From 75dc93db016862d17cd14d61b115aab53bfe183c Mon Sep 17 00:00:00 2001
From: Roland Bracewell Shoemaker
Date: Thu, 27 Aug 2020 13:40:16 -0700
Subject: [PATCH] Document EKU inclusion (#5055)
---
 cmd/ceremony/README.md | 2 ++
 cmd/ceremony/cert.go | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/cmd/ceremony/README.md b/cmd/ceremony/README.md
index aa6ff2869..cb2431e73 100644
--- a/cmd/ceremony/README.md
+++ b/cmd/ceremony/README.md
@@ -129,6 +129,8 @@ certificate-profile:
 This config generates an intermediate certificate signed by a key in the HSM, identified by the object label `root signing key` and the object ID `ffff`. The subject key used is taken from `/home/user/intermediate-signing-pub.pem` and the issuer is `/home/user/root-cert.pem`, the resulting certificate is written to `/home/user/intermediate-cert.pem`.
+Note: Intermediate certificates always include the extended key usages id-kp-serverAuth as required by 7.1.2.2.g of the CABF Baseline Requirements. Since we also include id-kp-clientAuth in end-entity certificates in boulder we also include it in intermediates, if this changes we may remove this inclusion.
+
 ### OCSP Signing Certificate ceremony
 - `ceremony-type`: string describing the ceremony type, `ocsp-signer`.
diff --git a/cmd/ceremony/cert.go b/cmd/ceremony/cert.go
index 276e81346..8e596d7bd 100644
--- a/cmd/ceremony/cert.go
+++ b/cmd/ceremony/cert.go
@@ -272,6 +272,11 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct
 case crlCert:
 cert.IsCA = false
 case intermediateCert:
+ // id-kp-serverAuth and id-kp-clientAuth are included in intermediate
+ // certificates in order to technically constrain them. id-kp-serverAuth
+ // is required by 7.1.2.2.g of the CABF Baseline Requirements, but
+ // id-kp-clientAuth isn't. We include id-kp-clientAuth as we also include
+ // it in our end-entity certificates.
 cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
 cert.MaxPathLenZero = true
 }
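Review bot: The new comment says the two EKUs are there "in order to technically constrain" the intermediate, but RFC 5280 defines extKeyUsage for the certificate it appears in and does not specify that a CA's EKU bounds the EKUs of certificates it issues; the constraint exists only because verifiers (browser root programs following the CABF Baseline Requirements, and Go's own crypto/x509 chain verification) apply EKU chaining, so the comment should say where the constraint is enforced. I would add after the existing comment: `// RFC 5280 does not define EKU chaining; the constraint is enforced by relying-party` / `// policy (CABF BRs, root programs), so this list must stay a superset of the EKUs` / `// issued to end-entity certificates.` The reference to 7.1.2.2.g should also name the BR version it was checked against, since section numbering shifts between revisions of that document. makeTemplate begins and ends outside this hunk.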