From patchwork Sun Jul 17 18:28:28 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [5,of,5] tests: update test certificate generation instructions From: Gregory Szorc X-Patchwork-Id: 15919 Message-Id: To: mercurial-devel@mercurial-scm.org Date: Sun, 17 Jul 2016 11:28:28 -0700 # HG changeset patch # User Gregory Szorc # Date 1468780081 25200 # Sun Jul 17 11:28:01 2016 -0700 # Node ID b5500a927816d1c4efdc192f01bad293ba250c7e # Parent 306645544688957bf8729e1b03301e5240b0b8ed tests: update test certificate generation instructions Suggestions from Anton Shestakov and Julien Cristau to use -subj and faketime, respectively. diff --git a/tests/sslcerts/README b/tests/sslcerts/README --- a/tests/sslcerts/README +++ b/tests/sslcerts/README 
@@ -1,35 +1,30 @@ Generate a private key (priv.pem): $ openssl genrsa -out priv.pem 2048 Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): - $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ - openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem - - $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ - openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem + $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ + -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' + $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ + -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' Now generate an expired certificate by turning back the system time: - $ date --set='2016-01-01T00:00:00Z' - $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ - openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem + $ faketime 2016-01-01T00:00:00Z \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ + -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' Generate a certificate not yet active by advancing the system time: - $ date --set='2030-01-01T00:00:00Z' - $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ - openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem - -Note: When adjusting system time, verify the time change sticks. If running -systemd, you may want to use `timedatectl set-ntp false` and e.g. -`timedatectl set-time '2016-01-01 00:00:00'` to set system time. 
+ $ faketime 2030-01-1T00:00:00Z \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ + -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' Generate a passphrase protected client certificate private key: $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 Create a copy of the private key without a passphrase: $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
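Review bot: The timestamp in the new pub-not-yet.pem command reads `2030-01-1T00:00:00Z`, with a single-digit day, while the pub-expired.pem command uses the fully padded `2016-01-01T00:00:00Z`. Please write it as `2030-01-01T00:00:00Z` so both commands use the same format and the README does not depend on how faketime handles an unpadded day. Two smaller documentation points in the same hunk: the unchanged lead-in sentences still say "by turning back the system time" and "by advancing the system time", which no longer matches what the commands do now that `date --set` is replaced by faketime and the system clock is left alone, so something like "using faketime to run openssl with a clock in the past/future" would be more accurate. The README also now depends on the faketime tool without saying so, and a one-line note that it must be installed would help whoever regenerates these certificates next.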