Mercurial > hg
annotate tests/sslcerts/README @ 44588:2a98b0cd4995
setup: build C extensions with -Werror=declaration-after-statement
MSVC 2008 still needs declarations at the top of the scope. I added it to the
3rd party code too in case somebody vendors a new version with a problem-
they'll get an early warning. Clang seems to ignore this (at least on 10.14
with Xcode 10), and gcc 7.4 will error out as desired on Ubuntu 18.04. Thanks
to Yuya for remembering the name of the option.
Differential Revision: https://phab.mercurial-scm.org/D8318
author | Matt Harbison <matt_harbison@yahoo.com> |
---|---|
date | Fri, 20 Mar 2020 23:30:23 -0400 |
parents | 43f3c0df2fab |
children |
rev | line source |
---|---|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
1 Generate a private key (priv.pem): |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
2 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
3 $ openssl genrsa -out priv.pem 2048 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
4 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
5 Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
6 |
29579
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
7 $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ |
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
8 -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' |
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
9 $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ |
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
10 -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
11 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
12 Now generate an expired certificate by turning back the system time: |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
13 |
29579
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
14 $ faketime 2016-01-01T00:00:00Z \ |
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
15 openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ |
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
16 -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
17 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
18 Generate a certificate not yet active by advancing the system time: |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
19 |
29579
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
20 $ faketime 2030-01-1T00:00:00Z \ |
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
21 openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ |
43f3c0df2fab
tests: update test certificate generation instructions
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29526
diff
changeset
|
22 -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
23 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
24 Generate a passphrase protected client certificate private key: |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
25 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
26 $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
27 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
28 Create a copy of the private key without a passphrase: |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
29 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
30 $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
31 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
32 Create a CSR and sign the key using the server keypair: |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
33 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
34 $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
35 openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
36 $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
37 -set_serial 01 -out client-cert.pem |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
38 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
39 When replacing the certificates, references to certificate fingerprints will |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
40 need to be updated in test files. |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
41 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
42 Fingerprints for certs can be obtained by running: |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
43 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
44 $ openssl x509 -in pub.pem -noout -sha1 -fingerprint |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
45 $ openssl x509 -in pub.pem -noout -sha256 -fingerprint |