Allow Root + Intermediate Key_Usage to be set #30034
Conversation
LGTM. 👍
I'd rather we follow the CAB forum guidelines section 7.1.2.10.7 and limit CA key_usages to just digitalSignature, keyCertSign and cRLSign.
Can we add a check within the root generate and sign-intermediate paths to error out if we are provided any key usage value outside of those, along with updating the relevant docs?
👍
…low DigitalSignature.
514a09d to 32bd832
👍
Style correction suggested by Sarah Chavis. Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Description
Allows Root and Intermediate Key_Usage to be set via CLI, not just in the CSR
Fixes: #29362
The test here doesn't successfully fail on a bad branch, so this is a draft right now.
TODO only if you're a HashiCorp employee
backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
… of a public function, even if that change is in a CE file, double check that applying the patch for this PR to the ENT repo and running tests doesn't break any tests. Sometimes ENT only tests rely on public functions in CE files.
… in the PR description, commit message, or branch name.
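The allow-list the reviewer asks for above (reject any key_usage outside digitalSignature, keyCertSign, cRLSign on the root generate and sign-intermediate paths), and the CLI-set key usage the description promises, as an added example written for this page. It is not code from this PR or from Vault. It assumes the parameter arrives as a comma-separated string, that an empty value defaults to KeyCertSign|CRLSign, and that KeyCertSign is mandatory for a CA; those three choices are the example's, not the PR's. GenerateRoot stands in for the real root generate path with a throwaway P-256 key, and CheckCAKeyUsage inspects the certificate that was actually produced, which is what catches bits that came in through a CSR rather than the CLI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Key usage bits CA/B Forum BR 7.1.2.10.7 permits on a CA certificate,
// keyed by lower-cased name so the CLI string is matched case-insensitively.
var caAllowedKeyUsages = map[string]x509.KeyUsage{
	"digitalsignature": x509.KeyUsageDigitalSignature,
	"keycertsign":      x509.KeyUsageCertSign,
	"crlsign":          x509.KeyUsageCRLSign,
}

// Union of the allowed bits; anything outside it is rejected.
const caKeyUsageMask = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// ParseCAKeyUsage turns a comma-separated key_usage parameter (the assumed
// CLI shape) into a mask for a root or intermediate. Unknown or non-CA
// values such as KeyEncipherment are an error, not silently dropped.
// An empty value falls back to KeyCertSign|CRLSign (this example's default).
func ParseCAKeyUsage(raw string) (x509.KeyUsage, error) {
	if strings.TrimSpace(raw) == "" {
		return x509.KeyUsageCertSign | x509.KeyUsageCRLSign, nil
	}
	var usage x509.KeyUsage
	var rejected []string
	for _, field := range strings.Split(raw, ",") {
		name := strings.TrimSpace(field)
		if name == "" {
			continue
		}
		bit, ok := caAllowedKeyUsages[strings.ToLower(name)]
		if !ok {
			rejected = append(rejected, name)
			continue
		}
		usage |= bit
	}
	if len(rejected) > 0 {
		return 0, fmt.Errorf("key_usage not permitted on a CA certificate (CA/B Forum BR 7.1.2.10.7): %s; allowed: DigitalSignature, KeyCertSign, CRLSign",
			strings.Join(rejected, ", "))
	}
	// A CA that cannot sign certificates serves no purpose (assumed rule).
	if usage&x509.KeyUsageCertSign == 0 {
		return 0, fmt.Errorf("key_usage for a CA must include KeyCertSign")
	}
	return usage, nil
}

// CheckCAKeyUsage guards the issued certificate, so bits that arrived via
// the CSR on the sign-intermediate path are caught as well as CLI ones.
func CheckCAKeyUsage(cert *x509.Certificate) error {
	if !cert.IsCA {
		return fmt.Errorf("certificate is not a CA")
	}
	if extra := cert.KeyUsage &^ caKeyUsageMask; extra != 0 {
		return fmt.Errorf("CA certificate carries key usage bits outside the CA/B Forum set: %#x", extra)
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return fmt.Errorf("CA certificate lacks KeyCertSign")
	}
	return nil
}

// GenerateRoot mints a throwaway self-signed P-256 root carrying the given
// key usage, standing in for the real root generate path.
func GenerateRoot(cn string, usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed inputs: default, the full CA set, a smuggled non-CA bit, and a CA with no KeyCertSign.
	for _, in := range []string{"", "DigitalSignature,KeyCertSign,CRLSign", "KeyCertSign,KeyEncipherment", "CRLSign"} {
		usage, err := ParseCAKeyUsage(in)
		if err != nil {
			fmt.Printf("%q -> rejected: %v\n", in, err)
			continue
		}
		cert, err := GenerateRoot("example root", usage)
		if err != nil {
			fmt.Printf("%q -> generate failed: %v\n", in, err)
			continue
		}
		fmt.Printf("%q -> KeyUsage %#x, check: %v\n", in, cert.KeyUsage, CheckCAKeyUsage(cert))
	}
}
```

Rejecting rather than masking is deliberate: silently dropping KeyEncipherment would leave the operator believing the request was honoured. Putting the second check on the parsed certificate rather than the request means a CSR-supplied extension on the sign-intermediate path is subject to the same rule.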