5050
5151These are deterministic test fixtures, not secrets. They're committed once and reused.
5252
53- - [ ] ** Step 1: Ensure the fixture directory exists**
53+ - [x ] ** Step 1: Ensure the fixture directory exists**
5454
5555Run:
5656
5757``` bash
5858mkdir -p src/test/resources/tls
5959```
6060
61- - [ ] ** Step 2: Generate the RSA self-signed cert + PKCS #8 key**
61+ - [x ] ** Step 2: Generate the RSA self-signed cert + PKCS #8 key**
6262
6363Run from the repo root:
6464
@@ -72,7 +72,7 @@ openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
7272
7373` -nodes ` makes the key unencrypted. ` openssl req ` writes PKCS #8 (` -----BEGIN PRIVATE KEY----- ` ) by default on modern OpenSSL (1.1.1+). ` subjectAltName ` is required for Java's ` HttpClient ` to accept the cert without warning.
7474
75- - [ ] ** Step 3: Verify the RSA key is PKCS #8 unencrypted**
75+ - [x ] ** Step 3: Verify the RSA key is PKCS #8 unencrypted**
7676
7777Run:
7878
@@ -88,7 +88,7 @@ openssl pkcs8 -topk8 -nocrypt -in src/test/resources/tls/rsa-key.pem \
8888 && mv src/test/resources/tls/rsa-key.pem.tmp src/test/resources/tls/rsa-key.pem
8989```
9090
91- - [ ] ** Step 4: Generate the EC (P-256) self-signed cert + PKCS #8 key**
91+ - [x ] ** Step 4: Generate the EC (P-256) self-signed cert + PKCS #8 key**
9292
9393Run:
9494
@@ -100,7 +100,7 @@ openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 3650
100100 -addext " subjectAltName=DNS:localhost,IP:127.0.0.1"
101101```
102102
103- - [ ] ** Step 5: Verify the EC key is PKCS #8 unencrypted**
103+ - [x ] ** Step 5: Verify the EC key is PKCS #8 unencrypted**
104104
105105Run:
106106
@@ -116,7 +116,7 @@ openssl pkcs8 -topk8 -nocrypt -in src/test/resources/tls/ec-key.pem \
116116 && mv src/test/resources/tls/ec-key.pem.tmp src/test/resources/tls/ec-key.pem
117117```
118118
119- - [ ] ** Step 6: Generate a second RSA key (does NOT match ` rsa-cert.pem ` )**
119+ - [x ] ** Step 6: Generate a second RSA key (does NOT match ` rsa-cert.pem ` )**
120120
121121Run:
122122
@@ -127,7 +127,7 @@ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
127127
128128This produces an unencrypted PKCS #8 key by default.
129129
130- - [ ] ** Step 7: Create a deliberately-broken PEM file**
130+ - [x ] ** Step 7: Create a deliberately-broken PEM file**
131131
132132Write ` src/test/resources/tls/garbage.pem ` with this exact content:
133133
@@ -137,7 +137,7 @@ this is not actually base64 encoded certificate data at all
137137-----END CERTIFICATE-----
138138```
139139
140- - [ ] ** Step 8: Sanity-check both happy-path fixtures**
140+ - [x ] ** Step 8: Sanity-check both happy-path fixtures**
141141
142142Run:
143143
@@ -150,7 +150,7 @@ openssl pkey -in src/test/resources/tls/ec-key.pem -noout -text 2>&1 | head -3
150150
151151Expected: subject ` CN = localhost ` , validity ~ 10 years, key text confirms RSA 2048 and EC P-256 respectively.
152152
153- - [ ] ** Step 9: Commit the fixtures**
153+ - [x ] ** Step 9: Commit the fixtures**
154154
155155``` bash
156156git add src/test/resources/tls/
0 commit comments