Open
Description
Hi
I've the following function that I'm using to generate a CSR,
```rust
pub fn generate_csr(config: &CommonConfig) -> Result<model::CsrBundle> {
    let mut params: CertificateParams = CertificateParams::new(config.dns_array())?;
    params.is_ca = IsCa::NoCa;

    let mut dn = DistinguishedName::new();
    // dn information....
    params.distinguished_name = dn;

    let now = time::OffsetDateTime::now_utc();
    params.not_before = now;
    params.not_after = now + time::Duration::days(365);

    // key usage attributes
    params.key_usages = vec![
        KeyUsagePurpose::DigitalSignature,
        KeyUsagePurpose::KeyEncipherment,
        KeyUsagePurpose::KeyAgreement,
    ];
    params.extended_key_usages = vec![ExtendedKeyUsagePurpose::ServerAuth];

    // CSR creation and signing
    let key = generate_private_key();
    let csr = params.serialize_request(&key)?;
    Ok(model::CsrBundle { csr, key })
}
```
The resulting CSR contains:
```
Attributes:
    Requested Extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
```
However, I would like to configure the CSR so that:
- Key Usage is marked non-critical
- Extended Key Usage is marked critical
Is there a way to configure this in rcgen? I couldn’t find any options in CertificateParams to change the criticality of individual extensions.
Thanks in advance for any help!
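
Added example, not part of the original issue and not rcgen code: the criticality asked about above is the optional `critical BOOLEAN DEFAULT FALSE` field of the RFC 5280 `Extension` structure, and this standard-library-only sketch encodes the two extensions from the issue in DER with the requested flags. All function names are hypothetical helpers, and it does not use or imply any rcgen API.

```rust
// Added illustration (not rcgen code): RFC 5280 Extension encoding in DER.
// All function names here are hypothetical helpers.

/// DER TLV with short-form length (content under 128 bytes).
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    assert!(content.len() < 128, "short-form length only");
    let mut out = vec![tag, content.len() as u8];
    out.extend_from_slice(content);
    out
}

/// Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
///                          extnValue OCTET STRING }
fn extension(oid_body: &[u8], critical: bool, value_der: &[u8]) -> Vec<u8> {
    let mut body = tlv(0x06, oid_body);
    if critical {
        body.extend(tlv(0x01, &[0xFF])); // DER omits the field when it is FALSE
    }
    body.extend(tlv(0x04, value_der));
    tlv(0x30, &body)
}

/// Key Usage (2.5.29.15): digitalSignature, keyEncipherment, keyAgreement.
fn key_usage_ext(critical: bool) -> Vec<u8> {
    // BIT STRING: 3 unused bits, then bits 0, 2 and 4 set (0xA8).
    extension(&[0x55, 0x1D, 0x0F], critical, &tlv(0x03, &[0x03, 0xA8]))
}

/// Extended Key Usage (2.5.29.37): serverAuth (1.3.6.1.5.5.7.3.1).
fn ext_key_usage_ext(critical: bool) -> Vec<u8> {
    let server_auth = tlv(0x06, &[0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01]);
    extension(&[0x55, 0x1D, 0x25], critical, &tlv(0x30, &server_auth))
}

/// Reads the critical flag back from an encoded Extension.
fn is_critical(ext: &[u8]) -> bool {
    let after_oid = 4 + ext[3] as usize; // skip SEQUENCE header and the OID TLV
    ext[after_oid] == 0x01 && ext[after_oid + 2] == 0xFF
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02X}", b)).collect::<Vec<_>>().join(" ")
}

fn main() {
    // The layout requested in the issue: Key Usage non-critical, EKU critical.
    for ext in vec![key_usage_ext(false), ext_key_usage_ext(true)] {
        println!("critical={} {}", is_critical(&ext), hex(&ext));
    }
}
```

Because `critical` defaults to FALSE and DER omits default values, the critical form of an extension is exactly three bytes longer (`01 01 FF`) than the non-critical form.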