- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,

like unbound-control-setup.sh has.
NLnetLabs · Mar 11, 2024 · 48b6c60 · 48b6c60
1 parent 0c967e0
commit 48b6c60
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/doc/Changelog b/doc/Changelog
@@ -2,6 +2,8 @@
 	- Fix unbound-control-setup.cmd to use 3072 bits so that certificates
 	  are long enough for newer OpenSSL versions.
 	- Fix TTL of synthesized CNAME when a DNAME is used from cache.
+	- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
+	  like unbound-control-setup.sh has.
 
 7 March 2024: Wouter
 	- Version set to 1.19.3 for release. After 1.19.2 point release with

diff --git a/winrc/unbound-control-setup.cmd b/winrc/unbound-control-setup.cmd
@@ -98,9 +98,14 @@ echo default_bits=%BITS%>>request.cfg
 echo default_md=%HASH%>>request.cfg
 echo prompt=no>>request.cfg
 echo distinguished_name=req_distinguished_name>>request.cfg
-echo.>>request.cfg
+echo x509_extensions=v3_ca>>request.cfg
 echo [req_distinguished_name]>>request.cfg
 echo commonName=%SERVERNAME%>>request.cfg
+echo [v3_ca]>>request.cfg
+echo subjectKeyIdentifier=hash>>request.cfg
+echo authorityKeyIdentifier=keyid:always,issuer:always>>request.cfg
+echo basicConstraints=critical,CA:TRUE,pathlen:0>>request.cfg
+echo subjectAltName=DNS:%SERVERNAME%>>request.cfg
 
 if not exist request.cfg (
 echo could not create request.cfg
@@ -119,17 +124,20 @@ echo default_bits=%BITS%>>request.cfg
 echo default_md=%HASH%>>request.cfg
 echo prompt=no>>request.cfg
 echo distinguished_name=req_distinguished_name>>request.cfg
-echo.>>request.cfg
+echo req_extensions=v3_req>>request.cfg
 echo [req_distinguished_name]>>request.cfg
 echo commonName=%CLIENTNAME%>>request.cfg
+echo [v3_req]>>request.cfg
+echo basicConstraints=critical,CA:FALSE>>request.cfg
+echo subjectAltName=DNS:%CLIENTNAME%>>request.cfg
 
 if not exist request.cfg (
 echo could not create request.cfg
 exit 1
 )
 
 echo create %CTL_BASE%.pem (signed client certificate)
-"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem
+"%SSL_PROGRAM%" req -key %CTL_BASE%.key -config request.cfg -new | "%SSL_PROGRAM%" x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -extfile request.cfg -extensions v3_req -out %CTL_BASE%.pem
 
 if not exist %CTL_BASE%.pem (
 echo could not create %CTL_BASE%.pem