kairoaraujo / goca

Golang Certificate Authority (CA) package
MIT License

excessive extension usage on CA certificates #24

Open necheffa opened 1 year ago

necheffa commented 1 year ago

When GoCA generates a certificate authority (either root or intermediate) the TLS Web Client Authentication and TLS Web Server Authentication extensions are set. CA certificates should be limited to CA activities (Digital Signature, Certificate Sign, CRL Sign).

This behavior can be validated via visual inspection of a certificate with the OpenSSL command: openssl x509 -noout -text -in myca.crt

necheffa commented 1 year ago

cert.CreateCACert() appears to be where we set up the usage extensions for CA certificates. Should just be a matter of pruning excessive uses from the ExtKeyUsage and KeyUsage fields.

I want to do some more research to make sure our extension selection meets best practices and to design a test case or two.
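As an added example (not GoCA's code, and not a patch to cert.CreateCACert()), the constrained CA template the issue asks for, next to an audit that reports the TLS EKUs and stray KeyUsage bits on a parsed CA certificate; newCACert and excessiveCAUsage are hypothetical names, and the CA set is the one named in the first comment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const caKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CA-only set from the issue

// newCACert self-signs a CA limited to caKeyUsage; TLS EKUs passed in extra reproduce the
// reported behaviour, none gives the constrained form. Example code, not GoCA's CreateCACert.
func newCACert(extra ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              caKeyUsage,
		ExtKeyUsage:           extra, // nil omits the extension entirely
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so the audit sees the encoded extensions
}

// excessiveCAUsage returns every EKU a CA carries (none belongs on a CA) and its
// KeyUsage bits outside caKeyUsage; nil and 0 mean the certificate is clean.
func excessiveCAUsage(c *x509.Certificate) ([]x509.ExtKeyUsage, x509.KeyUsage) {
	if !c.IsCA {
		return nil, 0 // end-entity certificate: the CA rule does not apply
	}
	return c.ExtKeyUsage, c.KeyUsage &^ caKeyUsage
}

func main() {
	c, err := newCACert(x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	if err != nil {
		panic(err)
	}
	fmt.Println(excessiveCAUsage(c)) // [1 2] 0: both TLS EKUs flagged, no stray KeyUsage bits
}
```

The same audit can be run over a CA certificate loaded with x509.ParseCertificate, which is the programmatic counterpart of inspecting the output of openssl x509 -noout -text.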