Mercurial > hg

view tests/sslcerts/README @ 43506:9f70512ae2cf

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
cleanup: remove pointless r-prefixes on single-quoted strings This is the promised second step on single-quoted strings. These had existed because our source transformer didn't turn r'' into b'', so we had tagged some strings as r-strings to get "native" strings on both Pythons. Now that the transformer is gone, we can dispense with this nonsense. Methodology: I ran hg locate 'set:added() or modified() or clean()' | egrep '.*\.py$' | xargs egrep --color=never -n -- \[\^b\]\[\^a-z\]r\'\[\^\'\\\\\]\*\'\[\^\'\ in an emacs grep-mode buffer, and then used a keyboard macro to iterate over the results and remove the r prefix as needed. # skip-blame removing unneeded r prefixes left over from Python 3 migration. Differential Revision: https://phab.mercurial-scm.org/D7306
author Augie Fackler <augie@google.com>
date Fri, 08 Nov 2019 11:19:20 -0800
parents 43f3c0df2fab
children
line wrap: on
line source

Generate a private key (priv.pem):

  $ openssl genrsa -out priv.pem 2048

Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Now generate an expired certificate by turning back the system time:

  $ faketime 2016-01-01T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a certificate not yet active by advancing the system time:

  $ faketime 2030-01-1T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a passphrase protected client certificate private key:

  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

Create a copy of the private key without a passphrase:

  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

Create a CSR and sign the key using the server keypair:

  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
    -set_serial 01 -out client-cert.pem

When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.

Fingerprints for certs can be obtained by running:

  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint