_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
+ MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
+ BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
+ ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
+@@ -78,6 +78,26 @@ def normalize_privatekey_pem(pem):
+ -----END CERTIFICATE-----
+ """
+
++root_cert_pem = b"""-----BEGIN CERTIFICATE-----
++MIIC6TCCAlKgAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
++BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
++ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMTcwNjExMjIzMjU5
++WhcNMzcwNjA2MjIzMjU5WjBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSUwxEDAO
++BgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMTD1Rlc3Rp
++bmcgUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA+ZpC6Yu6ukTn
++bu5IQd0vWmpwNGZbO773xjpgfNP8nspYRqbIwI1np9FbUkJHvzZRDxrTt/LbFewr
++LhZ0prHIbwJxq3CZe+m9FDjh1IA0yKEcQukA1N3JWnoMLKwQPrCRAW6seUXV2yER
++onDxv/KkOGZtUijoKLXG8ImqK9ssWdsCAwEAAaOBuzCBuDAdBgNVHQ4EFgQUg1V3
++LV4h8UkMCSTnVAkSjch+BK4wgYgGA1UdIwSBgDB+gBSDVXctXiHxSQwJJOdUCRKN
++yH4ErqFcpFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdD
++aGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3Qg
++Q0GCCD0MxODG3rn0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEANFYQ
++R+T70VcZ+SnvURnwviFgCXeedBzCr21meo+DNHbkp2gudB9W8Xrned/wtUBVymy9
++gjB5jINfU7Lci0H57Evsw96UJJVfhXdUMHpqt1RGCoEd9FWnrDyrSy0NysnBT2bH
++lEqxh3aFEUx9IOQ4sgnx1/NOFXBpkRtivl6O0Ec=
++-----END CERTIFICATE-----
++"""
++
+ root_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
+ MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA
+ jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU
+@@ -1646,7 +1666,7 @@ def test_digest(self):
+ `X509.digest` returns a string giving ":"-separated hex-encoded
+ words of the digest of the certificate.
+ """
+- cert = load_certificate(FILETYPE_PEM, root_cert_pem)
++ cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
+ assert (
+ # This is MD5 instead of GOOD_DIGEST because the digest algorithm
+ # actually matters to the assertion (ie, another arbitrary, good
+
+From 30bd9ab3c337900d32b945c8e989e56a524b09f7 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 11 Jun 2017 13:38:34 -1000
+Subject: [PATCH 2/4] this is the same cert. wtf
+
+---
+ tests/test_crypto.py | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/tests/test_crypto.py b/tests/test_crypto.py
+index 7f54a11d..5d0d2aa2 100644
+--- a/tests/test_crypto.py
++++ b/tests/test_crypto.py
+@@ -250,22 +250,22 @@ def normalize_privatekey_pem(pem):
+ """)
+
+ cleartextCertificatePEM = b"""-----BEGIN CERTIFICATE-----
+-MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
++MIIC6TCCAlKgAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
+ BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
+-ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
+-NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
+-MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
+-ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
+-urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
+-2xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
+-1dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
+-FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
+-VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
+-BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
+-b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+-AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
+-hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
+-w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
++ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMTcwNjExMjIzMjU5
++WhcNMzcwNjA2MjIzMjU5WjBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSUwxEDAO
++BgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMTD1Rlc3Rp
++bmcgUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA+ZpC6Yu6ukTn
++bu5IQd0vWmpwNGZbO773xjpgfNP8nspYRqbIwI1np9FbUkJHvzZRDxrTt/LbFewr
++LhZ0prHIbwJxq3CZe+m9FDjh1IA0yKEcQukA1N3JWnoMLKwQPrCRAW6seUXV2yER
++onDxv/KkOGZtUijoKLXG8ImqK9ssWdsCAwEAAaOBuzCBuDAdBgNVHQ4EFgQUg1V3
++LV4h8UkMCSTnVAkSjch+BK4wgYgGA1UdIwSBgDB+gBSDVXctXiHxSQwJJOdUCRKN
++yH4ErqFcpFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdD
++aGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3Qg
++Q0GCCD0MxODG3rn0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEANFYQ
++R+T70VcZ+SnvURnwviFgCXeedBzCr21meo+DNHbkp2gudB9W8Xrned/wtUBVymy9
++gjB5jINfU7Lci0H57Evsw96UJJVfhXdUMHpqt1RGCoEd9FWnrDyrSy0NysnBT2bH
++lEqxh3aFEUx9IOQ4sgnx1/NOFXBpkRtivl6O0Ec=
+ -----END CERTIFICATE-----
+ """
+
+
+From 15fbcdad3ffeb63e267ccec5265e5b456832660e Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 11 Jun 2017 14:12:36 -1000
+Subject: [PATCH 3/4] replace the other certs we need to replace...
+
+---
+ tests/test_crypto.py | 48 ++++++++++++++++++++++++------------------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/tests/test_crypto.py b/tests/test_crypto.py
+index 5d0d2aa2..58caebfa 100644
+--- a/tests/test_crypto.py
++++ b/tests/test_crypto.py
+@@ -150,18 +150,18 @@ def normalize_privatekey_pem(pem):
+ """
+
+ server_cert_pem = b"""-----BEGIN CERTIFICATE-----
+-MIICKDCCAZGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
+-BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
+-VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
+-NzUzWhgPMjAxNzA2MTExMjM3NTNaMBgxFjAUBgNVBAMTDWxvdmVseSBzZXJ2ZXIw
+-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6m+G653V0tpBC/OKl22VxOi2Cv
+-lK4TYu9LHSDP9uDVTe7V5D5Tl6qzFoRRx5pfmnkqT5B+W9byp2NU3FC5hLm5zSAr
+-b45meUhjEJ/ifkZgbNUjHdBIGP9MAQUHZa5WKdkGIJvGAvs8UzUqlr4TBWQIB24+
+-lJ+Ukk/CRgasrYwdAgMBAAGjNjA0MB0GA1UdDgQWBBS4kC7Ij0W1TZXZqXQFAM2e
+-gKEG2DATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOBgQBh30Li
+-dJ+NlxIOx5343WqIBka3UbsOb2kxWrbkVCrvRapCMLCASO4FqiKWM+L0VDBprqIp
+-2mgpFQ6FHpoIENGvJhdEKpptQ5i7KaGhnDNTfdy3x1+h852G99f1iyj0RmbuFcM8
+-uzujnS8YXWvM7DM1Ilozk4MzPug8jzFp5uhKCQ==
++MIICJDCCAY2gAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
++BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
++VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTE3MDYxMjAwMTA1
++N1oXDTM3MDYwNzAwMTA1N1owGDEWMBQGA1UEAwwNbG92ZWx5IHNlcnZlcjCBnzAN
++BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvqb4brndXS2kEL84qXbZXE6LYK+UrhNi
++70sdIM/24NVN7tXkPlOXqrMWhFHHml+aeSpPkH5b1vKnY1TcULmEubnNICtvjmZ5
++SGMQn+J+RmBs1SMd0EgY/0wBBQdlrlYp2QYgm8YC+zxTNSqWvhMFZAgHbj6Un5SS
++T8JGBqytjB0CAwEAAaM2MDQwHQYDVR0OBBYEFINVdy1eIfFJDAkk51QJEo3IfgSu
++MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4GBAGki1K6WgHHJ
++qC6aY2EowjaWOXLO6jUZIhGk7BA7vMRfNug429AOZ4m5F6OQhzmJmlw67Jyu2FeI
++h0VtBuQoHPtjqZXF59oX6hMMmGLMs9pV0UA3fJs5MYA4/V5ZcQy0Ie0QoJNejLzE
++6V1Qz1rRTYLUyEcpI7ZCmBg2KQQI8YZI
+ -----END CERTIFICATE-----
+ """
+
+@@ -217,18 +217,18 @@ def normalize_privatekey_pem(pem):
+ """
+
+ client_cert_pem = b"""-----BEGIN CERTIFICATE-----
+-MIICJjCCAY+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
+-BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
+-VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
+-ODA1WhgPMjAxNzA2MTExMjM4MDVaMBYxFDASBgNVBAMTC3VnbHkgY2xpZW50MIGf
+-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2
+-rn+GrRHRiZ+xkCw/CGNhbtPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xK
+-iku4G/KvnnmWdeJHqsiXeUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7Dtb
+-oCRajYyHfluARQIDAQABozYwNDAdBgNVHQ4EFgQUNQB+qkaOaEVecf1J3TTUtAff
+-0fAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAyv/Jh7gM
+-Q3OHvmsFEEvRI+hsW8y66zK4K5de239Y44iZrFYkt7Q5nBPMEWDj4F2hLYWL/qtI
+-9Zdr0U4UDCU9SmmGYh4o7R4TZ5pGFvBYvjhHbkSFYFQXZxKUi+WUxplP6I0wr2KJ
+-PSTJCjJOn3xo2NTKRgV1gaoTf2EhL+RG8TQ=
++MIICIjCCAYugAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
++BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
++VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTE3MDYxMjAwMDQx
++M1oXDTM3MDYwNzAwMDQxM1owFjEUMBIGA1UEAwwLdWdseSBjbGllbnQwgZ8wDQYJ
++KoZIhvcNAQEBBQADgY0AMIGJAoGBAMBmH9JG02bme0xPipvpjMSlOugyWrauf4at
++EdGJn7GQLD8IY2Fu0+Kvv9DFpSPboFKZCsfDVsYoRs+xaJbtt1dJ6ymX7EqKS7gb
++8q+eeZZ14keqyJd5Rm2q6swQtw9ADD3E8cS6GqpQm+8SgxOycISoYz7sO1ugJFqN
++jId+W4BFAgMBAAGjNjA0MB0GA1UdDgQWBBSDVXctXiHxSQwJJOdUCRKNyH4ErjAT
++BgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOBgQAMqcHyweaCOZNN
++dWQQOsBKQlL5wqVVZwucHPWqobjxpULKy9gS2ha2zbgkXcB/BnBOSwe0Fm+MJV0T
++NbnTghcGJNpEH7VKn4xSLvIGZmnZZWgxeIB16z4GhpkK2fShBJ+6GKZjsgjT0lSH
++JRgjHbWutZfZvbSHXr9n7PIphG1Ojg==
+ -----END CERTIFICATE-----
+ """
+
+
+From 323f50412b06c3c32a7a5837c3426762b451d7cb Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 11 Jun 2017 14:18:55 -1000
+Subject: [PATCH 4/4] this too
+
+---
+ tests/test_crypto.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_crypto.py b/tests/test_crypto.py
+index 58caebfa..5efb9041 100644
+--- a/tests/test_crypto.py
++++ b/tests/test_crypto.py
+@@ -1573,7 +1573,7 @@ def test_get_notBefore(self):
+ ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
+ internally.
+ """
+- cert = load_certificate(FILETYPE_PEM, self.pemData)
++ cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
+ assert cert.get_notBefore() == b"20090325123658Z"
+
+ def test_get_notAfter(self):
+@@ -1582,7 +1582,7 @@ def test_get_notAfter(self):
+ ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
+ internally.
+ """
+- cert = load_certificate(FILETYPE_PEM, self.pemData)
++ cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
+ assert cert.get_notAfter() == b"20170611123658Z"
+
+ def test_gmtime_adj_notBefore_wrong_args(self):
+
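Review bot: The replacement fixtures still carry a hard-coded expiry, so the test suite will break again when `root_cert_pem`, `server_cert_pem` and `client_cert_pem` lapse (around June 2037, going by the 20-year validity the commit message states), and nothing next to the PEM blocks records that. A comment above `root_cert_pem` such as `# Test-only root CA, expires ~2037-06; regenerate the dependent certs together (pyca/pyopenssl#637)` would make the next failure easy to diagnose, and generating the chain at test time would remove the fixed expiry altogether. The certificates were reissued "using the same values", which appears to mean SHA-1 signatures over the existing 1024-bit RSA test keys. Build hosts with a stricter OpenSSL security level or crypto policy may reject those, so it is worth confirming the suite passes under the distribution's default policy. `old_root_cert_pem` is now kept only so that `test_digest`, `test_get_notBefore` and `test_get_notAfter` can pin known values, and deserves a one-line comment saying it is expired on purpose.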