Can step-ca generate a certificate with KeySpec option to be AT_EXCHANGE?

[datbq]

I'm working on setting up MSSQL Server with certificate from step-ca, but from my research, the certificate's KeySpec must be AT_EXCHANGE:
The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. This requires a legacy certificate. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
Link to document for Certificate requirements:
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?redirectedfrom=MSDN&view=sql-server-ver15#certificate-requirements
Please help me to verify this!

[iamllama]

While waiting for a proper answer, in the meantime you might be able use a TLS initiator/terminator like hitch/stunnel etc. instead of relying on mssql's encryption capabilities

[tashian]

I don't think we support this legacy KeySpec option on X.509 certificates.
If you want to request it as a feature, I could create an issue from this discussion.
Let me know if you'd like to do that.

[maraino]

@datbq I'm not sure what's the meaning of AT_KEYEXCHANGE, but key encipherment key usage, can be added to any certificate using certificate templates. In fact, if you sign a certificate with an RSA key, key encipherment is always included using the default template:

{
	"subject": {{ toJson .Subject }},
	"sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
	"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
	"keyUsage": ["digitalSignature"],
{{- end }}
	"extKeyUsage": ["serverAuth", "clientAuth"]
}

[maraino]

With RSA you can also use dataEncipherment. In TLS, the keyEncipherment key usage means that the RSA key can be used to encrypt a secret used to generate the symmetric key used for communication. dataEncipherment would be that the key is used for encrypting application data.