Mercurial > hg
diff tests/sslcerts/README @ 29526:9d02bed8477b
tests: regenerate x509 test certificates
The old x509 test certificates were using cryptographic settings
that are ancient by today's standards, namely 512 bit RSA keys.
To put things in perspective, browsers have been dropping support
for 1024 bit RSA keys.
I think it is important that tests match the realities of the times.
And 2048 bit RSA keys with SHA-2 hashing are what the world is
moving to.
This patch replaces all the x509 certificates with new versions using
modern best practices. In addition, the docs for generating the
keys have been updated, as the existing docs left out a few steps,
namely how to generate certs that were not active yet or expired.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Tue, 12 Jul 2016 22:26:04 -0700 |
| parents | 1e02d9576194 |
| children | 43f3c0df2fab |
line wrap: on
line diff
--- a/tests/sslcerts/README Tue Jul 12 15:09:07 2016 +0200 +++ b/tests/sslcerts/README Tue Jul 12 22:26:04 2016 -0700 @@ -1,26 +1,50 @@ -Certificates created with: - printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ - openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem -Can be dumped with: - openssl x509 -in pub.pem -text +Generate a private key (priv.pem): + + $ openssl genrsa -out priv.pem 2048 + +Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): + + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem + + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem - - priv.pem - - pub.pem - - pub-other.pem +Now generate an expired certificate by turning back the system time: + + $ date --set='2016-01-01T00:00:00Z' + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem -pub.pem patched with other notBefore / notAfter: +Generate a certificate not yet active by advancing the system time: + + $ date --set='2030-01-01T00:00:00Z' + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem - - pub-not-yet.pem - - pub-expired.pem +Note: When adjusting system time, verify the time change sticks. If running +systemd, you may want to use `timedatectl set-ntp false` and e.g. +`timedatectl set-time '2016-01-01 00:00:00'` to set system time. + +Generate a passphrase protected client certificate private key: + + $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 + +Create a copy of the private key without a passphrase: + + $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem -Client certificates created with: - openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512 - openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem - printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ - openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem - openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ - -set_serial 01 -out client-cert.pem +Create a CSR and sign the key using the server keypair: + + $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ + openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem + $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ + -set_serial 01 -out client-cert.pem - - client-key.pem - - client-key-decrypted.pem - - client-cert.pem +When replacing the certificates, references to certificate fingerprints will +need to be updated in test files. + +Fingerprints for certs can be obtained by running: + + $ openssl x509 -in pub.pem -noout -sha1 -fingerprint + $ openssl x509 -in pub.pem -noout -sha256 -fingerprint