Set "unique_subject = no" to allow renewing expired certificates.
author: tobhe <tobhe@openbsd.org>, Fri, 17 Nov 2023 14:43:36 +0000 (14:43 +0000)
committer: tobhe <tobhe@openbsd.org>, Fri, 17 Nov 2023 14:43:36 +0000 (14:43 +0000)
Without this, openssl throws an error when creating a second req for
the same subject, which leads to ikectl deleting the old cert without
creating a new one.

Reported by Ryan Kavanagh in openiked-portable here:
https://github.com/openiked/openiked-portable/issues/125

discussed with tb@
ok patrick@
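
The failure the commit message describes, reproduced as an added example (this is not code from the OpenBSD commit, ikectl or openiked-portable): a POSIX shell script that builds throwaway CAs with openssl ca, once with unique_subject = yes and once with unique_subject = no, and issues two certificates for the same subject under each. It also shows the two consequences a practitioner should know about: with "no" the previous certificate stays a valid entry in the CA database after renewal, and with "yes" renewal still works if the old certificate is revoked first. It assumes openssl(1) is on PATH; the directory layout, the config section names and the host1 subject are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from OpenBSD, ikectl or openiked-portable:
# reproduce the unique_subject behaviour of openssl ca in throwaway CAs.
# Assumes openssl(1) is on PATH; paths, section names and the "host1"
# subject are made up for the demonstration.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "skipping: openssl(1) not found" >&2; exit 0; }

# Build a minimal CA in directory $1 with unique_subject set to $2 (yes/no).
mkca() {
    cadir=$1 uniq=$2
    mkdir -p "$cadir/certs"
    : > "$cadir/index.txt"          # empty certificate database
    echo 01 > "$cadir/serial"
    cat > "$cadir/ca.cnf" <<EOF
[ ca ]
default_ca     = demo_ca
[ demo_ca ]
dir            = $cadir
database       = \$dir/index.txt
new_certs_dir  = \$dir/certs
serial         = \$dir/serial
certificate    = \$dir/ca.crt
private_key    = \$dir/ca.key
default_md     = sha256
default_days   = 365
unique_subject = $uniq
policy         = demo_policy
[ demo_policy ]
commonName     = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$cadir/ca.cnf" \
        -keyout "$cadir/ca.key" -out "$cadir/ca.crt" -days 365 >/dev/null 2>&1
}

# Request and sign a certificate for CN=$2 with the CA in $1. Returns the
# exit status of openssl ca, which refuses the request when unique_subject
# is yes and a valid certificate with that subject already exists.
issue() {
    cadir=$1 cn=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$cadir/ca.cnf" \
        -keyout "$cadir/$cn.key" -out "$cadir/$cn.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl ca -batch -config "$cadir/ca.cnf" -in "$cadir/$cn.csr" \
        -out "$cadir/$cn.crt" >/dev/null 2>&1
}

# Issue two certificates for the same subject under unique_subject = $1.
# Returns 0 if the second one is issued, 1 if the CA refuses it.
reissue_allowed() {
    workdir=$(mktemp -d)
    mkca "$workdir" "$1"
    issue "$workdir" host1
    if issue "$workdir" host1; then rc=0; else rc=1; fi
    rm -rf "$workdir"
    return $rc
}

# Print how many certificates are still marked valid (V) in the database
# after a renewal under unique_subject = $1. With "no" the old certificate
# stays valid until it is revoked or expires.
valid_after_renewal() {
    workdir=$(mktemp -d)
    mkca "$workdir" "$1"
    issue "$workdir" host1
    issue "$workdir" host1 || true
    grep -c '^V' "$workdir/index.txt"
    rm -rf "$workdir"
}

# With unique_subject = yes the subject is free again once the old
# certificate is revoked (R in the database), so renewal works without
# relaxing the uniqueness check. Returns 0 if the renewal succeeds.
revoke_then_reissue() {
    workdir=$(mktemp -d)
    mkca "$workdir" yes
    issue "$workdir" host1
    openssl ca -batch -config "$workdir/ca.cnf" -revoke "$workdir/host1.crt" >/dev/null 2>&1
    if issue "$workdir" host1; then rc=0; else rc=1; fi
    rm -rf "$workdir"
    return $rc
}

# Demonstration when run directly.
for setting in yes no; do
    if reissue_allowed "$setting"; then
        echo "unique_subject = $setting: second certificate for the same subject issued"
    else
        echo "unique_subject = $setting: second request for the same subject refused"
    fi
done
echo "valid entries after renewal with unique_subject = no: $(valid_after_renewal no)"
echo "revoke old cert, then renew with unique_subject = yes: $(revoke_then_reissue && echo issued || echo refused)"
```

Run it as `sh unique_subject_demo.sh`. The refusal under unique_subject = yes is the "ERROR:There is already a certificate for /CN=host1" that openssl ca prints, which is what the commit message refers to; the script hides it with 2>&1 and reports the exit status instead. The count of valid entries after a renewal under "no" is the part worth remembering: the CA keeps trusting the old certificate until it is revoked or expires.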

usr.sbin/ikectl/ikeca.cnf

index 47207ac..86ae67a 100644
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $
+# $OpenBSD: ikeca.cnf,v 1.10 2023/11/17 14:43:36 tobhe Exp $
 
 CERT_C                 = DE
 CERT_ST                        = Lower Saxony
@@ -104,6 +104,6 @@ serial                              = $ENV::CASERIAL
 default_md                     = sha256
 default_days                   = 365
 default_crl_days               = 365
-unique_subject                 = yes
+unique_subject                 = no
 email_in_dn                    = yes
 policy                         = CA_sign_policy
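Review bot: with `unique_subject = no` the certificate being renewed stays a valid (V) entry in the CA database alongside the new one, and nothing in this hunk revokes it, so the old certificate keeps verifying against this CA until its own expiry. If that is not intended, the renewal path in ikectl should revoke the old certificate (`openssl ca -revoke`) when it issues the replacement, or the behaviour should be documented; alternatively revoking first would also clear the "already a certificate for this subject" error without relaxing the uniqueness check. One deployment caveat: openssl ca records the unique_subject value in index.txt.attr when the database is created and, when that file is present, it takes precedence over ikeca.cnf, so CAs created before this change will still refuse the second request until that file is updated as well.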