Feature Request - Adding Key Attributes to CSR (SCEP Client)

[brokoler]

Hello,

I would like to ask if it is possible to add specific Key Usage and Extended Key Usage attributes to the CSR generated by the SCEP client.
For example I would like to add the Key Usage option "CRL Sign" and "Certificate Sign".

From my testings following attributes are set with the default CSR generated by the Go SCEP client:

Would be great if the Go SCEP client would add multiple configuration parameters to set the values.
As long this is not possible, is the client compatible to a manually generated CSR?

Reason for my request: I'm using Aruba Clearpass as a SCEP server which is working with the client application, but it's not possible to set the Key Usage attributes for clients on my CA itself.

Best regards

[brokoler]

Alternatively would it be possible to add following parameter?

-existing-csr string
path to existing csr, which is used for SCEP request

I only see the option to import an existing private-key

[avanide]

Hi,
Did you find a solution? I would like to change the key usage too.
I see the client has an option "-certificate string". Could it be used to create the certificate "by hand" before requesting the signature (CSR)?

[jessepeterson]

I'd recommend taking a look at smallstep's CA: https://github.com/smallstep/certificates

Thanks!