awslabs · TingDaoK · Dec 29, 2025 · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025
diff --git a/.github/workflows/cert-renewal.yml b/.github/workflows/cert-renewal.yml
@@ -0,0 +1,145 @@
+name: Certificate Renewal
+
+on:
+  schedule:
+    # Run on the 1st of every month at 00:00 UTC
+    # GitHub Actions doesn't support "every 800 days" directly,
+    # so we check monthly if renewal is needed
+    - cron: '0 0 1 * *'
+  workflow_dispatch: # Allow manual triggering
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  check-and-renew-certificates:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check certificate expiration
+        id: check-cert
+        run: |
+          # Get the expiration date of the current certificate
+          CERT_FILE="tests/resources/unittests.crt"
+
+          if [ ! -f "$CERT_FILE" ]; then
+            echo "Certificate file not found!"
+            echo "needs_renewal=true" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # Get certificate expiration date in seconds since epoch
+          EXPIRY_DATE=$(openssl x509 -enddate -noout -in "$CERT_FILE" | cut -d= -f2)
+          EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s 2>/dev/null || date -j -f "%b %d %H:%M:%S %Y %Z" "$EXPIRY_DATE" +%s)
+
+          # Get current date in seconds since epoch
+          CURRENT_EPOCH=$(date +%s)
+
+          # Calculate days until expiration
+          DAYS_UNTIL_EXPIRY=$(( ($EXPIRY_EPOCH - $CURRENT_EPOCH) / 86400 ))
+
+          echo "Certificate expires in $DAYS_UNTIL_EXPIRY days"
+
+          # Renew if less than 30 days until expiration
+          # This gives us buffer time before the 825-day Apple limit
+          if [ $DAYS_UNTIL_EXPIRY -lt 30 ]; then
+            echo "Certificate needs renewal (less than 30 days until expiration)"
+            echo "needs_renewal=true" >> $GITHUB_OUTPUT
+          else
+            echo "Certificate is still valid"
+            echo "needs_renewal=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Install OpenSSL
+        if: steps.check-cert.outputs.needs_renewal == 'true'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y openssl
+
+      - name: Regenerate certificates
+        if: steps.check-cert.outputs.needs_renewal == 'true'
+        working-directory: tests/resources
+        run: |
+          # Regenerate the certificate (824 days to stay under Apple's 825-day limit)
+          openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824
+
+          # Regenerate the PKCS#12 bundle with macOS-compatible encryption
+          # Using SHA1 and 3DES instead of modern algorithms that macOS Security Framework doesn't support
+          openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
+
+          # Verify the new certificate
+          echo "New certificate details:"
+          openssl x509 -in unittests.crt -noout -dates -subject
+
+      - name: Check for changes
+        if: steps.check-cert.outputs.needs_renewal == 'true'
+        id: check-changes
+        run: |
+          if git diff --quiet tests/resources/unittests.crt tests/resources/unittests.p12; then
+            echo "No changes detected"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected"
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        if: steps.check-cert.outputs.needs_renewal == 'true' && steps.check-changes.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Configure git
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Create branch
+          BRANCH_NAME="cert-renewal-${{ github.run_number }}"
+          git checkout -b "$BRANCH_NAME"
+
+          # Stage and commit changes
+          git add tests/resources/unittests.crt tests/resources/unittests.p12
+          git commit -m "chore: renew test certificates for 824 days
+
+          Automatically regenerated test certificates to comply with Apple's
+          825-day certificate lifetime requirement.
+
+          Generated using:
+          - openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824
+          - openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
+
+          🤖 Assisted by GenAI"
+
+          # Push branch
+          git push origin "$BRANCH_NAME"
+
+          # Create pull request using GitHub CLI
+          gh pr create \
+            --title "chore: renew test certificates" \
+            --body "## Certificate Renewal
+
+          This PR automatically renews the test certificates in \`tests/resources/\`.
+
+          ### Changes
+          - Updated \`tests/resources/unittests.crt\` (renewed for 824 days)
+          - Updated \`tests/resources/unittests.p12\` (PKCS#12 bundle)
+
+          ### Background
+          Apple requires that certificate lifetimes be 825 days or less. These certificates are used in unit tests that create TLS connections between localhost server and client.
+
+          ### Verification
+          The certificates were regenerated using the commands documented in \`tests/resources/unittests.readme\`:
+          \`\`\`bash
+          openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824
+          openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
+          \`\`\`
+
+          ### Testing
+          Please verify that the unit tests pass with the new certificates before merging.
+
+          ---
+          🤖 This PR was automatically generated by the certificate renewal workflow." \
+            --base main \
+            --head "$BRANCH_NAME"
diff --git a/tests/resources/README b/tests/resources/README
@@ -0,0 +1,23 @@
+# README FOR unittests.* files
+
+These files are used in unit tests that create TLS connections between a
+localhost server and client. We use a single self-signed certificate which
+serves as both the server's certificate and the client's root CA.
+
+* unittests.key: private key
+* unittests.crt: self-signed certificate
+* unittests.conf: configuration for generating unittests.crt
+* unittests.p12: pkcs#12 file bundling the certificate and private key. Password is "1234"
+
+Apple won't trust any certificate whose lifetime is over 825 days.
+Once it expires unit tests will start failing and it will need to be updated like so:
+
+```sh
+$ openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824
+$ openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
+```
+
+Note:
+1. The PKCS#12 command uses SHA1 and 3DES encryption for macOS compatibility. Modern OpenSSL 3.x defaults to algorithms that macOS Security Framework cannot import. Thus, force it fallback to use the algo that the current macOS Security Framework supports.
+2. .github/workflows/cert-renewal.yml serves to automatically renew the certifications and runs every month to check if the cert is closer to expire.
+If new cert added/changed/removed, the automation scripts also need to be updated accordingly.
diff --git a/tests/resources/unittests.readme b/tests/resources/unittests.readme