titan-x / titan

Messaging server with mobile and browser support.
MIT License
2 stars 3 forks

Use intermediate server cert and OCSP #27

Closed soygul closed 8 years ago

soygul commented 9 years ago

Even if it complicates things, use an intermediate server cert and let the CA cert only have KeyUsageCertSign (KeyUsageDigitalSignature might also be required). Leave key encipherment, client/server validation, etc. key usage flags to the intermediate certificate.

Also, publishing a CRL and using OCSP would be useful in case a server cert is compromised.
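
The certificate layout proposed in this issue, sketched with Go's `crypto/x509` as an added example (not code from the titan or neptulon repositories). Assumptions: the helper names `must`, `issue` and `BuildAndVerify`, the subject names, RSA-2048 keys and the `example.invalid` revocation URLs are made up for illustration, and the intermediate is treated as the certificate the server presents.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep this demo short; real server code should return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue fills in a short validity window and signs tmpl for pub with the parent's key.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// BuildAndVerify issues a CertSign-only root and an intermediate holding the other usage flags.
func BuildAndVerify() (root, inter *x509.Certificate, err error) {
	rootKey, interKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign} // signs certs, nothing else
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate"},
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		OCSPServer:            []string{"http://ocsp.example.invalid"},       // placeholder URL (constructed)
		CRLDistributionPoints: []string{"http://crl.example.invalid/ca.crl"}, // placeholder URL (constructed)
	}, root, &interKey.PublicKey, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	// The intermediate must chain to the root and be acceptable for TLS server authentication.
	_, err = inter.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return root, inter, err
}

func main() {
	root, inter, err := BuildAndVerify()
	fmt.Println("root is CertSign only:", root.KeyUsage == x509.KeyUsageCertSign, "OCSP:", inter.OCSPServer, "error:", err)
}
```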

soygul commented 8 years ago

Moved to: https://github.com/neptulon/neptulon/issues/39