Simplify KU, EKU, and SKID fields of issued certs

letsencrypt · Aug 20, 2024 · 2b72a11 · 2b72a11
1 parent 17d64a3
commit 2b72a11
Showing 1 changed file with 7 additions and 12 deletions.
diff --git a/ca/ca.go b/ca/ca.go
@@ -108,7 +108,7 @@ func makeKey() (*rsa.PrivateKey, []byte, error) {
 	return key, ski, nil
 }
 
-func (ca *CAImpl) makeRootCert(
+func (ca *CAImpl) makeCACert(
 	subjectKey crypto.Signer,
 	subject pkix.Name,
 	subjectKeyID []byte,
@@ -122,7 +122,7 @@ func (ca *CAImpl) makeRootCert(
 		NotAfter:     time.Now().AddDate(30, 0, 0),
 
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		SubjectKeyId:          subjectKeyID,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
@@ -175,7 +175,7 @@ func (ca *CAImpl) newRootIssuer(name string) (*issuer, error) {
 	subject := pkix.Name{
 		CommonName: rootCAPrefix + name,
 	}
-	rc, err := ca.makeRootCert(rk, subject, subjectKeyID, nil)
+	rc, err := ca.makeCACert(rk, subject, subjectKeyID, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -192,7 +192,7 @@ func (ca *CAImpl) newIntermediateIssuer(root *issuer, intermediateKey crypto.Sig
 		return nil, errors.New("internal error: root must not be nil")
 	}
 	// Make an intermediate certificate with the root issuer
-	ic, err := ca.makeRootCert(intermediateKey, subject, subjectKeyID, root)
+	ic, err := ca.makeCACert(intermediateKey, subject, subjectKeyID, root)
 	if err != nil {
 		return nil, err
 	}
@@ -257,18 +257,14 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
 	if len(domains) == 0 && len(ips) == 0 {
 		return nil, errors.New("must specify at least one domain name or IP address")
 	}
+	var err error
 
 	defaultChain := ca.chains[0].intermediates
 	if len(defaultChain) == 0 || defaultChain[0].cert == nil {
 		return nil, errors.New("cannot sign certificate - nil issuer")
 	}
 	issuer := defaultChain[0]
 
-	subjectKeyID, err := makeSubjectKeyID(key)
-	if err != nil {
-		return nil, fmt.Errorf("cannot create subject key ID: %s", err.Error())
-	}
-
 	certNotBefore := time.Now()
 	if notBefore != "" {
 		certNotBefore, err = time.Parse(time.RFC3339, notBefore)
@@ -297,9 +293,8 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
 		NotBefore:    certNotBefore,
 		NotAfter:     certNotAfter,
 
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		SubjectKeyId:          subjectKeyID,
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		ExtraExtensions:       extensions,
 		BasicConstraintsValid: true,
 		IsCA:                  false,