Fix: do not add keyEncipherment or keyAgreement to our TLS cert

These are not relevant for the EC key type. Signed-off-by: Volodymyr Khoroz <[email protected]>
foundriesio · Feb 13, 2024 · 39d585c · 39d585c
1 parent b900e29
commit 39d585c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/x509/bash.go b/x509/bash.go
@@ -182,7 +182,7 @@ dns=$(openssl req -text -noout -verify -in $csr | grep DNS:)
 echo "signing with dns name: $dns" 1>&2
 
 cat >server.ext <<EOF
-keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
+keyUsage=critical, digitalSignature
 extendedKeyUsage=critical, serverAuth
 subjectAltName=$dns
 EOF

diff --git a/x509/golang.go b/x509/golang.go
@@ -185,7 +185,7 @@ func genTlsCert(subject pkix.Name, dnsNames []string, pubkey crypto.PublicKey) s
 		NotAfter:     time.Now().AddDate(10, 0, 0),
 
 		IsCA:        false,
-		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
+		KeyUsage:    x509.KeyUsageDigitalSignature,
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		DNSNames:    dnsNames,
 	}