itsscb/sqlx
1
0
Fork 0
mirror of https://github.com/launchbadge/sqlx.git synced 2025-12-30 05:11:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
sqlx/tests/certs/README.md
Austin Bonander a0e40540e3 fix: regenerate test certificates 
New versions of RusTLS validate and reject v1 client certificates.
2025-07-01 00:43:52 -07:00

88 lines
2.9 KiB
Markdown
Raw Permalink Blame History

# SQLx Test TLS Certificates
This directory contains the following files for testing TLS connections.
* `ca.crt`: Self-signed Certificate Authority for `client.crt`
* `client.crt`: Client certificate signed by `ca.crt`
* `server.crt`: Server certificate signed by `ca.crt`
These certificates are **not** to be used outside of testing with SQLx.
The private keys are publicly available in the `keys` directory.
These certificates should be valid until the year 2035.
RusTLS requires TLS certificates to be x509v3.
OpenSSL 3.2 and up create v3 certificates by default.
## (Re)generating
When generating certificates, OpenSSL prompts for a number of fields:
```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
```
These are purely informational and can _generally_ be left blank or filled with arbitrary values
(except for `Common Name` with client certificates; see below for details).
### CA Certificate
Create a self-signed root certificate:
```shell
openssl req -x509 -sha256 -days 3650 -key keys/ca.key -out ca.crt
```
This is passed as a trust root when testing certificate authentication.
### Client Certificate
**Note**: Postgres expects the Common Name (`CN`) field of the certificate to match the database username:
<https://www.postgresql.org/docs/current/auth-cert.html>
At the prompt `Common Name (e.g. server FQDN or YOUR name) []:`, enter `postgres`.
Create a certificate signing request (CSR) to "submit" to our fake certificate authority:
```
openssl req -key keys/client.key -new -out client.csr
```
Create a signed certificate using our CA key and the CSR:
```
openssl x509 -req -CA ca.crt -CAkey keys/ca.key -in client.csr -out client.crt -days 3650 -CAcreateserial
```
### Server Certificate
Create a certificate signing request (CSR) to "submit" to our fake certificate authority:
```
openssl req -key keys/server.key -new -out server.csr -addext subjectAltName=DNS:sqlx.rs
```
This adds a required x509 v3 extension:
* `subjectAltName=DNS:sqlx.rs` supplies the Subject Alternative Name that RusTLS uses to verify the hostname.
* Only checked if using SSL mode `ssl_mode=verify_identity` (MySQL/MariaDB) or `sslmode=verify-full` (Postgres).
Create a signed certificate using our CA key and the CSR:
```
openssl x509 -req -CA ca.crt -CAkey keys/ca.key -in server.csr -out server.crt -days 3650 -CAcreateserial
```
Reference in New Issue View Git Blame Copy Permalink