fixes leaf certs to use leaf cert extensions (#776)

* fixes leaf certs to use leaf cert extensions * adds CN to SAN because Firefox is a fussbucket
2026-03-30 12:11:56 +00:00 · 2021-11-11 15:55:50 -07:00
parent 21a21444ce
commit 9f3909188a
1 changed files with 6 additions and 12 deletions
--- a/appmgr/src/net/ssl.rs
+++ b/appmgr/src/net/ssl.rs
@@ -422,21 +422,15 @@ fn make_leaf_cert(
        Some(&cfg),
        Some(&ctx),
        Nid::AUTHORITY_KEY_IDENTIFIER,
-        "keyid:always,issuer",
+        "keyid,issuer:always",
    )?;
-    // basicConstraints = critical, CA:true, pathlen:0
-    let basic_constraints = X509Extension::new_nid(
-        Some(&cfg),
-        Some(&ctx),
-        Nid::BASIC_CONSTRAINTS,
-        "critical,CA:true,pathlen:0",
-    )?;
-    // keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+    let basic_constraints =
+        X509Extension::new_nid(Some(&cfg), Some(&ctx), Nid::BASIC_CONSTRAINTS, "CA:FALSE")?;
    let key_usage = X509Extension::new_nid(
        Some(&cfg),
        Some(&ctx),
        Nid::KEY_USAGE,
-        "critical,digitalSignature,cRLSign,keyCertSign",
+        "critical,digitalSignature,keyEncipherment",
    )?;

    let subject_alt_name = X509Extension::new_nid(
@@ -444,8 +438,8 @@ fn make_leaf_cert(
        Some(&ctx),
        Nid::SUBJECT_ALT_NAME,
        &format!(
-            "DNS:*.{}.local,DNS:{}.onion,DNS:*.{}.onion",
-            &applicant.1, &applicant.1, &applicant.1
+            "DNS:{}.local,DNS:*.{}.local,DNS:{}.onion,DNS:*.{}.onion",
+            &applicant.1, &applicant.1, &applicant.1, &applicant.1
        ),
    )?;
    builder.append_extension(subject_key_identifier)?;