PenaDevops/mkcert
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Simplify EKU logic

Browse Source 
With -client, you get clientAuth. With a non-email SAN, you also get
serverAuth. With an email SAN, you also get emailProtection.
This commit is contained in:
Filippo Valsorda 2020-10-27 12:51:28 +01:00
parent 9f583c670f
commit e28ee7df01
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
cert.go
View File

@ -68,11 +68,9 @@ func (m *mkcert) makeCert(hosts []string) {
OrganizationalUnit: []string{userAndHostname}, OrganizationalUnit: []string{userAndHostname},
}, },
NotAfter: expiration, NotBefore: time.Now(), NotAfter: expiration,
NotBefore: time.Now(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
} }
for _, h := range hosts { for _, h := range hosts {
@ -88,9 +86,10 @@ func (m *mkcert) makeCert(hosts []string) {
} }
if m.client { if m.client {
tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
} else if len(tpl.IPAddresses) > 0 || len(tpl.DNSNames) > 0 { }
tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} if len(tpl.IPAddresses) > 0 || len(tpl.DNSNames) > 0 || len(tpl.URIs) > 0 {
tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
} }
if len(tpl.EmailAddresses) > 0 { if len(tpl.EmailAddresses) > 0 {
tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageEmailProtection) tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageEmailProtection)