authorTim Heckman <t@heckman.io>2016-10-26 12:00:08 +1300
committerTim Heckman <t@heckman.io>2016-10-25 17:15:09 -0700
commitbc210282ea3e468b9bf79878092d1b6479343c62 (patch)
tree91d4ece37cb8cd5ae4f63878e16e9b665462554c
parent21b2160d55455afcbcf4799cdc2c74db83b69980 (diff)
downloadeasypki-bc210282ea3e468b9bf79878092d1b6479343c62.tar.xz
[easyca] for intermediary add eku client/server CA
Also add DigitalSignature to certificates generated.
-rw-r--r--pkg/easypki/easyca.go12
1 files changed, 6 insertions, 6 deletions
diff --git a/pkg/easypki/easyca.go b/pkg/easypki/easyca.go
index c38a295..17d0192 100644
--- a/pkg/easypki/easyca.go
+++ b/pkg/easypki/easyca.go
@@ -67,7 +67,7 @@ func GeneratePrivateKey(path string) (*rsa.PrivateKey, error) {
}
// GenerationRequest is a struct for providing configuration to
-// GenerateCertifcate when actioning a certification generation request.
+// GenerateCertificate when actioning a certification generation request.
type GenerationRequest struct {
PKIRoot string
Name string
@@ -120,7 +120,7 @@ func GenerateCertificate(genReq *GenerationRequest) error {
return fmt.Errorf("failed to generate ca serial number: %s", err)
}
genReq.Template.SerialNumber = serialNumber
- genReq.Template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
+ genReq.Template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
genReq.Template.BasicConstraintsValid = true
genReq.Template.Issuer = genReq.Template.Subject
genReq.Template.AuthorityKeyId = genReq.Template.SubjectKeyId
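Review bot: The new `KeyUsage` line grants the CA key `x509.KeyUsageDigitalSignature` without recording what it is expected to sign beyond certificates and CRLs. The assignment sits on what looks like the self-issued CA path (`Issuer = Subject`, the "ca serial number" error), while the description speaks of "certificates generated", so it is worth confirming the bit was meant for the CA and not only for leaf certificates. If the intent is for the CA key to sign OCSP responses directly, a comment such as `// DigitalSignature: CA key also signs OCSP responses; CertSign/CRLSign cover certs and CRLs` would document it; otherwise `x509.KeyUsageCertSign | x509.KeyUsageCRLSign` is the narrower grant for a CA key. GenerateCertificate starts and ends outside the hunk.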
@@ -131,10 +131,10 @@ func GenerateCertificate(genReq *GenerationRequest) error {
genReq.Template.MaxPathLenZero = true // doesn't force to zero
}
- // Go performs validation not according to spec but according to the Windows
- // Crypto API, so we add all usages to CA certs
- // - https://github.com/hashicorp/vault/pull/852
- genReq.Template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
+ genReq.Template.ExtKeyUsage = []x509.ExtKeyUsage{
+ x509.ExtKeyUsageClientAuth,
+ x509.ExtKeyUsageServerAuth,
+ }
caCrt = genReq.Template
caKey = privateKey
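Review bot: The `ExtKeyUsage` list now set on the CA template is an undocumented constraint: the removed comment explained that Go and the Windows Crypto API apply a CA's EKU to the certificates beneath it, and that still holds for the narrower list. With only `x509.ExtKeyUsageClientAuth` and `x509.ExtKeyUsageServerAuth`, leaves issued under this CA for any other purpose (code signing, e-mail protection, a delegated OCSP responder) would likely fail chain validation in those verifiers. That is a reasonable least-privilege choice, but it should be stated next to the assignment, e.g. `// EKU on a CA is applied down the chain by Go and Windows CryptoAPI verifiers: this CA can only issue client/server auth leaves.` The title says the change targets intermediates, yet `caCrt = genReq.Template` just below suggests this branch may also cover a self-signed CA; the enclosing branch begins outside the hunk, so confirm which CAs receive the restriction.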