From bc210282ea3e468b9bf79878092d1b6479343c62 Mon Sep 17 00:00:00 2001
From: Tim Heckman
Date: Wed, 26 Oct 2016 12:00:08 +1300
Subject: [easyca] for intermediary add eku client/server CA

Also add DigitalSignature to certificates generated.
---
 pkg/easypki/easyca.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/easypki/easyca.go b/pkg/easypki/easyca.go
index c38a295..17d0192 100644
--- a/pkg/easypki/easyca.go
+++ b/pkg/easypki/easyca.go
@@ -67,7 +67,7 @@ func GeneratePrivateKey(path string) (*rsa.PrivateKey, error) {
 }
 
 // GenerationRequest is a struct for providing configuration to
-// GenerateCertifcate when actioning a certification generation request.
+// GenerateCertificate when actioning a certification generation request.
 type GenerationRequest struct {
 	PKIRoot string
 	Name string
@@ -120,7 +120,7 @@ func GenerateCertificate(genReq *GenerationRequest) error {
 		return fmt.Errorf("failed to generate ca serial number: %s", err)
 	}
 	genReq.Template.SerialNumber = serialNumber
-	genReq.Template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
+	genReq.Template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
 	genReq.Template.BasicConstraintsValid = true
 	genReq.Template.Issuer = genReq.Template.Subject
 	genReq.Template.AuthorityKeyId = genReq.Template.SubjectKeyId
@@ -131,10 +131,10 @@ func GenerateCertificate(genReq *GenerationRequest) error {
 		genReq.Template.MaxPathLenZero = true // doesn't force to zero
 	}
 
-	// Go performs validation not according to spec but according to the Windows
-	// Crypto API, so we add all usages to CA certs
-	// - https://github.com/hashicorp/vault/pull/852
-	genReq.Template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
+	genReq.Template.ExtKeyUsage = []x509.ExtKeyUsage{
+		x509.ExtKeyUsageClientAuth,
+		x509.ExtKeyUsageServerAuth,
+	}
 
 	caCrt = genReq.Template
 	caKey = privateKey
-- 
cgit v1.3
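Review bot: KeyUsageDigitalSignature is OR-ed into the key usage of the CA template on the changed line, but neither the hunk nor the commit message says why a CA key needs it; on a CA certificate that bit widens what the key may legitimately sign beyond certificates and CRLs (it is what typically allows the same key to sign OCSP responses or TLS handshakes), so it should be a recorded decision rather than an unexplained default. A comment above the assignment such as `// DigitalSignature lets the CA key sign more than certs/CRLs (e.g. OCSP responses); drop it if this key should only issue.` would capture the intent for the next reader. If the bit was only meant for leaf certificates, as "certificates generated" in the subject could be read, it belongs on the non-CA path instead; I cannot tell from the context lines alone, since the surrounding `Issuer = Subject` and `AuthorityKeyId = SubjectKeyId` assignments suggest a self-signed template while the subject line says intermediary. GenerateCertificate starts and ends outside this hunk.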
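Review bot: The CA template's EKU is narrowed from ExtKeyUsageAny to ClientAuth and ServerAuth, and the removed comment that explained why Any was used (crypto/x509 requires a leaf's EKU to be permitted by every certificate in its chain) is deleted with no replacement, so the consequence is now undocumented: a leaf issued by this CA with any other EKU (code signing, email protection, OCSP signing) will fail Go chain verification. Treating the CA as TLS-only is a defensible least-privilege constraint, but it should be stated at the assignment and, since the rest of the template comes from genReq, it is probably better applied only when the caller set nothing, e.g. `if len(genReq.Template.ExtKeyUsage) == 0 {` around the new assignment. Suggested comment: `// Restrict this CA to TLS client/server leaves; crypto/x509 rejects a leaf whose EKU the chain does not permit, so widen this (or use ExtKeyUsageAny) before issuing other kinds.` GenerateCertificate starts and ends outside this hunk.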