| -rw-r--r-- | lib/leap_cli/commands/ca.rb | 15 | 
1 files changed, 11 insertions, 4 deletions
|
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index d6fd975..c87dcea 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -267,8 +267,15 @@ module LeapCli; module Commands
   end
   #
-  # for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable.
-  # going with keyAgreement for now.
+  # For keyusage, openvpn server certs can have keyEncipherment or keyAgreement.
+  # Web browsers seem to break without keyEncipherment.
+  #
+  # * digitalSignature ==> for (EC)DHE cipher suites
+  # * keyEncipherment  ==> for plain RSA cipher suites
+  # * keyAgreement     ==> for used with DH, not RSA.
+  #
+  # I am including all three because that seems to work in all cases. I am not sure if this
+  # is the right thing to do.
   #
   # digest options: SHA512, SHA256, SHA1
   #
@@ -277,10 +284,10 @@ module LeapCli; module Commands
       "digest" => manager.provider.ca.server_certificates.digest,
       "extensions" => {
         "keyUsage" => {
-          "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"]
+          "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"]
         },
         "extendedKeyUsage" => {
-          "usage" => ["serverAuth"]
+          "usage" => ["serverAuth", "clientAuth"]
         },
         "subjectAltName" => {
           "ips" => [node.ip_address],
|
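Review bot: The new comment in the first hunk justifies asserting all three keyUsage bits only by "seems to work", and its keyAgreement bullet ("for used with DH, not RSA") is garbled and does not say whether the server key is RSA. The keyAgreement bit applies only when the certified key is itself a (static) DH/ECDH key, so on an RSA server key it grants nothing useful and only widens the declared usage. I would record the key type and mark the open question explicitly, e.g. `# * keyAgreement     ==> only for static (EC)DH keys; not applicable to RSA keys` and `# TODO: drop keyAgreement if server keys are always RSA`. The commented method starts and ends outside this hunk.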
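Review bot: The `clientAuth` value added to `extendedKeyUsage` in the second hunk is not explained anywhere in the commit; the new comment covers only `keyUsage`. With it, every server certificate issued here is also valid as a TLS client certificate, so any service that trusts this CA for client authentication would accept a server's key as a client identity (the verifying side is not visible here, so this is inferred). If no server needs to connect out with its own certificate, keep `"usage" => ["serverAuth"]`; otherwise add a comment naming the consumer, e.g. `# clientAuth: needed because <service> authenticates to peers with its server cert`. The hash literal and its enclosing method continue outside the hunk.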
