From 3aa3bacae92b7beb9caf679479860a2d940e1c92 Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Wed, 2 Oct 2024 00:26:44 +0100 Subject: [PATCH] fiddle with ca cert gen options this is because s6-tlsclient refused to connect with Not a CA, or path length constraint violation. (BR_ERR_X509_NOT_CA) error --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac66631..08cb084 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ chmod 0700 psk # create CA key and cert used for signing openssl genrsa -out ca.key 4096 -CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt +CN=CA openssl req -config openssl.cnf -addext basicConstraints=critical,CA:TRUE,pathlen:1 --x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt # create key for the server and sign it with the CA CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
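Review bot: The added `-addext basicConstraints=critical,CA:TRUE,pathlen:1` gives the CA more authority than the README's flow appears to use: `pathlen:1` allows one level of subordinate CA beneath it, while the next step signs the server certificate directly with this CA. If no intermediate is planned, `-addext basicConstraints=critical,CA:TRUE,pathlen:0` keeps `CA:TRUE` (presumably the part that clears `BR_ERR_X509_NOT_CA`), and any certificate this CA signs with `CA:TRUE` would then not be accepted as an issuer. The new line also spells `--x509` with two dashes where the removed line used `-x509`; if that is not an extraction artifact, `-x509` would match the other options. Whether `openssl.cnf` already sets `basicConstraints` or `keyUsage` is not visible here, so check that the CA certificate ends up with a single `basicConstraints` extension and a `keyUsage` limited to certificate and CRL signing.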