Priority: P2: Important
Affects Version/s: 5.12, 5.15, 6.1, 6.2
Fix Version/s: None
Component/s: Network: SSL
Currently, when changing certificates in the test server, we need to go through a few steps:
1. Generate the new server certificate with whatever changes are needed (or just regenerate if expired)
2. Prepare all current branches for the change (e.g. must be able to accept one of two certificates in the ServerHello).
   - It needs to be in all branches before the next step to avoid breaking CI for everyone else
3. Deploy the certificate to the server
   - Done through one of the qtqa repositories
4. Switch over the test to only use the new certificate
However, if we use a long-lived certificate authority which we can add to trusted CAs in the test, and don't keep a copy of the server's certificate in the source, we can skip steps 2 and 4. The process would be more like this:
- Generate the new server certificate with whatever changes are needed
- Sign the certificate using our certificate authority
- Deploy to server
All branches still trust the CA so the new certificate will automatically be accepted. If we need to test specific things about a certificate (such as comparing fields and/or testing parsing) then this test should be done in-process.
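
The CA-based flow above, sketched with the openssl CLI as an added example (not part of the original report or of Qt's test infrastructure). The CA subject, the host name test-server.example, the validity periods and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names, lifetimes and paths below are constructed.
set -e
WORK=$(mktemp -d)

make_ca() {   # one-time: long-lived CA; only ca.crt is added to the tests' trusted CAs
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_server_cert() {   # $1 = output basename; repeated on every rotation
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = test-server.example
[v3_srv]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:test-server.example
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -extfile "$WORK/$1.cnf" -extensions v3_srv \
        -out "$WORK/$1.crt" 2>/dev/null
}

trusted_by_ca() {   # exit status 0 if $1.crt chains to the CA certificate
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_server_cert old    # certificate currently deployed
issue_server_cert new    # replacement after a change or expiry
trusted_by_ca old && trusted_by_ca new && echo "both server certs verify against the same CA"
```

Only `ca.crt` needs to live in the source tree; the CA private key stays wherever certificates are issued, and a leaked CA key would let anyone mint certificates the tests accept.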