[PATCH 5 of 5] tests: update test certificate generation instructions

Gregory Szorc gregory.szorc at gmail.com
Sun Jul 17 14:28:28 EDT 2016 

# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1468780081 25200
#      Sun Jul 17 11:28:01 2016 -0700
# Node ID b5500a927816d1c4efdc192f01bad293ba250c7e
# Parent  306645544688957bf8729e1b03301e5240b0b8ed
tests: update test certificate generation instructions

Suggestions from Anton Shestakov and Julien Cristau to use
-subj and faketime, respectively.

diff --git a/tests/sslcerts/README b/tests/sslcerts/README
--- a/tests/sslcerts/README
+++ b/tests/sslcerts/README
@@ -1,35 +1,30 @@
 Generate a private key (priv.pem):
 
   $ openssl genrsa -out priv.pem 2048
 
 Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
 
-  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
-    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem
-
-  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
-    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem
+  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
+    -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
+  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
+    -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
 
 Now generate an expired certificate by turning back the system time:
 
-  $ date --set='2016-01-01T00:00:00Z'
-  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
-    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem
+  $ faketime 2016-01-01T00:00:00Z \
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
+    -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
 
 Generate a certificate not yet active by advancing the system time:
 
-  $ date --set='2030-01-01T00:00:00Z'
-  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
-    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem
-
-Note: When adjusting system time, verify the time change sticks. If running
-systemd, you may want to use `timedatectl set-ntp false` and e.g.
-`timedatectl set-time '2016-01-01 00:00:00'` to set system time.
+  $ faketime 2030-01-1T00:00:00Z \
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
+    -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg at localhost/'
 
 Generate a passphrase protected client certificate private key:
 
   $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
 
 Create a copy of the private key without a passphrase:
 
   $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

More information about the Mercurial-devel mailing list