[PATCH 5 of 5] tests: update test certificate generation instructions
Gregory Szorc
gregory.szorc at gmail.com
Sun Jul 17 14:28:28 EDT 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1468780081 25200
# Sun Jul 17 11:28:01 2016 -0700
# Node ID b5500a927816d1c4efdc192f01bad293ba250c7e
# Parent 306645544688957bf8729e1b03301e5240b0b8ed
tests: update test certificate generation instructions
Suggestions from Anton Shestakov and Julien Cristau to use
-subj and faketime, respectively.
diff --git a/tests/sslcerts/README b/tests/sslcerts/README
--- a/tests/sslcerts/README
+++ b/tests/sslcerts/README
@@ -1,35 +1,30 @@
Generate a private key (priv.pem):
$ openssl genrsa -out priv.pem 2048
Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
- $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
- openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem
-
- $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
- openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem
+ $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
+ -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
+ $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
+ -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
Now generate an expired certificate by turning back the system time:
- $ date --set='2016-01-01T00:00:00Z'
- $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
- openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem
+ $ faketime 2016-01-01T00:00:00Z \
+ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
+ -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
Generate a certificate not yet active by advancing the system time:
- $ date --set='2030-01-01T00:00:00Z'
- $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
- openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem
-
-Note: When adjusting system time, verify the time change sticks. If running
-systemd, you may want to use `timedatectl set-ntp false` and e.g.
-`timedatectl set-time '2016-01-01 00:00:00'` to set system time.
+ $ faketime 2030-01-1T00:00:00Z \
+ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
+ -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
Generate a passphrase protected client certificate private key:
$ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
Create a copy of the private key without a passphrase:
$ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
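Review bot: the faketime argument in the pub-not-yet.pem command is written `2030-01-1T00:00:00Z`, with a single-digit day, while the pub-expired.pem command uses the fully padded `2016-01-01T00:00:00Z`. Please change it to `2030-01-01T00:00:00Z` so both timestamps have the same form and the result does not depend on how faketime handles a short day field. The two context headings still read "turning back the system time" and "advancing the system time", but with faketime the system clock is no longer touched, so they should be reworded to match. The old note about verifying that the time change sticks is removed without a replacement check; a line telling the reader to confirm the validity window of each generated file, for example with `openssl x509 -in pub-expired.pem -noout -dates`, would catch a silently ignored faketime before the certificates are committed to the test suite.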