# README FOR unittests.* files

These files are used in unit tests that create TLS connections between a
localhost server and client. We use a single self-signed certificate which
serves as both the server's certificate and the client's root CA.

* unittests.key: private key
* unittests.crt: self-signed certificate
* unittests.conf: configuration for generating unittests.crt
* unittests.p12: pkcs#12 file bundling the certificate and private key. Password is "1234"

Apple won't trust any certificate whose lifetime is over 825 days.
Once it expires unit tests will start failing and it will need to be updated like so:

```sh
$ openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824
$ openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
```

Note:
1. The PKCS#12 command uses SHA1 and 3DES encryption for macOS compatibility. Modern OpenSSL 3.x defaults to algorithms that macOS Security Framework cannot import. Thus, force it fallback to use the algo that the current macOS Security Framework supports.
2. .github/workflows/cert-renewal.yml serves to automatically renew the certifications and runs every month to check if the cert is closer to expire.
If new cert added/changed/removed, the automation scripts also need to be updated accordingly.
