tests/sslcerts/README
changeset 29526 9d02bed8477b
parent 29331 1e02d9576194
child 29579 43f3c0df2fab
--- a/tests/sslcerts/README	Tue Jul 12 15:09:07 2016 +0200
+++ b/tests/sslcerts/README	Tue Jul 12 22:26:04 2016 -0700
@@ -1,26 +1,50 @@
-Certificates created with:
- printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
- openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
-Can be dumped with:
- openssl x509 -in pub.pem -text
+Generate a private key (priv.pem):
+
+  $ openssl genrsa -out priv.pem 2048
+
+Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
+
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem
+
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem
 
- - priv.pem
- - pub.pem
- - pub-other.pem
+Now generate an expired certificate by turning back the system time:
+
+  $ date --set='2016-01-01T00:00:00Z'
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem
 
-pub.pem patched with other notBefore / notAfter:
+Generate a certificate not yet active by advancing the system time:
+
+  $ date --set='2030-01-01T00:00:00Z'
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem
 
- - pub-not-yet.pem
- - pub-expired.pem
+Note: When adjusting system time, verify the time change sticks. If running
+systemd, you may want to use `timedatectl set-ntp false` and e.g.
+`timedatectl set-time '2016-01-01 00:00:00'` to set system time.
+
+Generate a passphrase protected client certificate private key:
+
+  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
+
+Create a copy of the private key without a passphrase:
+
+  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
 
-Client certificates created with:
- openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
- openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
- printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
- openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
- openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
- -set_serial 01 -out client-cert.pem
+Create a CSR and sign the key using the server keypair:
+
+  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
+    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
+  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
+    -set_serial 01 -out client-cert.pem
 
- - client-key.pem
- - client-key-decrypted.pem
- - client-cert.pem
+When replacing the certificates, references to certificate fingerprints will
+need to be updated in test files.
+
+Fingerprints for certs can be obtained by running:
+
+  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
+  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint
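Review bot: In the four `openssl req -new -x509 -key priv.pem -nodes ...` invocations, `-nodes` does nothing: it only controls encryption of a key that `req` itself generates, and here the key is read from the already unencrypted priv.pem, so dropping it avoids suggesting the flag matters. Two further gaps worth closing in the same text: the clock-rewind steps for pub-expired.pem and pub-not-yet.pem never say to restore the clock afterwards (with the `timedatectl set-ntp false` hint given, the matching `timedatectl set-ntp true` belongs next to it), and an alternative such as `faketime` would avoid touching the system clock at all. Finally, the old README's one-liner for inspecting a cert, `openssl x509 -in pub.pem -text`, was dropped in this rewrite; it is the quickest way to confirm the notBefore/notAfter values actually came out as intended after the date tricks, so keeping it under the fingerprint commands would help whoever regenerates these files.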