Update test cert generation scripts to use SHA-256 by default

net/data/ssl/certificates/README

 This directory contains various certificates for use with SSL-related
 unit tests.
 
+===== Real-world certificates that need manual updating
 - google.binary.p7b
 - google.chain.pem
 - google.pem_cert.p7b
 - google.pem_pkcs7.p7b
 - google.pkcs7.p7b
 - google.single.der
 - google.single.pem
 - thawte.single.pem : Certificates for testing parsing of different formats.
 
 - googlenew.chain.pem : The refreshed Google certificate
      (valid until Sept 30 2013).
 
 - mit.davidben.der : An expired MIT client certificate.
 
 - foaf.me.chromium-test-cert.der : A client certificate for a FOAF.ME identity
      created for testing.
 
 - www_us_army_mil_cert.der
 - dod_ca_17_cert.der
 - dod_root_ca_2_cert.der : 
      A certificate chain used for testing certificate imports
 
 - unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.
 
+- google_diginotar.pem
+- diginotar_public_ca_2025.pem : A certificate chain for the regression test
+      of http://crbug.com/94673
+
+- salesforce_com_test.pem
+- verisign_intermediate_ca_2011.pem
+- verisign_intermediate_ca_2016.pem : Certificates for testing two
+     X509Certificate objects that contain the same server certificate but
+     different intermediate CA certificates.  The two intermediate CA
+     certificates actually represent the same intermediate CA but have
+     different validity periods.
+
+- cybertrust_gte_root.pem
+- cybertrust_baltimore_root.pem
+- cybertrust_omniroot_chain.pem
+- cybertrust_baltimore_cross_certified_1.pem
+- cybertrust_baltimore_cross_certified_2.pem
+     These certificates are reflect a portion of the CyberTrust (Verizon
+     Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
+     still widely supported, while _baltimore_root.pem reflects the newer
+     2048-bit root. For clients that only support the GTE root, two versions
+     of the Baltimore root were cross-signed by GTE, namely
+     _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
+     chain that was issued under the Baltimore root. Combined, these
+     certificates can be used to test real-world cross-signing; in practice,
+     they are used to test certain workarounds for OS X's chain building code.
+
+- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
+     This is an X.509 v1 certificate that omits the version field. Used to
+     test that the certificate version gets the default value v1.
+
+- ct-test-embedded-cert.pem
+- ct-test-embedded-with-intermediate-chain.pem
+- ct-test-embedded-with-intermediate-preca-chain.pem
+- ct-test-embedded-with-preca-chain.pem
+     Test certificate chains for Certificate Transparency: Each of these
+     files contains a leaf certificate as the first certificate, which has
+     embedded SCTs, followed by the issuer certificates chain.
+     All files are from the src/test/testdada directory in
+     https://code.google.com/p/certificate-transparency/
+
+- comodo.chain.pem : A certificate chain for www.comodo.com which should be
+     recognised as EV. Expires Jun 20 2015.
+
+===== Manually generated certificates
 - client.p12 : A PKCS #12 file containing a client certificate and a private
      key created for testing.  The password is "12345".
 
 - client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
      as the one in client.p12) but no private key. The password is "12345".
 
-- punycodetest.der : A test self-signed server certificate with punycode name.
-     The common name is "xn--wgv71a119e.com" (日本語.com)
-
 - unittest.selfsigned.der : A self-signed certificate generated using private
      key in unittest.key.bin. The common name is "unittest".
 
 - unittest.key.bin : private key stored unencrypted.
 
 - unittest.originbound.der: A test origin-bound certificate for
      https://www.google.com:443.
 - unittest.originbound.key.der: matching PrivateKeyInfo.
 
 - x509_verify_results.chain.pem : A simple certificate chain used to test that
     the correctly ordered, filtered certificate chain is returned during
     verification, regardless of the order in which the intermediate/root CA
     certificates are provided.
 
-- google_diginotar.pem
-- diginotar_public_ca_2025.pem : A certificate chain for the regression test
-      of http://crbug.com/94673
-
 - test_mail_google_com.pem : A certificate signed by the test CA for
     "mail.google.com". Because it is signed by that CA instead of the true CA
     for that host, it will fail the
     TransportSecurityState::IsChainOfPublicKeysPermitted test.
 
-- salesforce_com_test.pem
-- verisign_intermediate_ca_2011.pem
-- verisign_intermediate_ca_2016.pem : Certificates for testing two
-     X509Certificate objects that contain the same server certificate but
-     different intermediate CA certificates.  The two intermediate CA
-     certificates actually represent the same intermediate CA but have
-     different validity periods.
-
 - multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
      certificate with all of the AttributeTypeAndValues stored within a single
      RelativeDistinguishedName, rather than one AVA per RDN as normally seen.
 
 - unescaped.pem : Regression test for http://crbug.com/102839. Contains
      characters such as '=' and '"' that would normally be escaped when
      converting a subject/issuer name to their stringized form.
 
+- ocsp-test-root.pem : A root certificate for the code in
+      net/tools/testserver/minica.py
+
+- websocket_cacert.pem : The testing root CA for testing WebSocket client
+     certificate authentication.
+     This file is used in SSLUITest.TestWSSClientCert.
+
+- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
+     and a private key created for WebSocket testing. The password is "".
+     This file is used in SSLUITest.TestWSSClientCert.
+
+- no_subject_common_name_cert.pem: Used to test the function that generates a
+  NSS certificate nickname for a user certificate. This certificate's Subject
+  field doesn't have a common name.
+
+- quic_intermediate.crt
+- quic_test_ecc.example.com.crt
+- quic_test.example.com.crt
+- quic_root.crt
+     These certificates are used by the ProofVerifier's unit tests of QUIC.
+
+===== From net/data/ssl/scripts/generate-test-certs.sh
+- expired_cert.pem
+- ok_cert.pem
+- root_ca_cert.pem
+     These certificates are the common certificates used by the Python test
+     server for simulating HTTPS connections.
+
+- name_constraint_bad.pem
+- name_constraint_good.pem
+    Two certificates used to test the built-in ability to restrict a root to
+    a particular namespace.
+
+- sha256.pem: Used to test the handling of SHA-256 certs on Windows.
+
+- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
+
+- subjectAltName_sanity_check.pem : Used to test the handling of various types
+     within the subjectAltName extension of a certificate.
+
+- punycodetest.pem : A test self-signed server certificate with punycode name.
+     The common name is "xn--wgv71a119e.com" (日本語.com)
+
+===== From net/data/ssl/scripts/generate-weak-test-chains.sh
 - 2048-rsa-root.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
       {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
-     These certficates are generated by
-     net/data/ssl/scripts/generate-weak-test-chains.sh and used in the
-     RejectWeakKeys test in net/base/x509_certificate_unittest.cc.
+      Test certificates used to ensure that weak keys are detected and rejected
 
+===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
 - cross-signed-leaf.pem
 - cross-signed-root-md5.pem
 - cross-signed-root-sha1.pem
-     A certificate chain for regression testing http://crbug.com/108514,
-     generated via scripts/generate-cross-signed-certs.sh
+     A certificate chain for regression testing http://crbug.com/108514
 
+===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
 - redundant-validated-chain.pem
 - redundant-server-chain.pem
 - redundant-validated-chain-root.pem
 
      Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same
      public key) to test that SSLInfo gets the reconstructed, re-ordered
      chain instead of the chain as served. See
      SSLClientSocketTest.VerifyReturnChainProperlyOrdered in
      net/socket/ssl_client_socket_unittest.cc. These chains are valid until
      26 Feb 2022 and are generated by
      net/data/ssl/scripts/generate-redundant-test-chains.sh.
 
-- multi-root-chain1.pem
-- multi-root-chain2.pem
-     Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
-     same public key) to test that certificate validation caching does not
-     interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
-     See CertVerifyProcChromeOSTest.
+===== From net/data/ssl/scripts/generate-policy-certs.sh
+- explicit-policy-chain.pem
+     A test certificate chain with requireExplicitPolicy field set on the
+     intermediate, with SkipCerts=0. This is used for regression testing
+     http://crbug.com/31497.
 
-- comodo.chain.pem : A certificate chain for www.comodo.com which should be
-     recognised as EV. Expires Jun 21 2013.
-
-- ocsp-test-root.pem : A root certificate for the code in
-      net/tools/testserver/minica.py
-
-- sha256.pem: Used to test the handling of SHA-256 certs on Windows.
-     Generated by using the command:
-     "openssl req -x509 -days 3650 -sha256 -newkey rsa:2048 -text \
-          -config ../scripts/ee.cnf -out sha256.pem"
-
-- spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
-     Generated by using the command
-     "openssl req -x509 -days 3650 -sha1 -extensions req_spdy_pooling \
-          -config ../scripts/ee.cnf -newkey rsa:1024 -text \
-          -out spdy_pooling.pem"
-
-- subjectAltName_sanity_check.pem : Used to test the handling of various types
-     within the subjectAltName extension of a certificate. Generated by using
-     the command
-     "openssl req -x509 -days 3650 -sha1 -extensions req_san_sanity \
-          -config ../scripts/ee.cnf -newkey rsa:1024 -text \
-          -out subjectAltName_sanity_check.pem"
-
-- ndn.ca.crt: "New Dream Network Certificate Authority" root certificate.
-     This is an X.509 v1 certificate that omits the version field. Used to
-     test that the certificate version gets the default value v1.
-
-- websocket_cacert.pem : The testing root CA for testing WebSocket client
-     certificate authentication.
-     This file is used in SSLUITest.TestWSSClientCert.
-
-- websocket_client_cert.p12 : A PKCS #12 file containing a client certificate
-     and a private key created for WebSocket testing. The password is "".
-     This file is used in SSLUITest.TestWSSClientCert.
-
-- android-test-key-rsa.pem
-- android-test-key-dsa.pem
-- android-test-key-dsa-public.pem
-- android-test-key-ecdsa.pem
-- android-test-key-ecdsa-public.pem
-     This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
-     unit test in net/android/keystore_unittest.c. They are used to verify
-     that the OpenSSL-specific wrapper for platform PrivateKey objects
-     works properly. See the generate-android-test-keys.sh script.
-
+===== From net/data/ssl/scripts/generate-client-certificates.sh
 - client_1.pem
 - client_1.key
 - client_1.pk8
 - client_1_ca.pem
 - client_2.pem
 - client_2.key
 - client_2.pk8
 - client_2_ca.pem
      This is a set of files used to unit test SSL client certificate
-     authentication. These are generated by
-     net/data/ssl/scripts/generate-client-certificates.sh
+     authentication.
      - client_1_ca.pem and client_2_ca.pem are the certificates of
        two distinct signing CAs.
      - client_1.pem and client_1.key correspond to the certificate and
        private key for a first certificate signed by client_1_ca.pem.
      - client_2.pem and client_2.key correspond to the certificate and
        private key for a second certificate signed by client_2_ca.pem.
      - each .pk8 file contains the same key as the corresponding .key file
        as PKCS#8 PrivateKeyInfo in DER encoding.
 
+===== From net/data/ssl/scripts/generate-android-test-key.sh
+- android-test-key-rsa.pem
+- android-test-key-dsa.pem
+- android-test-key-dsa-public.pem
+- android-test-key-ecdsa.pem
+- android-test-key-ecdsa-public.pem
+     This is a set of test RSA/DSA/ECDSA keys used by the Android-specific
+     unit test in net/android/keystore_unittest.c. They are used to verify
+     that the OpenSSL-specific wrapper for platform PrivateKey objects
+     works properly. See the generate-android-test-keys.sh script.
+
+===== From net/data/ssl/scripts/generate-bad-eku-certs.sh
 - eku-test-root.pem
 - non-crit-codeSigning-chain.pem
 - crit-codeSigning-chain.pem
      Two code-signing certificates (eKU: codeSigning; eKU: critical,
      codeSigning) which we use to test that clients are making sure that web
      server certs are checked for correct eKU fields (when an eKU field is
      present). Since codeSigning is not valid for web server auth, the checks
      should fail.
 
+===== From net/data/ssl/scripts/generate-multi-root-test-chains.sh
+- multi-root-chain1.pem
+- multi-root-chain2.pem
+     Two chains, A -> B -> C -> D and A -> B -> C2 -> E (C and C2 share the
+     same public key) to test that certificate validation caching does not
+     interfere with the chain_verify_callback used by CertVerifyProcChromeOS.
+     See CertVerifyProcChromeOSTest.
+
+===== From net/data/ssl/scripts/generate-duplicate-cn-certs.sh
 - duplicate_cn_1.p12
 - duplicate_cn_1.pem
 - duplicate_cn_2.p12
 - duplicate_cn_2.pem
      Two certificates from the same issuer that share the same common name,
      but have distinct subject names (namely, their O fields differ). NSS
      requires that certificates have unique nicknames if they do not share the
      same subject, and these certificates are used to test that the nickname
      generation algorithm generates unique nicknames.
      The .pem versions contain just the certs, while the .p12 versions contain
      both the cert and a private key, since there are multiple ways to import
      certificates into NSS.
 
+===== From net/data/ssl/scripts/generate-aia-certs.sh
 - aia-cert.pem
 - aia-intermediate.der
 - aia-root.pem
      A certificate chain which we use to ensure AIA fetching works correctly
      when using NSS to verify certificates (which uses our HTTP stack).
      aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
      containing the intermediate, which can be served via a URLRequestFilter.
      aia-intermediate.der is stored in DER form for convenience, since that is
      the form expected of certificates discovered via AIA.
 
-- cybertrust_gte_root.pem
-- cybertrust_baltimore_root.pem
-- cybertrust_omniroot_chain.pem
-- cybertrust_baltimore_cross_certified_1.pem
-- cybertrust_baltimore_cross_certified_2.pem
-     These certificates are reflect a portion of the CyberTrust (Verizon
-     Business) CA hierarchy. _gte_root.pem is a legacy 1024-bit root that is
-     still widely supported, while _baltimore_root.pem reflects the newer
-     2048-bit root. For clients that only support the GTE root, two versions
-     of the Baltimore root were cross-signed by GTE, namely
-     _cross_certified_[1,2].pem. _omniroot_chain.pem contains a certificate
-     chain that was issued under the Baltimore root. Combined, these
-     certificates can be used to test real-world cross-signing; in practice,
-     they are used to test certain workarounds for OS X's chain building code.
 
-- no_subject_common_name_cert.pem: Used to test the function that generates a
-  NSS certificate nickname for a user certificate. This certificate's Subject
-  field doesn't have a common name.
-
-- expired_cert.pem
-- ok_cert.pem
-- root_ca_cert.pem
-     These certificates are the common certificates used by the Python test
-     server for simulating HTTPS connections. They are generated by running
-     the script net/data/ssl/scripts/generate-test-certs.sh.
-
-- quic_intermediate.crt
-- quic_test_ecc.example.com.crt
-- quic_test.example.com.crt
-- quic_root.crt
-     These certificates are used by the ProofVerifier's unit tests of QUIC.
-
-- explicit-policy-chain.pem
-     A test certificate chain with requireExplicitPolicy field set on the
-     intermediate, with SkipCerts=0. This is used for regression testing
-     http://crbug.com/31497. It is generated by running the script
-     net/data/ssl/scripts/generate-policy-certs.sh
-
-- ct-test-embedded-cert.pem
-- ct-test-embedded-with-intermediate-chain.pem
-- ct-test-embedded-with-intermediate-preca-chain.pem
-- ct-test-embedded-with-preca-chain.pem
-     Test certificate chains for Certificate Transparency: Each of these
-     files contains a leaf certificate as the first certificate, which has
-     embedded SCTs, followed by the issuer certificates chain.
-     All files are from the src/test/testdada directory in
-     https://code.google.com/p/certificate-transparency/