Document EKU inclusion (#5055)

2020-08-27 13:40:16 -07:00 · 2020-08-27 13:40:16 -07:00 · 75dc93db01
parent 1d31d60450
commit 75dc93db01
2 changed files with 7 additions and 0 deletions
--- a/cmd/ceremony/README.md
+++ b/cmd/ceremony/README.md
@ -129,6 +129,8 @@ certificate-profile:

 This config generates an intermediate certificate signed by a key in the HSM, identified by the object label `root signing key` and the object ID `ffff`. The subject key used is taken from `/home/user/intermediate-signing-pub.pem` and the issuer is `/home/user/root-cert.pem`, the resulting certificate is written to `/home/user/intermediate-cert.pem`.

+Note: Intermediate certificates always include the extended key usages id-kp-serverAuth as required by 7.1.2.2.g of the CABF Baseline Requirements. Since we also include id-kp-clientAuth in end-entity certificates in boulder we also include it in intermediates, if this changes we may remove this inclusion.
+
 ### OCSP Signing Certificate ceremony

 - `ceremony-type`: string describing the ceremony type, `ocsp-signer`.
--- a/cmd/ceremony/cert.go
+++ b/cmd/ceremony/cert.go
@ -272,6 +272,11 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct
 	case crlCert:
 		cert.IsCA = false
 	case intermediateCert:
+		// id-kp-serverAuth and id-kp-clientAuth are included in intermediate
+		// certificates in order to technically constrain them. id-kp-serverAuth
+		// is required by 7.1.2.2.g of the CABF Baseline Requirements, but
+		// id-kp-clientAuth isn't. We include id-kp-clientAuth as we also include
+		// it in our end-entity certificates.
 		cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
 		cert.MaxPathLenZero = true
 	}