Hi,

> I'm guessing this has been already asked, I searched the archives to no avail.

No, as far as I am concerned I have never seen this requirement before.

> I generate my CSR with key usage information “DigitalSignature” and “Key
> encipherment” (using OpenSSL API).
> But when I get my enrolled certificate I have a new key usage “key agreement”.
> I saw it is configurable in tls_server.yaml, but is it possible to have
> automatically and only the key usage asked by the CSR?

This is a feature, not a deficiency. By design OpenXPKI ignores most data
supplied by the client in the CSR (with certain exceptions, such as subject,
SANs and of course the public key) and strictly enforces the defined
certificate issuance policy, in this case the profile properties when issuing
the certificate.

If certificates with the DigitalSignature and KeyEncipherment key usage bits
should be generated, the CA designer needs to define a profile which explicitly
sets these key usage bits and have the client reference this profile.

If a client should be able to request different types of certificates, the
client should either choose the correct profile (when using the manual request
workflow) or provide profile information with the request when using automated
enrollment interfaces.

Cheers

Martin
___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
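
The behaviour described in this reply can be checked after enrollment by diffing the key usage requested in the CSR against the key usage in the issued certificate. The following is an added example, not part of the original message and not OpenXPKI code; the sample text is constructed in the layout printed by `openssl req -noout -text` and `openssl x509 -noout -text`, and the function names are hypothetical.

```python
import re

# Constructed excerpts in the layout of `openssl req -noout -text` (CSR)
# and `openssl x509 -noout -text` (certificate); not from a real enrollment.
CSR_TEXT = """\
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""
CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

# Matches the Key Usage header line (with or without "critical") and captures
# the value line below it. "X509v3 Extended Key Usage:" does not match.
_KU = re.compile(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)")


def key_usage(openssl_text):
    """Return the set of key usage names, or an empty set if the extension is absent."""
    m = _KU.search(openssl_text)
    if not m:
        return set()
    return {name.strip() for name in m.group(1).split(",") if name.strip()}


def compare_key_usage(csr_text, cert_text):
    """Diff the key usage requested in the CSR against what the CA issued."""
    requested, issued = key_usage(csr_text), key_usage(cert_text)
    return {
        "added_by_ca": sorted(issued - requested),
        "dropped_by_ca": sorted(requested - issued),
    }


if __name__ == "__main__":
    # A non-empty diff means the profile, not the CSR, decided the key usage.
    print(compare_key_usage(CSR_TEXT, CERT_TEXT))
```

A non-empty `added_by_ca` or `dropped_by_ca` list points to the profile definition as the place to change, not the CSR.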