- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 8 Mar 2024 16:18:05 +0000 (17:18 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 8 Mar 2024 16:18:05 +0000 (17:18 +0100)
  like unbound-control-setup.sh has.

doc/Changelog
winrc/unbound-control-setup.cmd

index a22d5b80f4d52f7ac422d715d60aee6ffa9854ea..c80843887a0b099418d51f716cb789518a5b7ef9 100644 (file)
@@ -10,6 +10,8 @@
        - Fix qname minimisation for reply with a DNAME for qtype CNAME that
          answers it.
        - Fix doc test so it ignores but outputs unsupported doxygen options.
+       - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
+         like unbound-control-setup.sh has.
 
 8 March 2024: Yorgos
        - Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
index 31c21efa82ae3ec63a59789f34e2831877a0cae7..a5ffe04e914e239f5a4c1121759bac1d7a87741d 100644 (file)
@@ -98,9 +98,14 @@ echo default_bits=%BITS%>>request.cfg
 echo default_md=%HASH%>>request.cfg\r
 echo prompt=no>>request.cfg\r
 echo distinguished_name=req_distinguished_name>>request.cfg\r
-echo.>>request.cfg\r
+echo x509_extensions=v3_ca>>request.cfg\r
 echo [req_distinguished_name]>>request.cfg\r
 echo commonName=%SERVERNAME%>>request.cfg\r
+echo [v3_ca]>>request.cfg\r
+echo subjectKeyIdentifier=hash>>request.cfg\r
+echo authorityKeyIdentifier=keyid:always,issuer:always>>request.cfg\r
+echo basicConstraints=critical,CA:TRUE,pathlen:0>>request.cfg\r
+echo subjectAltName=DNS:%SERVERNAME%>>request.cfg\r
 \r
 if not exist request.cfg (\r
 echo could not create request.cfg\r
@@ -119,9 +124,12 @@ echo default_bits=%BITS%>>request.cfg
 echo default_md=%HASH%>>request.cfg\r
 echo prompt=no>>request.cfg\r
 echo distinguished_name=req_distinguished_name>>request.cfg\r
-echo.>>request.cfg\r
+echo req_extensions=v3_req>>request.cfg\r
 echo [req_distinguished_name]>>request.cfg\r
 echo commonName=%CLIENTNAME%>>request.cfg\r
+echo [v3_req]>>request.cfg\r
+echo basicConstraints=critical,CA:FALSE>>request.cfg\r
+echo subjectAltName=DNS:%CLIENTNAME%>>request.cfg\r
 \r
 if not exist request.cfg (\r
 echo could not create request.cfg\r
@@ -129,7 +137,7 @@ exit 1
 )\r
 \r
 echo create %CTL_BASE%.pem (signed client certificate)\r
-"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem\r
+"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -extfile request.cfg -extensions v3_req -out %CTL_BASE%.pem\r
 \r
 if not exist %CTL_BASE%.pem (\r
 echo could not create %CTL_BASE%.pem\r
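Review bot: The new `echo basicConstraints=critical,CA:TRUE,pathlen:0>>request.cfg` line in the first hunk is probably never written to request.cfg, because cmd.exe treats a single digit immediately before a redirection operator as a file-handle number, so `0>>request.cfg` redirects handle 0 and the echoed text goes to the console instead; the CA certificate would then still be generated without the basicConstraints this commit sets out to add. Put the redirection first so no digit can touch the operator, e.g. `>>request.cfg echo basicConstraints=critical,CA:TRUE,pathlen:0`, and consider using the same form for the other new lines so the file stays consistent. The existing `echo default_bits=%BITS%>>request.cfg` context line appears to have the same hazard whenever %BITS% ends in a digit, which is worth checking on a Windows host. The run of echo statements that builds request.cfg starts above this hunk.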