added x509.KeyUsageDataEncipherment to client certs to enable s/mime
ps-spb committed Jul 4, 2023
1 parent 53746a9 commit 03ff2d5
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions depot/signer.go
Expand Up @@ -117,7 +117,7 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
NotBefore: time.Now().Add(time.Second * -600).UTC(),
NotAfter: time.Now().AddDate(0, 0, s.validityDays).UTC(),
SubjectKeyId: id,
KeyUsage: x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageDataEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageEmailProtection,
Expand All @@ -128,7 +128,8 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
IPAddresses: m.CSR.IPAddresses,
URIs: m.CSR.URIs,
}

// if wanting to perform s/mime encryption too, you'll need to enable the serverAttrs flag via
// -sign-server-attrs true, or SCEP_SIGN_SERVER_ATTRS env variable
if s.serverAttrs {
tmpl.KeyUsage |= x509.KeyUsageDataEncipherment | x509.KeyUsageKeyEncipherment
tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
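Review bot: The `x509.KeyUsageDataEncipherment` bit added to the template's `KeyUsage` is now set on every certificate `SignCSR` issues, yet it is not the usage S/MIME encryption relies on. RFC 5280 reserves dataEncipherment for directly enciphering user data, while S/MIME key transport with RSA needs keyEncipherment (keyAgreement for EC keys), which is still only set inside `if s.serverAttrs`. The added comment concedes this, and following it also appends `x509.ExtKeyUsageServerAuth`, so a client certificate wanted only for mail encryption carries a broader purpose than it needs. I would leave the template at `KeyUsage: x509.KeyUsageDigitalSignature,` and put the encryption usage behind its own opt-in, separate from `serverAttrs`, e.g. `tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment`, chosen according to the CSR's key type. `SignCSR` begins and ends outside the visible hunks, so any later adjustment to `tmpl` cannot be seen here.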
