1

In a software library, I wrote, large parts of the code use x509 certificates for various purposes like signing documents digitally.

Is there a best practice for storing test certificates used for the unit tests? Should they be stored in git/the same versioning system where the code is?

Improve this question
3
  • A certificate is not secret like a private key, so no security issues arise. Commented Feb 28, 2019 at 12:54
  • Some certificates are used along with their private keys for signing documents. So, they do have private keys, but in my case for test purposes. Commented Feb 28, 2019 at 12:58
  • 2
    Then it may be useful to run your own CA (not very complicated, just a couple of OpenSSL command line steps). You can then create certificates that are not trusted outside of your tests. This requires that your system can import the CA root certificate temporarily. Do not let the system trust the test CA permanently, as that would be a Lenovo/Superfish style vulnerability. Commented Feb 28, 2019 at 13:07

1 Answer 1

Reset to default
4

Certificates are small. And there is no problem with security if they are only used for testing.

So I see no problem storing them in source control.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.