This document describes how to use the built-in Certificate Authority (CA) functionality in the QUIC Test Suite.
The QUIC Test Suite includes a built-in Certificate Authority that automatically generates and manages TLS certificates for testing. This eliminates certificate warnings and provides a more realistic testing environment.
- Automatic CA certificate generation
- Server certificate generation with multiple SANs (Subject Alternative Names)
- Support for localhost, IP addresses, and custom domains
- System trust store integration
- Command-line certificate generation tool
When you run a test without specifying certificates, the system automatically:
- Creates a CA certificate (if it doesn't exist)
- Generates a server certificate for localhost, 127.0.0.1, and ::1
- Uses these certificates for secure QUIC connections
./quic-test -mode=test -addr=localhost:9000 -duration=10sOutput:
Created new CA certificate: certs/ca.crt
Generated server certificate for hosts [localhost 127.0.0.1 ::1]: certs/server.crt
Use the cert-gen tool to create certificates for specific hosts:
# Initialize CA (optional - done automatically)
./cert-gen -init-ca
# Generate certificate for specific hosts
./cert-gen -hosts="example.com,*.example.com,api.example.com" \
-cert="certs/example.crt" \
-key="certs/example.key"The system creates the following files in the certs/ directory:
ca.crt- CA certificate (public)ca.key- CA private keyserver.crt- Default server certificateserver.key- Default server private key
To eliminate certificate warnings in browsers and system tools:
sudo cp certs/ca.crt /usr/local/share/ca-certificates/quic-test-ca.crt
sudo update-ca-certificatessudo cp certs/ca.crt /etc/pki/ca-trust/source/anchors/quic-test-ca.crt
sudo update-ca-trustsudo trust anchor certs/ca.crtUse the provided script:
./scripts/install-ca.sh- Go to Settings → Privacy & Security → Certificates
- Click "View Certificates"
- Go to "Authorities" tab
- Click "Import..." and select
certs/ca.crt - Check "Trust this CA to identify websites"
- Go to Settings → Privacy and security → Security
- Click "Manage certificates"
- Go to "Authorities" tab
- Click "Import" and select
certs/ca.crt
Verify that certificates are properly signed:
# Verify server certificate against CA
openssl verify -CAfile certs/ca.crt certs/server.crt
# View certificate details
openssl x509 -in certs/server.crt -text -noout
# Check certificate chain
openssl s_client -connect localhost:9000 -CAfile certs/ca.crtSpecify custom certificate paths:
./quic-test -mode=server -cert=custom/server.crt -key=custom/server.keyGenerate certificates for multiple domains:
./cert-gen -hosts="localhost,example.com,*.example.com,192.168.1.100" \
-cert="certs/multi-domain.crt" \
-key="certs/multi-domain.key"Regenerate certificates periodically:
# Remove old certificates
rm certs/server.crt certs/server.key
# Run test to generate new certificates
./quic-test -mode=test -addr=localhost:9000 -duration=1s- CA private key (
ca.key) should be protected - Certificates are valid for 1 year by default
- Use different CAs for different environments (dev/staging/prod)
- Remove test CA from production systems
- Ensure CA is installed in system trust store
- Check browser certificate settings
- Verify certificate chain with
openssl verify
- Ensure write permissions to
certs/directory - Use
sudofor system trust store installation
- Remove old certificates and regenerate
- Check system clock synchronization
The CA system integrates seamlessly with all test modes:
# Server mode with automatic certificates
./quic-test -mode=server -addr=localhost:9000
# Client mode connecting to CA-signed server
./quic-test -mode=client -addr=localhost:9000
# Integrated test with automatic certificate setup
./quic-test -mode=test -addr=localhost:9000 -connections=5 -duration=30sThis provides a complete testing environment with proper TLS security without manual certificate management.