Sometimes we need to write tests for scenarios that require custom client, server or certificate authority (CA) certificates. For that purpose, you can generate such certificates using build/pgo/genpgocert.py.
The certificate specifications (and key specifications) are located in build/pgo/certs/.
To add a new server certificate, add a ${cert_name}.certspec file to that folder.
If it needs a non-default private key, add a corresponding ${cert_name}.server.keyspec.
For a new client certificate, add a ${cert_name}.client.keyspec and corresponding ${cert_name}.certspec.
To add a new CA, add a ${cert_name}.ca.keyspec as well as a corresponding ${cert_name}.certspec to that folder.
Hint
- The full syntax for .certspec files is documented at https://searchfox.org/mozilla-central/source/security/manager/ssl/tests/unit/pycert.py
- The full syntax for .keyspec files is documented at https://searchfox.org/mozilla-central/source/security/manager/ssl/tests/unit/pykey.py
Then regenerate the certificates by running::
./mach python build/pgo/genpgocert.py
These commands will modify cert9.db and key4.db, and if you have added a .keyspec file will generate a {$cert_name}.client or {$cert_name}.ca file.
These files need to be committed.
If you've created a new server certificate, you probably want to modify build/pgo/server-locations.txt to add a location with your specified certificate::
https://my-test.example.com:443 cert=${cert_name}
You will need to run ./mach build again afterwards.
Important
Make sure to exactly follow the naming conventions and use the same cert_name in all places