# HG changeset patch
# Parent  b51c46800184668c6c39242e200a0473a7a4f8c8
Issue #25940: Set "basic constraints" CA flag in self-signed certificate

This should allow test_ssl to switch from testing https://svn.python.org to
https://self-signed.pythontest.net. The serial number of the certificate was
also incremented, to stop Firefox from complaining and to keep it unique.
Commands used to modify the certificate:

openssl x509 < tls/self-signed-cert.pem \
    -x509toreq -signkey tls/self-signed-key.pem > req.pem
cat <<'CONFIG' > config
[x509_extensions]
subjectAltName = DNS:self-signed.pythontest.net
basicConstraints = CA:true

[ ca ]
default_ca = CA_default

[ CA_default ]
database = index.txt
default_md = sha1
default_days = 3
certificate = tls/self-signed-cert.pem
private_key = tls/self-signed-key.pem
serial = serial

policy = policy_anything

default_startdate = 141102180929Z
default_enddate = 241030180929Z

[ policy_anything ]
countryName = optional
localityName = optional
organizationName = optional
commonName = optional
CONFIG
: > index.txt
echo A194F79c0A47CA53 > serial
openssl ca -config config -outdir . -notext \
    -batch -extensions x509_extensions -infiles req.pem
mv A194F79C0A47CA53.pem tls/self-signed-cert.pem

diff -r b51c46800184 tls/self-signed-cert.pem
--- a/tls/self-signed-cert.pem	Fri Nov 07 09:56:11 2014 -0500
+++ b/tls/self-signed-cert.pem	Tue Jan 12 08:23:11 2016 +0000
@@ -1,5 +1,5 @@
 -----BEGIN CERTIFICATE-----
-MIIChzCCAfCgAwIBAgIJAKGU95wKR8pSMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
 BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
 IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
 bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
@@ -8,9 +8,9 @@
 aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
 Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
 Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
-EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjKTAnMCUGA1UdEQQeMByCGnNl
-bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MA0GCSqGSIb3DQEBBQUAA4GBAIOXmdtM
-eG9qzP9TiXW/Gc/zI4cBfdCpC+Y4gOfC9bQUC7hefix4iO3+iZjgy3X/FaRxUUoV
-HKiXcXIaWqTSUWp45cSh0MbwZXudp6JIAptzdAhvvCrPKeC9i9GvxsPD4LtDAL97
-vSaxQBezA7hdxZd90/EeyMgVZgAnTCnvAWX9
+EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
+bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
+TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
+C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
 -----END CERTIFICATE-----