Must-Staple certificate on staging?

2 days ago, Must-Staple support was added to the master branch, and 20 hours ago the master branch was pulled into the staging branch. (And Boulder is already sporting this commit: Boulder=( +d08ec6a Wed Feb 17 20:48:12 UTC 2016).)

So, I thought, let’s generate a certificate with the Must-Staple feature in it! This, with the following command to generate the CSR:

```shell
openssl req -new -sha256 -key ../keys/example.com.privkey.pem -subj "/CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com\n1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05")) -out example.com.must-staple.csr.pem
```

At the moment I’m still running OpenSSL 1.0.2, so no official support for RFC 7633. Therefore, the feature is hard-coded into the CSR…

Unfortunately, Boulder generates an “Internal server error” (or something)… See my issue @ GitHub

Has anyone already experimented with the Must-Staple extension?

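Because the extension is hand-encoded rather than produced by OpenSSL, a sanity check of the DER bytes before submitting the CSR is worthwhile. The following is an added example, not code from the original post or from Boulder: it builds the RFC 7633 TLS Feature value (SEQUENCE OF INTEGER) for a list of TLS extension numbers, decodes it back, and emits the exact `oid=DER:...` line used in the openssl.cnf fragment above. The function names are the example's own.

```python
# Added example: encode and verify the RFC 7633 TLS Feature extension value that the
# post hard-codes as "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05" (pure Python, no deps).
from typing import List

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS extension number of status_request (OCSP stapling)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; the extra bit keeps the sign bit clear (e.g. 128 -> 00 80)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + der_length(len(body)) + body


def encode_tls_feature(features: List[int]) -> bytes:
    """Features ::= SEQUENCE OF INTEGER, as RFC 7633 section 4.1 defines the value."""
    body = b"".join(der_integer(f) for f in features)
    return b"\x30" + der_length(len(body)) + body


def decode_tls_feature(der: bytes) -> List[int]:
    """Strict parse of a short-form SEQUENCE OF INTEGER; raises ValueError on anything else."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected SEQUENCE with short-form length")
    body = der[2:2 + der[1]]
    if len(body) != der[1] or len(der) != 2 + der[1]:
        raise ValueError("SEQUENCE length does not match data")
    pos, features = 0, []
    while pos < len(body):
        if body[pos] != 0x02 or pos + 2 > len(body):
            raise ValueError("expected INTEGER")
        n, val = body[pos + 1], body[pos + 2:pos + 2 + body[pos + 1]]
        if n == 0 or len(val) != n or val[0] & 0x80:
            raise ValueError("bad INTEGER encoding")
        features.append(int.from_bytes(val, "big"))
        pos += 2 + n
    return features


def is_valid_tls_feature(der: bytes) -> bool:
    try:
        decode_tls_feature(der)
        return True
    except ValueError:
        return False


def openssl_cnf_line(features: List[int]) -> str:
    """The 'oid=DER:hh:hh:...' line OpenSSL accepts in a config section for arbitrary extensions."""
    return f"{TLS_FEATURE_OID}=DER:" + ":".join(f"{b:02X}" for b in encode_tls_feature(features))
```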