kairoaraujo / goca

Golang Certificate Authority (CA) package
MIT License

excessive extension usage on CA certificates #24

Open necheffa opened 2 years ago

necheffa commented 2 years ago

When GoCA generates a certificate authority (either root or intermediate) the TLS Web Client Authentication and TLS Web Server Authentication extensions are set. CA certificates should be limited to CA activities (Digital Signature, Certificate Sign, CRL Sign).

This behavior can be validated via visual inspection of a certificate with the OpenSSL command: openssl x509 -noout -text -in myca.crt

necheffa commented 2 years ago

cert.CreateCACert() appears to be where we set up the usage extensions for CA certificates. Should just be a matter of pruning excessive uses from the ExtKeyUsage and KeyUsage fields.

I want to do some more research to make sure our extension selection meets best practices and to design a test case or two.
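As an added illustration (not GoCA's code, and newSelfSignedCA is a hypothetical helper rather than cert.CreateCACert), this is what a crypto/x509 CA template restricted to CA duties looks like, plus a check that flags the excess usages the openssl inspection above would reveal:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caKeyUsage is all a CA certificate needs: Digital Signature, Certificate Sign, CRL Sign.
const caKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
// newSelfSignedCA (hypothetical helper, not GoCA's API) issues a self-signed CA whose template
// carries only the three CA key-usage bits and no ExtKeyUsage, then parses it back.
func newSelfSignedCA(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed sample serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              caKeyUsage,
		// ExtKeyUsage deliberately left empty: no TLS Web Server/Client Authentication.
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// excessiveCAUsages reports why a parsed CA certificate is over-privileged: key-usage bits
// beyond caKeyUsage, or any Extended Key Usage at all. An empty result means it is clean.
func excessiveCAUsages(c *x509.Certificate) []string {
	var findings []string
	if c.KeyUsage&^caKeyUsage != 0 {
		findings = append(findings, "key usage bits beyond DigitalSignature/CertSign/CRLSign")
	}
	if len(c.ExtKeyUsage) > 0 {
		findings = append(findings, "extended key usages (e.g. TLS server/client auth) set on a CA")
	}
	return findings
}
```

Running excessiveCAUsages over a certificate parsed from an existing CA file is a cheap regression test for the pruning described in the comment above.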