Commit 3c0d63c3 authored by Gari Singh

Explicitly set ext key usage for CA



The generated CA certificates currently
contain anyExtendedKeyUsage in their
Extended Key Usage attributes.  This is
actually not allowed and is now enforced by
openssl 1.1 and later.

This change explicitly adds only ClientAuth
and ServerAuth to the CA's Extended Key
Usage attributes.

FAB-13439 #done

Change-Id: Ia2586563bd46c2978704999d1d9307d110bbcc98
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
parent 7d09ca64
......@@ -59,7 +59,10 @@ func NewCA(baseDir, org, name, country, province, locality, orgUnit, streetAddre
template.KeyUsage |= x509.KeyUsageDigitalSignature |
x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign |
x509.KeyUsageCRLSign
template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
template.ExtKeyUsage = []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth,
}
//set the organization for the subject
subject := subjectTemplateAdditional(country, province, locality, orgUnit, streetAddress, postalCode)
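Review bot: the new `template.ExtKeyUsage` assignment in NewCA has no comment saying why the CA is limited to ClientAuth and ServerAuth, and the restriction has a consequence worth recording next to it. Verifiers that treat a CA's Extended Key Usage as a constraint on the whole chain (Go's crypto/x509 does) will fail a chain through this CA when it is verified for any other purpose, which `x509.ExtKeyUsageAny` previously permitted. Suggest a short comment above the assignment stating that anyExtendedKeyUsage was dropped on purpose and that certificates issued under this CA are expected to need only client and server authentication, plus a test that parses the generated CA certificate and asserts its ExtKeyUsage is exactly those two values so the old setting cannot return unnoticed.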
......