Todo #9868

Add clientAuth EKU to Server type certificates

Added by Jim Pingle 3 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Low
Assignee:
Category: Certificates
Target version:
Start date: 10/31/2019
Due date:
% Done: 100%
Estimated time:

Description

Some cases may require a server certificate to be used to authenticate a server (to client) and authenticate as a client (to another server). Currently, server certificates only include the serverAuth EKU, but both may be present.

Additionally, the ISRG-CPS-v2.6 standard followed by Let's Encrypt contains both for end entity certificates.

Looking at some other standards like RFC 5280 (EKU), RFC 5216/RFC 5281 (EAP-[T]TLS) they all mention things in a permissive way, meaning that the presence of specific values enables uses. I don't see anything that would exclude or fail based on the presence of an EKU.

Associated revisions

Revision 46869dd2 (diff)
Added by Jim Pingle 3 months ago

Add clientAuth EKU to Server type certificates. Fixes #9868

Revision 58b2334f (diff)
Added by Jim Pingle 2 months ago

Add clientAuth EKU to Server type certificates. Fixes #9868

(cherry picked from commit 46869dd2b5ebf32e8297d65f98444fb38d314336)

History

#1 Updated by Jim Pingle 3 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Viktor Gurov 2 months ago

Jim Pingle wrote:

Applied in changeset 46869dd2b5ebf32e8297d65f98444fb38d314336.

Tested on 2.5.0.a.20191109.1723

Resolved -

Serial: 11
Signature Digest: RSA-SHA256
SAN: DNS:servertest, IP Address:192.168.1.1
KU: Digital Signature, Key Encipherment
EKU: TLS Web Server Authentication, TLS Web Client Authentication, IP Security IKE Intermediate
Key Type: RSA
Key Size: 2048
DN: /CN=servertest
...

#3 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to Resolved

#4 Updated by Jim Pingle about 2 months ago

  • Target version changed from 2.5.0 to 2.4.5

#5 Updated by Jim Pingle about 2 months ago

  • Status changed from Resolved to Feedback

Needs checked and/or tested again on 2.4.5 snapshots

#6 Updated by Viktor Gurov about 2 months ago

Jim Pingle wrote:

Needs checked and/or tested again on 2.4.5 snapshots

tested on 2.4.5.a.20191205.1442_3:
...
EKU: TLS Web Server Authentication, TLS Web Client Authentication, IP Security IKE Intermediate

ok, Resolved

#7 Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to Resolved
