Mercurial: tests/sslcerts/README@b81486b609a3 (annotated)

29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	1	Generate a private key (priv.pem):
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	2
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	3	$ openssl genrsa -out priv.pem 2048
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	4
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	5	Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	6
29579 43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	7	$ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	8	-out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	9	$ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	10	-out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: diff changeset	11
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	12	Now generate an expired certificate by turning back the system time:
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	13
29579 43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	14	$ faketime 2016-01-01T00:00:00Z \
43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	15	openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	16	-out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: diff changeset	17
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	18	Generate a certificate not yet active by advancing the system time:
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	19
29579 43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	20	$ faketime 2030-01-1T00:00:00Z \
43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	21	openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
43f3c0df2fab tests: update test certificate generation instructions Gregory Szorc <gregory.szorc@gmail.com> parents: 29526 diff changeset	22	-out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	23
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	24	Generate a passphrase protected client certificate private key:
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	25
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	26	$ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	27
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	28	Create a copy of the private key without a passphrase:
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	29
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	30	$ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: diff changeset	31
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	32	Create a CSR and sign the key using the server keypair:
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	33
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	34	$ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' \| \
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	35	openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	36	$ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	37	-set_serial 01 -out client-cert.pem
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: diff changeset	38
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	39	When replacing the certificates, references to certificate fingerprints will
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	40	need to be updated in test files.
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	41
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	42	Fingerprints for certs can be obtained by running:
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	43
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	44	$ openssl x509 -in pub.pem -noout -sha1 -fingerprint
9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	45	$ openssl x509 -in pub.pem -noout -sha256 -fingerprint

author	Pierre-Yves David <pierre-yves.david@octobus.net>
	Tue, 14 Apr 2020 03:16:23 +0200
changeset 44791	b81486b609a3
parent 29579	43f3c0df2fab
permissions	-rw-r--r--