-rw-r--r--Changelog3
-rwxr-xr-xlacme8
2 files changed, 5 insertions, 6 deletions
diff --git a/Changelog b/Changelog
index 035451c..451eace 100644
--- a/Changelog
+++ b/Changelog
@@ -7,6 +7,9 @@ lacme (0.3) upstream;
- new-cert: sort section names if not passed explicitely.
- new-cert: new CLI option "min-days" overriding the value found in
the configuration file.
+ - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
+ extensions as critical in the CSR, following upstream fix of
+ Boulder's issue #565.
-- Guilhem Moulin <guilhem@guilhem.org> Sun, 19 Feb 2017 13:08:41 +0100
diff --git a/lacme b/lacme
index 75c1465..b654c7d 100755
--- a/lacme
+++ b/lacme
@@ -147,14 +147,10 @@ sub gen_csr(%) {
"[ req_distinguished_name ]\n",
"[ v3_req ]\n",
- # XXX Golang errors on extensions marked critical
- # https://github.com/letsencrypt/boulder/issues/565
- #"basicConstraints = critical, CA:FALSE\n",
- "basicConstraints = CA:FALSE\n",
+ "basicConstraints = critical, CA:FALSE\n",
"subjectKeyIdentifier = hash\n"
);
- #$config->print("keyUsage = critical, $args{keyUsage}\n") if defined $args{keyUsage};
- $config->print("keyUsage = $args{keyUsage}\n") if defined $args{keyUsage};
+ $config->print("keyUsage = critical, $args{keyUsage}\n") if defined $args{keyUsage};
$config->print("subjectAltName = $args{subjectAltName}\n") if defined $args{subjectAltName};
$config->close() or die "Can't close: $!";
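Review bot: The new `keyUsage = critical, $args{keyUsage}` line writes the caller-supplied value verbatim into the OpenSSL request config, so an empty value or one containing a newline would produce a malformed or extended `[ v3_req ]` section that is now marked critical. Where `%args` is populated is not visible in this hunk, so this may already be constrained upstream; if not, an anchored check before the print would pin it down, e.g. `die "Invalid keyUsage\n" if defined $args{keyUsage} and $args{keyUsage} !~ /\A[A-Za-z]+(?:\s*,\s*[A-Za-z]+)*\z/;`. The same applies to the unchanged `subjectAltName` line below it. Since the old explanatory comment was removed, a short comment such as `# critical per RFC 5280 recommendation; accepted by Boulder since issue #565 was fixed` would record why the flag is set. The body of gen_csr starts and ends outside the hunk.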