author | Tobias Heider <tobhe@cvs.openbsd.org> | 2023-11-17 14:43:37 +0000 |
---|---|---|
committer | Tobias Heider <tobhe@cvs.openbsd.org> | 2023-11-17 14:43:37 +0000 |
commit | cefe3ec27d88a6ab0f0c1c39f669ac02b6d1bdfe | |
tree | abb821a170a981f3dffbee6c360983a19a678143 /usr.sbin/ikectl | |
parent | 421ea294913a3fb0e29688fcfb27a32365314009 | |

Set "unique_subject = no" to allow renewing expired certificates.

Without this, openssl throws an error when creating a second req for
the same subject which leads to ikectl deleting the old cert without
creating a new one.

Reported by Ryan Kavanagh in openiked-portable here:
https://github.com/openiked/openiked-portable/issues/125

discussed with tb@
ok patrick@

Diffstat (limited to 'usr.sbin/ikectl')
-rw-r--r-- | usr.sbin/ikectl/ikeca.cnf | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf index 47207ac7df0..86ae67add1a 100644 --- a/usr.sbin/ikectl/ikeca.cnf +++ b/usr.sbin/ikectl/ikeca.cnf @@ -1,4 +1,4 @@ -# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $ +# $OpenBSD: ikeca.cnf,v 1.10 2023/11/17 14:43:36 tobhe Exp $ CERT_C = DE CERT_ST = Lower Saxony @@ -104,6 +104,6 @@ serial = $ENV::CASERIAL default_md = sha256 default_days = 365 default_crl_days = 365 -unique_subject = yes +unique_subject = no email_in_dn = yes policy = CA_sign_policy |
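
Review bot: The `unique_subject = no` line in the second hunk (@@ -104,6 +104,6 @@) needs a comment in ikeca.cnf saying why the value is set this way, since the reason currently lives only in the commit message. A one-line comment above it, such as `# allow issuing a new cert for an existing subject (renewal)`, would keep a later cleanup from switching it back to `yes`. With this value `openssl ca` accepts several valid index entries for the same subject, so renewing a certificate that has not yet expired leaves the old one valid until it is revoked; that is worth stating where the renewal procedure is documented. The commit message also describes ikectl deleting the old cert when the req fails, and nothing in this diff changes that ordering, so any other openssl failure at that step would still remove the certificate without a replacement.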