[IMPROVEMENT] Remove extendedKeyUsage from certificates

[aborroy]

Currently certificates include "extendedKeyUsage" restrictions:

• https://github.com/Alfresco/alfresco-ssl-generator/blob/master/ssl-tool/openssl.cnf#L90
• https://github.com/Alfresco/alfresco-ssl-generator/blob/master/ssl-tool/openssl.cnf#L100

Improvement

Removing this restrictions would help to mitigate configuration problems.

[hi-ko]

relates to #18
an alternative option would be to add both required usage types

extendedKeyUsage = serverAuth, clientAuth

but better using no restrictions and therefore remove config if we don't have a use case we want to cover..

[binduwavell]

@hi-ko, I'm curious if you could share what configuration problems you see with the current restrictions?

@aborroy I'm curious why these restrictions were added, are there specific concerns that lead to these being added?

[hi-ko]

I'm curious if you could share what configuration problems you see with the current restrictions?

@binduwavell: the problem was actually fixed by @AFaust 's change by adding both possible roles in the restriction. Before, the server certificates were restricted to the serverAuth role only, which did not allow authentication as a client with the same certificate. The Alfresco implementation ignored this configured restriction, so authentication between repo and solr still worked accidently, but any other implementation like a browser or e.g. a monitoring client would refuse to use this certificate to authenticate to the server part. In Alfresco, the certificates are always used for both roles: for serverAuth and clientAuth. So if we don't have anything we want to restrict, we shouldn't use the extendedKeyUsage feature at all, because it is boiler code, at least for repo and solr ...

Another story is, if we really want/need explict client certs to be used in a admin's browser, monitoring or debug environment, which should be limited on clientAuth role only. If so we would need to keep the client_cert config section including the extendedKeyUsage = clientAuth role only. However, we could also use the respective server certificates for this purpose including none of these restrictions, as we have done for the last 10 years.