1 files changed, 36 insertions, 0 deletions

diff --git a/tests/auth/cert b/tests/auth/cert
new file mode 100755
index 0000000..41b3b9c
--- /dev/null
+++ b/tests/auth/cert
@@ -0,0 +1,36 @@
+#! /bin/sh
+
+# Normally, you don't need to regenerate the private key.
+#
+# openssl genrsa 4096 > key.pem
+
+openssl req -x509 -new -key key.pem -days 1825 -config default-openssl.cnf > \
+	default-cert.pem
+
+cat default-cert.pem | openssl x509 -sha256 -noout -fingerprint | \
+  sed -n 's/^SHA256 Fingerprint=\(.*\)$/\1/p' >default-cert-fp
+
+openssl req -x509 -new -key key.pem -days 1825 -config mismatch-openssl.cnf > \
+        mismatch-cert.pem
+
+openssl req -x509 -new -key key.pem -days 1825 -config noemail-openssl.cnf > \
+        noemail-cert.pem
+
+# Normally, you have no reason to regenerate expired-cert.pem, as need to keep
+# it expired for the testing purposes. But if you do, copy expired-cert.pem
+# content to the certificate value of the following manifest files:
+#   ../rep-auth/expired/repositories
+#
+# To regenerate the packages and signature manifest files run bpkg rep-create
+# command, for example:
+#
+# ../../bpkg/bpkg rep-create ../rep-auth/expired --key key.pem
+#
+# We cannot do it in the testscript since the certificate has expired. This is
+# also the reason why we store these auto-generated manifests in git.
+#
+# Will have to wait 1 day until the certificate expires. Until then testscript
+# will be failing.
+#
+# openssl req -x509 -new -key key.pem -days 1 -config default-openssl.cnf > \
+#         expired-cert.pem