Add clientAuth EKU to Server type certificates
Some cases may require a server certificate to be used to authenticate a server (to client) and authenticate as a client (to another server). Currently, server certificates only include the serverAuth EKU, but both may be present.
Additionally, the ISRG-CPS-v2.6 standard followed by Let's Encrypt contains both for end entity certificates.
Looking at some other standards like RFC 5280 (EKU) and RFC 5216/RFC 5281 (EAP-[T]TLS), they all mention things in a permissive way, meaning that the presence of specific values enables uses. I don't see anything that would exclude or fail based on the presence of an EKU.
#2 Updated by Viktor Gurov 2 months ago
Jim Pingle wrote:
Applied in changeset 46869dd2b5ebf32e8297d65f98444fb38d314336.
Tested on 2.5.0.a.20191109.1723
Signature Digest: RSA-SHA256
SAN: DNS:servertest, IP Address:192.168.1.1
KU: Digital Signature, Key Encipherment
EKU: TLS Web Server Authentication, TLS Web Client Authentication, IP Security IKE Intermediate
Key Type: RSA
Key Size: 2048
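
To check a certificate for the EKU combination discussed in this issue, the following added example (not part of the tracker thread and not pfSense code) decodes the DER value of an extendedKeyUsage extension and applies the permissive rule that a listed purpose enables that use. The function names and the sample byte strings are constructed for illustration; 1.3.6.1.5.5.8.2.2 is assumed to be the OID behind the "IP Security IKE Intermediate" label in the test output above.

```python
# Added example (not pfSense code): decode an extendedKeyUsage value and test purposes.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # TLS Web Server Authentication
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # TLS Web Client Authentication
# Constructed samples: serverAuth only; serverAuth + clientAuth + 1.3.6.1.5.5.8.2.2
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_SERVER_CLIENT = bytes.fromhex("301e06082b0601050507030106082b0601050507030206082b06010505080202")

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:
            continue  # more base-128 digits follow
        if not arcs:  # first subidentifier encodes arc1 * 40 + arc2
            arcs.append(min(value // 40, 2))
            value -= 40 * arcs[0]
        arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Decode ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) into OID strings."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids

def allows(eku_oids, purpose):
    """None means no EKU extension (unrestricted); else the purpose must be listed."""
    return eku_oids is None or purpose in eku_oids
```

A server-only certificate fails the clientAuth check, while one carrying both OIDs passes both checks, and the extra IKE OID does not affect either result.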