> When debugging another issue, I found that my test Registrar had stopped
> being able to connect to my MASA. Some upgrades to OpenSSL and Apache meant
> that one of those two decided the Extended Key Usage for the client
> certificates had better be right.
> What I found:
> 1) If there is no EKU, then it's all okay.
> 2) If there is an EKU, and it contains only cmcRA, then it is rejected.
> 3) If I add "clientAuth" EKU, then it works.
> Consequence for a Registrar server, that MUST have id-kp-cmcRA set, is
> that it also needs id-kp-serverAuth set in the EKU. Older DTLS 1.2
> stacks for example may not check EKU yet in such a way (e.g. an older
> Scandium I used did not check) but I expect newer 1.2/1.3 stacks to
> check EKU.