diff --git a/dnssec-trigger-0.17-openssl-3.2.patch b/dnssec-trigger-0.17-openssl-3.2.patch
new file mode 100644
index 0000000..d1b9474
--- /dev/null
+++ b/dnssec-trigger-0.17-openssl-3.2.patch
@@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
++++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+ 
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
++openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
++# create trusted usage pem for CA, what are signed certs allowed to do?
++openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+ 
+ # create client request and sign it, piped
+ cat >request.cfg <<EOF
+-- 
+2.46.0
+
diff --git a/dnssec-trigger-0.17-server-recipe.patch b/dnssec-trigger-0.17-server-recipe.patch
new file mode 100644
index 0000000..a3f70d8
--- /dev/null
+++ b/dnssec-trigger-0.17-server-recipe.patch
@@ -0,0 +1,59 @@
+From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
+---
+ dnssec.conf     | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
++++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ #  - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
++# validate_connection_provided_zones=no
+ #
+ #  - Connection provided zones will be configured in Unbound as secure forward
+ #    zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ #    Turning this option off has security implications, See the security
+ #    notice above.
+ #
+-validate_connection_provided_zones=yes
++validate_connection_provided_zones=no
+ 
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
++++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ 
++# How to add your own record:
++# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
++# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
++# Append returned sha256 Fingerprint after ssl443: IP-address section.
++
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+ 
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+ 
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+-- 
+2.47.0
+
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index 422708c..9928104 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -33,6 +33,9 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
 Patch5: dnssec-trigger-configure-c99.patch
 # https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
 Patch6: dnssec-trigger-0.17-allowed-characters.patch
+Patch7: dnssec-trigger-0.17-openssl-3.2.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/15
+Patch8: dnssec-trigger-0.17-server-recipe.patch
 
 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22