mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-19 00:05:36 +00:00
dda53de0ba
Differential Revision: https://phabricator.services.mozilla.com/D11611 --HG-- extra : rebase_source : eebb084d0fed7a66b0dc5bbe7bc5e06b040a0275 extra : amend_source : f8070e363841ad3d9b2418920e0f695c906de105 |
||
---|---|---|
.. | ||
alternateroot.ca | ||
alternateroot.ca.keyspec | ||
alternateroot.certspec | ||
bug413909cert.certspec | ||
cert9.db | ||
dynamicPinningBad.certspec | ||
dynamicPinningBad.server.keyspec | ||
dynamicPinningGood.certspec | ||
escapeattack1.certspec | ||
evintermediate.ca | ||
evintermediate.ca.keyspec | ||
evintermediate.certspec | ||
expired.certspec | ||
imminently_distrusted.certspec | ||
key4.db | ||
mochitest.certspec | ||
mochitest.client | ||
mochitest.client.keyspec | ||
pgoca.ca | ||
pgoca.ca.keyspec | ||
pgoca.certspec | ||
README | ||
selfsigned.certspec | ||
sha1_end_entity.certspec | ||
sha256_end_entity.certspec | ||
staticPinningBad.certspec | ||
staticPinningBad.server.keyspec | ||
unknown_ca.certspec | ||
untrusted.certspec | ||
untrustedandexpired.certspec |
The certificate authority and server certificates here are generated by $topsrcdir/build/pgo/genpgocert.py. You can regenerate the certificates by running: ./mach python build/pgo/genpgocert.py To add a new CA, add a ${cert_name}.ca.keyspec as well as a corresponding ${cert_name}.certspec to this folder. To add new server certificates, add a ${cert_name}.certspec file to this folder. If it needs a non-default private key, add a corresponding ${cert_name}.server.keyspec. For new client certificates, add a ${cert_name}.client.keyspec and corresponding ${cert_name}.certspec. The naming convention here is because the generated ".client" and ".ca" PEM files need to be copied into this folder for Mochitests' runtests.py to import. These commands will modify cert9.db and key4.db. The changes to these should be committed. Specific notes for certs: dynamicPinningGood: Changing this keyspec will require changing browser/base/content/test/general/pinning_headers.sjs . You can obtain a new valid pin via: certutil -L -d . -n dynamicPinningGood -r | openssl x509 -inform der -pubkey \ -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary \ | openssl enc -base64