]> git.ipfire.org Git - thirdparty/unbound.git/commitdiff
projects / thirdparty / unbound.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fca884a)
Add modern X.509v3 extensions to unbound-control TLS certificates 324/head
authorJames Renken <jrenken@letsencrypt.org>
Tue, 13 Oct 2020 05:06:20 +0000 (22:06 -0700)
committerJames Renken <jrenken@letsencrypt.org>
Tue, 13 Oct 2020 05:06:20 +0000 (22:06 -0700)
smallapp/unbound-control-setup.sh.in patch | blob | blame | history

diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in
index 3e506e84e2363d51eddddf41c6b9c186a9b405c7..6b5e0dbbf205bcdcf7b55016863a59ea54f1ec95 100644 (file)
--- a/smallapp/unbound-control-setup.sh.in
+++ b/smallapp/unbound-control-setup.sh.in
@@ -124,8 +124,14 @@ default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
+x509_extensions=v3_ca
 [req_distinguished_name]
 commonName=$SERVERNAME
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=critical,CA:TRUE,pathlen:0
+subjectAltName=DNS:$SERVERNAME
 EOF
 
 [ -f server.cnf ] || fatal "cannot create openssl configuration"
@@ -156,8 +162,12 @@ default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
+req_extensions=v3_req
 [req_distinguished_name]
 commonName=$CLIENTNAME
+[v3_req]
+basicConstraints=critical,CA:FALSE
+subjectAltName=DNS:$CLIENTNAME
 EOF
 
 [ -f client.cnf ] || fatal "cannot create openssl configuration"
Mirror of https://github.com/NLnetLabs/unbound.git