fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

SCEP certificate validation fails when a custom certificate with ext key usages is provided #22158

Closed roperzh closed 1 month ago

roperzh commented 1 month ago

Fleet version: 4.56.0


💥  Actual behavior

🧑‍💻  Steps to reproduce

1. Create a keypair that reproduces the issue

First, create a file openssl.conf with this content:

[ req ]
default_bits       = 2048
default_md         = sha256
default_keyfile    = key.pem
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = Test JSS Built-in Certificate Authority

[ v3_ca ]
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
extendedKeyUsage = serverAuth

Afterwards, create the keypair by running:

$ openssl req -x509 -new -nodes -keyout privatekey.pem -out certificate.pem -days 3650 -config openssl.conf

2. Configure Fleet to use the keypair as the SCEP keypair

  1. Ensure your mdm_config_assets table is empty
  2. Set FLEET_MDM_APPLE_SCEP_CERT_BYTES to the value of certificate.pem
  3. Set FLEET_MDM_APPLE_SCEP_KEY_BYTES to the value of privatekey.pem

3. Try to turn on MDM for a host
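Fleet's SCEP server is written in Go, and Go's crypto/x509 chain verification requires every certificate in the chain, the CA included, to permit the extended key usage the verifier asks for. The following is an added example, not Fleet's code and not a diagnosis of this issue's root cause: it rebuilds the CA described by the openssl.conf above in memory (P-256 instead of RSA-2048 for speed, plus a hypothetical "device-0001" client-auth leaf) and shows that a CA carrying only extendedKeyUsage = serverAuth makes verification for clientAuth fail with "incompatible key usage", while the same CA without an EKU, or a verifier asking for ExtKeyUsageAny, passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildChain mirrors the openssl.conf from the issue (keyUsage digitalSignature, keyEncipherment,
// cRLSign, keyCertSign; CA:TRUE; caEKU as extendedKeyUsage) and issues a hypothetical client-auth leaf.
func buildChain(caEKU []x509.ExtKeyUsage) (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // P-256 instead of RSA-2048, for speed
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Test JSS Built-in Certificate Authority"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(3650 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
		ExtKeyUsage:  caEKU, BasicConstraintsValid: true, IsCA: true,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{ // constructed device identity, as an MDM enrollment cert would be
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-0001"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// verifyLeaf builds a chain from leaf to ca for the requested usages. Go requires every certificate
// in the chain, the CA included, to permit the requested EKU; ExtKeyUsageAny skips that check.
func verifyLeaf(ca, leaf *x509.Certificate, usages []x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: usages})
	return err
}
```

Running verifyLeaf against the PEM you actually deploy (parse it with x509.ParseCertificate after pem.Decode) is a quick way to see which EKUs a custom SCEP CA will constrain before turning MDM on.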

PezHub commented 1 month ago

QA Notes:

I was able to create the key pair and start my server using the instructions mentioned above. I successfully enrolled my host and turned on MDM. [Screenshot 2024-09-18 at 9:34:15 AM]

I was able to push a config profile to the host and send an MDM command successfully.

fleet-release commented 1 month ago

Custom keys in use, Fleet adapts, certifies truth, Safeguarding each host.