From e6c560e5c9d7c1f332dadf47ddf3861f3289cbc9 Mon Sep 17 00:00:00 2001
From: James Renken
Date: Mon, 12 Oct 2020 22:06:20 -0700
Subject: [PATCH] Add modern X.509v3 extensions to unbound-control TLS certificates
---
 smallapp/unbound-control-setup.sh.in | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in
index 3e506e84e..6b5e0dbbf 100644
--- a/smallapp/unbound-control-setup.sh.in
+++ b/smallapp/unbound-control-setup.sh.in
@@ -124,8 +124,14 @@ default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
+x509_extensions=v3_ca
 [req_distinguished_name]
 commonName=$SERVERNAME
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=critical,CA:TRUE,pathlen:0
+subjectAltName=DNS:$SERVERNAME
 EOF
 [ -f server.cnf ] || fatal "cannot create openssl configuration"
@@ -156,8 +162,12 @@ default_bits=$BITS
 default_md=$HASH
 prompt=no
 distinguished_name=req_distinguished_name
+req_extensions=v3_req
 [req_distinguished_name]
 commonName=$CLIENTNAME
+[v3_req]
+basicConstraints=critical,CA:FALSE
+subjectAltName=DNS:$CLIENTNAME
 EOF
 [ -f client.cnf ] || fatal "cannot create openssl configuration"
-- 
2.47.2
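Review bot: The new `[v3_ca]` section in the server.cnf heredoc marks the TLS server certificate `CA:TRUE`, which is unusual for an end-entity certificate and deserves an explanation in the generated config so a later maintainer does not "fix" it. The `pathlen:0` suggests server.pem doubles as the issuer of the client certificate (the signing step is outside this hunk), so a config comment such as `# server.pem is also the CA that issues client.pem, hence CA:TRUE; pathlen:0 forbids sub-CAs` immediately before `basicConstraints=` would document the intent, since OpenSSL config files accept `#` comments. `subjectAltName=DNS:$SERVERNAME` is expanded by the unquoted heredoc at run time; if the value set elsewhere in the script could contain a comma, whitespace or `#`, OpenSSL's config parser would misread the line, so it is worth confirming that `SERVERNAME` is constrained where it is assigned.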
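Review bot: `req_extensions=v3_req` in the client.cnf heredoc only places `basicConstraints=critical,CA:FALSE` and the `subjectAltName` into the client CSR; `openssl x509 -req` does not carry CSR extensions into the issued certificate unless told to with `-extfile client.cnf -extensions v3_req` (or `-copy_extensions copy` on OpenSSL 3). The signing command is outside this hunk and the diffstat shows only these 10 insertions, so unless that command already passes those options, client.pem is issued without the intended constraint and SAN and the change is silently a no-op for the client. Suggest adding `-extfile client.cnf -extensions v3_req` to the client signing line and verifying the result with `openssl x509 -in client.pem -noout -text`.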