2 days ago, Must-Staple support was added to the master branch and 20 hours ago, the master branch was pulled into the staging branch. (And Boulder is already sporting this commit: Boulder=( +d08ec6a Wed Feb 17 20:48:12 UTC 2016))
So, I thought, let’s generate a certificate with the Must-Staple feature in it! I did this with the following command to generate the CSR:
openssl req -new -sha256 -key ../keys/example.com.privkey.pem -subj "/CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05")) -out example.com.must-staple.csr.pem
At the moment I’m still running OpenSSL 1.0.2, so no official support for RFC 7633. Therefore, the feature is hard-coded into the CSR…
Unfortunately, Boulder generates an “Internal server error” (or something)… See my issue @ GitHub…
Has anyone already experimented with the Must-Staple extension?
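As an added example (not from the original post or from Boulder), here is a small pure-Python encoder/decoder for the RFC 7633 TLSFeature extension, which lets you check that the hand-written `DER:30:03:02:01:05` value in the CSR config above really encodes `SEQUENCE { INTEGER 5 }` (status_request, i.e. Must-Staple) before sending the CSR to a CA. It also goes slightly beyond the post by encoding status_request_v2 (id 17), the other feature RFC 7633 names; the function and variable names are this example's own.

```python
"""Encode/decode the RFC 7633 TLSFeature extension (OID 1.3.6.1.5.5.7.1.24).

TLSFeature ::= SEQUENCE OF INTEGER, where 5 = status_request (OCSP Must-Staple)
and 17 = status_request_v2. OpenSSL 1.0.2 has no name for this extension, so the
post hard-codes the DER bytes in its config; this verifies such bytes offline.
"""

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
FEATURE_NAMES = {5: "status_request", 17: "status_request_v2"}


def _der_len(n):
    # Short-form length is enough for the tiny payloads this extension carries.
    if n >= 128:
        raise ValueError("long-form DER lengths are not needed here")
    return bytes([n])


def encode_tls_feature(features):
    """Return the DER encoding of TLSFeature for the given TLS extension ids."""
    body = b""
    for f in features:
        if not 0 <= f <= 127:
            raise ValueError("unexpected TLS extension id %d" % f)
        body += b"\x02" + _der_len(1) + bytes([f])  # INTEGER, one content byte
    return b"\x30" + _der_len(len(body)) + body     # SEQUENCE wrapping them


def decode_tls_feature(der):
    """Parse a TLSFeature DER blob and return the list of feature ids."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-length SEQUENCE")
    ids, i = [], 2
    while i < len(der):
        if der[i] != 0x02:
            raise ValueError("expected INTEGER at offset %d" % i)
        length = der[i + 1]
        ids.append(int.from_bytes(der[i + 2:i + 2 + length], "big", signed=True))
        i += 2 + length
    return ids


def openssl_conf_line(features):
    """Config line in the form the post uses: OID=DER:xx:xx:..."""
    hexbytes = ":".join("%02x" % b for b in encode_tls_feature(features))
    return "%s=DER:%s" % (TLS_FEATURE_OID, hexbytes)


def is_must_staple(der):
    """True if the extension lists status_request (5), i.e. OCSP Must-Staple."""
    return 5 in decode_tls_feature(der)
```

`openssl_conf_line([5])` reproduces the exact `1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05` line from the CSR config, and `decode_tls_feature` can be pointed at the extension value printed by `openssl req -text` to confirm what a CA will see.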