mkcert

Missing Extended Key Usage

Open efa2d19 opened this issue 3 years ago • 2 comments

Environment

  • Operating system (including version): MacOS 13.1
  • mkcert version (from mkcert -version): v1.4.4
  • Server (where the certificate is loaded): Locally
  • Client (e.g. browser, CLI tool, or script): Proxyman

What you did

  • mkcert -install
  • added root ca to Proxyman
  • launched Proxyman

What went wrong

Basically nothing, everything still works fine, but Proxyman always throws an error in my face at launch

It turns out that EKU is required for MacOS ≥10.15 (link to Apple article)

[Image: EKU_proxyman]

efa2d19 • Feb 06 '23 10:02

@Drugsosos I think only ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, should also work. Based on this description: "TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID."

lublak • Mar 03 '23 09:03

I think you just skipped a step of generating a leaf cert after you generated the CA cert because it kind of looks like you're using your root CA as your server certificate.

You'll find x509.ExtKeyUsageServerAuth in both makeCert and makeCertFromCSR

goldstar611 • Apr 28 '23 23:04
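
An added example, not part of the thread and not mkcert's own code: a Go check for the two properties the comments above turn on, whether a certificate is a CA and whether its EKU extension lists id-kp-serverAuth. The names must, issue, Diagnose and Sample are hypothetical, and both certificates are constructed in memory (a root CA without EKU and a localhost leaf signed by it).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // fresh P-256 key per certificate
	if parent == nil {                                           // no parent: self-signed root
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key // parse back so the fields come from the DER extensions
}

// Diagnose (hypothetical helper) reports the CA flag and whether the EKU lists id-kp-serverAuth.
func Diagnose(cert *x509.Certificate) (isCA, serverAuth bool) {
	return cert.IsCA, slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
}

// Sample returns a constructed root CA (no EKU) and a localhost leaf it signed (serverAuth EKU).
func Sample() (root, leaf *x509.Certificate) {
	now := time.Now()
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
	return root, leaf
}

func main() {
	root, leaf := Sample()
	fmt.Println(Diagnose(root)) // true false
	fmt.Println(Diagnose(leaf)) // false true
}
```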