From 4a63e8c258025f91f4f3e37385fe2dfc0fc579ad Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 11 Dec 2012 02:19:27 -0800
Subject: add keyEncipherment to server certs

---
 lib/leap_cli/commands/ca.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb
index d6fd975..c87dcea 100644
--- a/lib/leap_cli/commands/ca.rb
+++ b/lib/leap_cli/commands/ca.rb
@@ -267,8 +267,15 @@ module LeapCli; module Commands
 end
 
 #
- # for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable.
- # going with keyAgreement for now.
+ # For keyusage, openvpn server certs can have keyEncipherment or keyAgreement.
+ # Web browsers seem to break without keyEncipherment.
+ #
+ # * digitalSignature ==> for (EC)DHE cipher suites
+ # * keyEncipherment ==> for plain RSA cipher suites
+ # * keyAgreement ==> for used with DH, not RSA.
+ #
+ # I am including all three because that seems to work in all cases. I am not sure if this
+ # is the right thing to do.
 #
 # digest options: SHA512, SHA256, SHA1
 #
@@ -277,10 +284,10 @@ module LeapCli; module Commands
 "digest" => manager.provider.ca.server_certificates.digest,
 "extensions" => {
 "keyUsage" => {
- "usage" => ["digitalSignature", "keyAgreement"]
+ "usage" => ["digitalSignature", "keyEncipherment", "keyAgreement"]
 },
 "extendedKeyUsage" => {
- "usage" => ["serverAuth"]
+ "usage" => ["serverAuth", "clientAuth"]
 },
 "subjectAltName" => {
 "ips" => [node.ip_address],
-- 
cgit v1.2.3
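Review bot: The second hunk also adds `"clientAuth"` to extendedKeyUsage, and neither the subject line nor the comment block rewritten in the first hunk explains why; a server certificate carrying clientAuth satisfies peer checks that require a client EKU (OpenVPN's `remote-cert-tls client`, for example), so a leaked server key could then be presented as a client identity to anything that trusts this CA. If server nodes genuinely have to act as TLS clients, say so next to the other keyusage notes, e.g. `# clientAuth: servers also connect as TLS clients to <reason — fill in>`; otherwise keep `"usage" => ["serverAuth"]` and make the clientAuth change a separate, explained commit. The keyUsage change itself matches the commit's intent, though keyAgreement only has meaning for DH/ECDH public keys, so on an RSA key it is inert rather than helpful, which the new comment could state instead of "not sure if this is the right thing to do". The method containing these hashes starts and ends outside both hunks.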