How To Obtain a Test Certificate

Since the beginning of 2009 it has been possible to use self-signed or almost any commercial certificates for AAI, as described on the AAI Certificate Acceptance page. Therefore, certificates issued by the "AAI Test CA" are no longer provided (the CA certificate expired in 2011, in any case).

We recommend generating a self-signed certificate. For Service Providers, you can use the keygen.sh script to generate certificates that meet the requirements for SWITCHaai and AAI Test. Run keygen.sh -y 3 -h #HOSTNAME# -e https://#HOSTNAME#/shibboleth to generate sp-key.pem and sp-cert.pem in your /etc/shibboleth/ directory.
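
One way to sanity-check the generated pair before putting it to use, as an added example that is not part of keygen.sh or of this documentation. It assumes OpenSSL is installed and that the certificate carries the host name given with -h as its subject CN; check_sp_cert and make_sample_pair are hypothetical helper names, and the pair used in the demo is constructed on the fly.

```shell
#!/bin/sh
# check_sp_cert CERT KEY HOSTNAME [MIN_DAYS] -> 0 if usable, 1 otherwise.
check_sp_cert() {
    cert=$1; key=$2; host=$3; min_days=${4:-30}; rc=0

    # 1. The certificate must parse and the private key must belong to it.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; rc=1; }

    # 2. Assumption: subject CN is the host name passed to keygen.sh -h.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
           sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$host,"*) ;;
        *) echo "subject '$subj' has no CN=$host" >&2; rc=1 ;;
    esac

    # 3. The certificate must still be valid MIN_DAYS from now.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "certificate expires within $min_days days" >&2; rc=1; }

    # 4. The key file must not be readable by group or others.
    perms=$(ls -lL "$key" | cut -c5-10)
    case $perms in
        *r*) echo "key is group/world readable ($perms)" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed throwaway pair standing in for sp-cert.pem / sp-key.pem.
make_sample_pair() {   # make_sample_pair DIR HOSTNAME
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -subj "/CN=$2" \
          -keyout "$1/sp-key.pem" -out "$1/sp-cert.pem" 2>/dev/null )
}

tmp=$(mktemp -d)
make_sample_pair "$tmp" sp.example.org
check_sp_cert "$tmp/sp-cert.pem" "$tmp/sp-key.pem" sp.example.org && echo "pair OK"
rm -rf "$tmp"
```

On a real Service Provider, drop the demo lines at the end and point check_sp_cert at /etc/shibboleth/sp-cert.pem and /etc/shibboleth/sp-key.pem with your own host name.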

For Identity Providers, the certificate/key pair is generated automatically during installation. Make sure that you set the IdPCertLifetime environment variable accordingly when executing install.sh, as documented in our Identity Provider deployment guide.