From 255ae5e81cb9ce16785805bcef7f80d7ce2eb68f Mon Sep 17 00:00:00 2001
From: tobhe
Date: Fri, 17 Nov 2023 14:43:36 +0000
Subject: [PATCH] Set "unique_subject = no" to allow renewing expired certificates. Without this, openssl throws an error when creating a second req for the same subject which leads to ikectl deleting the old cert without creating a new one. Reported by Ryan Kavanagh in openiked-portable here: https://github.com/openiked/openiked-portable/issues/125 discussed with tb@ ok patrick@
---
 usr.sbin/ikectl/ikeca.cnf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index 47207ac7df0..86ae67add1a 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $
+# $OpenBSD: ikeca.cnf,v 1.10 2023/11/17 14:43:36 tobhe Exp $
 CERT_C = DE
 CERT_ST = Lower Saxony
@@ -104,6 +104,6 @@ serial = $ENV::CASERIAL
 default_md = sha256
 default_days = 365
 default_crl_days = 365
-unique_subject = yes
+unique_subject = no
 email_in_dn = yes
 policy = CA_sign_policy
-- 
2.20.1
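Review bot: The new `unique_subject = no` line in the second hunk has no comment explaining its effect. With this setting the CA database accepts several valid entries for one subject, so a certificate reissued before the old one expires leaves both usable unless the old one is revoked. I would add a comment above it such as `# "no" permits reissuing a subject (renewal); revoke the previous cert if it has not yet expired`. It may also be worth confirming that CAs created before this change pick it up, since `openssl ca` keeps a copy of this attribute next to the index file (`index.txt.attr`) and, as far as I recall, that stored value takes precedence over the config. The enclosing section header is outside the hunk, so the database path in use is not visible here.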