- Fix unbound-control-setup.cmd to have CA v3 basicConstraints, branch-1.19.3 release-1.19.3 release-1.19.3rc2
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 8 Mar 2024 16:18:05 +0000 (17:18 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Mon, 11 Mar 2024 09:47:34 +0000 (10:47 +0100)
  like unbound-control-setup.sh has.

doc/Changelog
winrc/unbound-control-setup.cmd

index 9dbd2263750dec9d478f8cdf6e2bb2b1937fc101..328e832891025fa0b95d4548953bbad0bb99b76b 100644 (file)
@@ -2,6 +2,8 @@
        - Fix unbound-control-setup.cmd to use 3072 bits so that certificates
          are long enough for newer OpenSSL versions.
        - Fix TTL of synthesized CNAME when a DNAME is used from cache.
+       - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
+         like unbound-control-setup.sh has.
 
 7 March 2024: Wouter
        - Version set to 1.19.3 for release. After 1.19.2 point release with
index 31c21efa82ae3ec63a59789f34e2831877a0cae7..a5ffe04e914e239f5a4c1121759bac1d7a87741d 100644 (file)
@@ -98,9 +98,14 @@ echo default_bits=%BITS%>>request.cfg
 echo default_md=%HASH%>>request.cfg\r
 echo prompt=no>>request.cfg\r
 echo distinguished_name=req_distinguished_name>>request.cfg\r
-echo.>>request.cfg\r
+echo x509_extensions=v3_ca>>request.cfg\r
 echo [req_distinguished_name]>>request.cfg\r
 echo commonName=%SERVERNAME%>>request.cfg\r
+echo [v3_ca]>>request.cfg\r
+echo subjectKeyIdentifier=hash>>request.cfg\r
+echo authorityKeyIdentifier=keyid:always,issuer:always>>request.cfg\r
+echo basicConstraints=critical,CA:TRUE,pathlen:0>>request.cfg\r
+echo subjectAltName=DNS:%SERVERNAME%>>request.cfg\r
 \r
 if not exist request.cfg (\r
 echo could not create request.cfg\r
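Review bot: The added line `echo basicConstraints=critical,CA:TRUE,pathlen:0>>request.cfg` most likely never reaches request.cfg: cmd takes a single digit placed directly before a redirection operator as a file handle, so `0>>request.cfg` redirects handle 0 and the text up to `pathlen:` is printed to the console, leaving the CA certificate without the basicConstraints extension this commit is meant to add. Placing the redirection first avoids that without appending a trailing space to the value, `>>request.cfg echo basicConstraints=critical,CA:TRUE,pathlen:0`. The new `subjectAltName=DNS:%SERVERNAME%>>request.cfg` line here, and `subjectAltName=DNS:%CLIENTNAME%>>request.cfg` in the next hunk, inherit the same hazard from the existing commonName lines whenever the host name ends in a digit, and the same prefix-redirection form fixes them. The `req -x509` step that consumes `x509_extensions=v3_ca` is outside this hunk, so I cannot confirm from here that it is run with `-config request.cfg`; after the fix, the generated %SVR_BASE%_trust.pem should be inspected for the CA:TRUE constraint.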
@@ -119,9 +124,12 @@ echo default_bits=%BITS%>>request.cfg
 echo default_md=%HASH%>>request.cfg\r
 echo prompt=no>>request.cfg\r
 echo distinguished_name=req_distinguished_name>>request.cfg\r
-echo.>>request.cfg\r
+echo req_extensions=v3_req>>request.cfg\r
 echo [req_distinguished_name]>>request.cfg\r
 echo commonName=%CLIENTNAME%>>request.cfg\r
+echo [v3_req]>>request.cfg\r
+echo basicConstraints=critical,CA:FALSE>>request.cfg\r
+echo subjectAltName=DNS:%CLIENTNAME%>>request.cfg\r
 \r
 if not exist request.cfg (\r
 echo could not create request.cfg\r
@@ -129,7 +137,7 @@ exit 1
 )\r
 \r
 echo create %CTL_BASE%.pem (signed client certificate)\r
-"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem\r
+"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -extfile request.cfg -extensions v3_req -out %CTL_BASE%.pem\r
 \r
 if not exist %CTL_BASE%.pem (\r
 echo could not create %CTL_BASE%.pem\r
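Review bot: The `-extfile request.cfg -extensions v3_req` options added to the x509 -req line deserve a comment, since they are the only thing that puts basicConstraints CA:FALSE and the SAN into %CTL_BASE%.pem: `x509 -req` does not carry extensions over from the CSR by default, so the `req_extensions=v3_req` written into request.cfg in the previous hunk only affects the CSR and would be dropped here without these options. A line such as `rem apply [v3_req] from request.cfg here; x509 -req ignores extensions carried in the CSR` above the command would keep a later cleanup from removing the seemingly redundant options.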