Skip to content

Commit

Permalink
Set "unique_subject = no" to allow renewing expired certificates.
Browse files Browse the repository at this point in the history
Without this, openssl throws an error when creating a second req for
the same subject which leads to ikectl deleting the old cert without
creating a new one.

Reported by Ryan Kavanagh in openiked-portable here:
#125

discussed with tb@
ok patrick@
  • Loading branch information
tobhe committed Nov 17, 2023
1 parent a56a2d1 commit 6a36fe8
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions ikectl/ikeca.cnf
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $
# $OpenBSD: ikeca.cnf,v 1.10 2023/11/17 14:43:36 tobhe Exp $

CERT_C = DE
CERT_ST = Lower Saxony
@@ -104,6 +104,6 @@ serial = $ENV::CASERIAL
default_md = sha256
default_days = 365
default_crl_days = 365
unique_subject = yes
unique_subject = no
email_in_dn = yes
policy = CA_sign_policy

0 comments on commit 6a36fe8

Please sign in to comment.