Mercurial > hg
annotate tests/sslcerts/README @ 29526:9d02bed8477b
tests: regenerate x509 test certificates
The old x509 test certificates were using cryptographic settings
that are ancient by today's standards, namely 512 bit RSA keys.
To put things in perspective, browsers have been dropping support
for 1024 bit RSA keys.
I think it is important that tests match the realities of the times.
And 2048 bit RSA keys with SHA-2 hashing are what the world is
moving to.
This patch replaces all the x509 certificates with new versions using
modern best practices. In addition, the docs for generating the
keys have been updated, as the existing docs left out a few steps,
namely how to generate certs that were not active yet or expired.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Tue, 12 Jul 2016 22:26:04 -0700 |
parents | 1e02d9576194 |
children | 43f3c0df2fab |
rev | line source |
---|---|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
1 Generate a private key (priv.pem): |
2 |
3 $ openssl genrsa -out priv.pem 2048 |
4 |
5 Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): |
6 |
7 $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
8 openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem |
9 |
10 $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
11 openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
12 |
13 Now generate an expired certificate by turning back the system time: |
14 |
15 $ date --set='2016-01-01T00:00:00Z' |
16 $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
17 openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem |
18 |
19 Generate a certificate not yet active by advancing the system time: |
20 |
21 $ date --set='2030-01-01T00:00:00Z' |
22 $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
23 openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem |
24 |
25 Note: When adjusting system time, verify the time change sticks. If running |
26 systemd, you may want to use `timedatectl set-ntp false` and e.g. |
27 `timedatectl set-time '2016-01-01 00:00:00'` to set system time. |
28 |
29 Generate a passphrase protected client certificate private key: |
30 |
31 $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 |
32 |
33 Create a copy of the private key without a passphrase: |
34 |
35 $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem |
36 |
37 Create a CSR and sign the key using the server keypair: |
38 |
39 $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ |
40 openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem |
41 $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ |
42 -set_serial 01 -out client-cert.pem |
43 |
44 When replacing the certificates, references to certificate fingerprints will |
45 need to be updated in test files. |
46 |
47 Fingerprints for certs can be obtained by running: |
48 |
49 $ openssl x509 -in pub.pem -noout -sha1 -fingerprint |
50 $ openssl x509 -in pub.pem -noout -sha256 -fingerprint |
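
The expired and not-yet-active certificates described above can also be issued without changing the system clock or disabling NTP, by signing through `openssl ca` with explicit `-startdate`/`-enddate` values. The script below is an added example, not part of the Mercurial README; `make_dated_cert` and `cert_state` are hypothetical helper names, and giving the certificates only a basicConstraints extension is an assumption, not a match for the checked-in fixtures.

```shell
#!/bin/sh
# Added example, not from the Mercurial repository. make_dated_cert and
# cert_state are hypothetical helpers; file names follow the README.

# usage: make_dated_cert KEY OUT NOT_BEFORE NOT_AFTER  (dates: YYYYMMDDHHMMSSZ)
make_dated_cert() (
    key=$1 out=$2 not_before=$3 not_after=$4
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    : > "$work/index.txt"       # empty CA database
    echo 01 > "$work/serial"    # next serial number, hex
    cat > "$work/ca.cnf" <<EOF
[ca]
default_ca = test_ca
[test_ca]
database = $work/index.txt
serial = $work/serial
new_certs_dir = $work
policy = policy_test
x509_extensions = v3_test
[policy_test]
commonName = supplied
emailAddress = optional
[v3_test]
basicConstraints = CA:TRUE
EOF
    # Same subject the README enters at the prompts: localhost, hg@localhost.
    openssl req -new -key "$key" -sha256 \
        -subj '/CN=localhost/emailAddress=hg@localhost' \
        -out "$work/csr.pem" || exit 1
    # -selfsign signs with the key that signed the request; -startdate and
    # -enddate write notBefore/notAfter directly, so no clock change is needed.
    openssl ca -batch -selfsign -config "$work/ca.cnf" -keyfile "$key" \
        -md sha256 -notext -startdate "$not_before" -enddate "$not_after" \
        -in "$work/csr.pem" -out "$out"
)

# Print expired, not-yet-valid or valid for a self-signed certificate.
cert_state() {
    case $(openssl verify -CAfile "$1" "$1" 2>&1) in
        *"has expired"*) echo expired ;;
        *"not yet valid"*) echo not-yet-valid ;;
        *": OK"*) echo valid ;;
        *) echo unknown; return 1 ;;
    esac
}

# make_dated_cert priv.pem pub-expired.pem 20160101000000Z 20160102000000Z
# make_dated_cert priv.pem pub-not-yet.pem 20300101000000Z 20300102000000Z
```

Certificates regenerated this way have new fingerprints like any other regenerated certificate, so the fingerprint references in the test files still need updating.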