FiloSottile / mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.
https://mkcert.dev
BSD 3-Clause "New" or "Revised" License

Missing Extended Key Usage #504

Open efa2d19 opened 1 year ago

efa2d19 commented 1 year ago

Environment

What you did

What went wrong

Basically nothing, everything still works fine, but Proxyman always throws an error in my face at launch.

It turns out that EKU is required for macOS ≥10.15 (link to Apple article).


lublak commented 1 year ago

@Drugsosos I think only ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, should also work. Based on this description: "TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID."

goldstar611 commented 1 year ago

I think you just skipped a step of generating a leaf cert after you generated the CA cert because it kind of looks like you're using your root CA as your server certificate.

You'll find x509.ExtKeyUsageServerAuth in both makeCert and makeCertFromCSR.
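
To tell the two cases in this thread apart (a root CA presented as the server certificate versus a leaf that really lacks the EKU), the certificate can be inspected with Go's crypto/x509. This is an added example, not mkcert's code and not part of any comment above; `checkServerCert` and `selfSign` are hypothetical names, and the certificates are constructed, self-signed Ed25519 test certificates because the check looks at neither issuer nor key type.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// checkServerCert lists why c fails the TLS server requirement quoted in the thread.
func checkServerCert(c *x509.Certificate) (problems []string) {
	if c.IsCA {
		problems = append(problems, "CA certificate presented as a leaf")
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return problems
		}
	}
	return append(problems, "EKU lacks id-kp-serverAuth")
}

// selfSign builds a constructed, self-signed demo certificate (hypothetical helper).
func selfSign(isCA, serverAuth bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 3, 0), IsCA: isCA, BasicConstraintsValid: true}
	if serverAuth {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	root, err := selfSign(true, false)  // root CA: CA bit set, no EKU
	leaf, err2 := selfSign(false, true) // leaf carrying id-kp-serverAuth
	if err != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println("root:", checkServerCert(root), "leaf:", checkServerCert(leaf))
}
```

For a certificate already on disk, decode the PEM block and pass its bytes to `x509.ParseCertificate` before calling the check.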