-
-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client certs also specify Server usage #273
Comments
mTLS certificates are often used for both the client and server sides. What's a use case where the extra serverAuth usage is a problem rather than just superfluous? |
If you're using mkcert for test certificates, you can unintentionally write code that is only validating the client certificate against Server usage, and looks correct until faced with real world client-only certs. This is the scenario I encountered. I'm not sure I've directly seen any client certs also marked for server usage, but you are correct; that probably happens in mTLS services that aren't on the edge of a system. Maybe it's best to have additional control over both usages. The least surprising behavior would probably be:
|
The real issue is that server certs should set client usage too, to match LetsEncrypt (and most other CAs ?) |
Using the
-client
flag results in a certificate valid for both Client and Server usage. This can lead to some unexpected validation scenarios. I think they should be mutually exclusive in practice.The text was updated successfully, but these errors were encountered: