goca
excessive extension usage on CA certificates
When GoCA generates a certificate authority (either root or intermediate), the TLS Web Client Authentication and TLS Web Server Authentication extensions are set. CA certificates should be limited to CA activities (Digital Signature, Certificate Sign, CRL Sign).
This behavior can be validated via visual inspection of a certificate with the OpenSSL command: openssl x509 -noout -text -in myca.crt
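The same check can be automated instead of read off the OpenSSL text output. The following is an added example, not GoCA's code and not part of the original report: `newCA`, `auditCA` and `tlsEKUs` are hypothetical names, and the certificate is a throwaway self-signed sample built with Go's standard library to stand in for a generated CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// tlsEKUs are the two extended key usages the issue reports on generated CAs.
var tlsEKUs = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageClientAuth: "TLS Web Client Authentication",
	x509.ExtKeyUsageServerAuth: "TLS Web Server Authentication",
}

// newCA self-signs a throwaway CA certificate (constructed sample, not GoCA output).
func newCA(eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// auditCA reports TLS client/server EKUs present on a CA certificate; leaf certificates pass.
func auditCA(c *x509.Certificate) (findings []string) {
	for _, e := range c.ExtKeyUsage {
		if name, ok := tlsEKUs[e]; ok && c.IsCA {
			findings = append(findings, "CA carries extended key usage: "+name)
		}
	}
	return findings
}

func main() {
	ca, err := newCA([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println(auditCA(ca))
}
```

To audit a real CA file, decode it with `encoding/pem` and pass the result of `x509.ParseCertificate` to `auditCA`.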