Hi,

> I'm guessing this has been already asked, I searched the archives to no avail.

No, as far as I am concerned I have never seen this requirement before.

> I generate my CSR with key usage information “DigitalSignature” and “Key 
> encipherment” (using OpenSSL API).
> But when I get my enrolled certificate I have a new key usage “key agreement”.
> I saw it is configurable in tls_server.yaml, but is it possible to have 
> automatically and only the key usage asked by the CSR?

This is a feature, not a deficiency. By design OpenXPKI ignores most data 
supplied by the client in the CSR (with certain exceptions, such as subject, 
SANs and of course the public key) and strictly enforces the defined 
certificate issuance policy, in this case the profile properties when issuing 
the certificate. 

If certificates with the DigitalSignature and KeyEncipherment key usage bits 
should be generated, the CA designer needs to define a profile which explicitly 
sets these key usage bits and have the client reference this profile.

If a client should be able to request different types of certificates the 
client should either choose the correct profile (when using the manual request 
workflow) or provide profile information with the request when using automated 
enrollment interfaces.

Cheers

Martin



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
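
The behaviour described in the reply, reproduced with plain OpenSSL standing in for the CA (an added example, not part of the original thread and not OpenXPKI code or configuration): the signer ignores the key usage requested in the CSR and applies its own extension file, which plays the role of the profile. Subject names, file names and the extension file contents are constructed for the demo; `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: OpenSSL is a stand-in for the CA, not OpenXPKI itself.

# Print the X509v3 Key Usage value of a CSR or certificate.
# $1 = "req" (CSR) or "x509" (certificate), $2 = PEM file
key_usage() {
    openssl "$1" -in "$2" -noout -text \
        | grep -A1 'X509v3 Key Usage' | tail -n 1 \
        | sed 's/^ *//; s/ *$//'
}

demo() {
    dir=$(mktemp -d) || return 1

    # Client: CSR requesting only digitalSignature + keyEncipherment.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -subj "/CN=client.example" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -out "$dir/client.csr" 2>/dev/null || return 1

    # CA: throwaway self-signed issuer (constructed for the demo).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "/CN=Demo CA" -days 1 -out "$dir/ca.crt" 2>/dev/null || return 1

    # "Profile": the issuance policy fixes the key usage bits itself,
    # including keyAgreement, regardless of what the CSR asked for.
    printf 'keyUsage=critical,digitalSignature,keyEncipherment,keyAgreement\n' \
        > "$dir/profile.ext"

    # Sign: subject and public key come from the CSR, extensions from the
    # profile file. CSR extensions are not copied by default.
    openssl x509 -req -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -extfile "$dir/profile.ext" -out "$dir/client.crt" 2>/dev/null || return 1

    # Client-side check: compare what was requested with what was issued.
    requested=$(key_usage req "$dir/client.csr")
    issued=$(key_usage x509 "$dir/client.crt")
    rm -rf "$dir"
    echo "requested: $requested"
    echo "issued:    $issued"
}

demo
```

Running the same `key_usage x509` check against a certificate returned by the real CA shows which bits its profile sets.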
