Description of problem:
According to Common Criteria, server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field, but sscg's certificate does not have an EKU field. CC'ing Steve Grubb who found this issue during a Cockpit review.

Version-Release number of selected component (if applicable):
sscg-2.6.2-1.fc32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. sscg --cert-key-file /tmp/x.key --cert-file /tmp/x.crt --ca-file /tmp/ca.crt --hostname `hostname -f` --subject-alt-name localhost
2. openssl x509 -in /tmp/x.crt -text

Actual results:
No extendedKeyUsage field in x.crt

Expected results:
Should have extendedKeyUsage for "serverAuth".

Additional info:
See https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage for how to do that with OpenSSL.
Are you sure you verified this with Cockpit using SSCG? I just ran the exact command you specified above and then viewed the x.crt:

```
openssl x509 -text -noout -in /tmp/x.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6141212879388356455 (0x5539f89385ff2f67)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Unspecified, OU = ca-4465204251473438007, CN = t490s.sgallagh.rht
        Validity
            Not Before: Jul 24 13:06:55 2020 GMT
            Not After : Sep 11 05:46:55 2030 GMT
        Subject: C = US, O = Unspecified, CN = t490s.sgallagh.rht
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:aa:6f:cb:cd:12:21:9c:43:84:b3:ba:02:a8:12:
                    dc:47:b2:c7:80:d5:8f:b1:9d:d8:63:b7:af:17:1d:
                    d6:fd:0c:eb:49:d9:ad:05:09:a7:b4:04:63:81:0f:
                    e6:1b:40:a2:a6:f8:9c:b9:10:80:82:80:a1:1a:f4:
                    d2:cb:6c:9c:84:ed:e2:ea:e5:cb:23:23:16:13:e0:
                    10:a5:67:62:a8:19:e9:04:0e:e6:b8:36:bf:b6:f0:
                    94:58:42:17:d6:a0:32:b7:73:a2:ce:42:fe:44:e7:
                    e6:b8:a8:76:f3:1f:a2:71:d8:4c:46:7b:aa:06:11:
                    97:f1:28:e3:08:b4:30:79:c2:81:b5:ae:60:91:80:
                    66:b5:35:b1:90:03:d0:bf:5d:ef:2d:e0:d1:c3:02:
                    84:30:64:65:66:95:3f:59:9d:48:5f:75:ea:f1:d5:
                    c0:3f:39:da:74:1f:a7:d1:b5:6c:42:6b:40:3c:c0:
                    4d:21:b2:42:24:c9:96:81:3b:f7:9e:f0:f5:84:f7:
                    f2:28:d0:33:b7:41:b7:6b:0a:cd:14:94:06:5b:c0:
                    98:ea:05:3c:4f:d3:47:19:7d:d1:f5:d9:45:1f:60:
                    03:26:f1:28:4d:50:1d:62:e2:0a:1c:d7:52:01:70:
                    fb:25:93:ae:47:f7:7d:2a:4e:53:39:31:07:19:39:
                    d4:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:t490s.sgallagh.rht, DNS:localhost
            X509v3 Authority Key Identifier:
                keyid:F4:78:EC:2D:55:04:47:1F:B7:2C:31:E9:22:EF:81:17:BC:ED:15:A7
    Signature Algorithm: sha256WithRSAEncryption
         af:b4:72:ae:14:9d:9d:56:92:43:25:7d:53:45:f8:24:50:90:
         ed:5f:73:dd:ed:70:e7:ac:3d:85:20:f1:52:23:4c:2b:30:cc:
         67:10:64:77:09:0f:d6:7c:6d:65:f0:eb:97:a2:8f:fb:48:11:
         a9:e3:b7:53:29:d0:13:38:e7:e7:3b:fd:76:ec:3a:14:2b:fe:
         1c:34:10:3a:5a:20:52:2c:89:d2:32:22:df:6a:9b:c5:6c:4e:
         b6:a1:b3:66:ec:dd:b2:16:bd:e6:8b:23:63:ed:be:22:1c:7b:
         89:64:18:68:53:22:6f:dc:9e:db:16:3f:2e:96:2a:59:ac:ec:
         04:9c:de:7e:a1:54:16:d0:be:3b:78:60:a4:51:6e:b8:31:46:
         2e:5e:60:66:a1:b9:a5:77:c2:57:9d:36:d0:b0:69:90:63:16:
         f9:de:bf:15:a0:fd:63:2b:27:a1:12:1b:d3:25:7a:66:7c:6e:
         c2:80:76:d3:2f:d4:dd:5d:0a:8e:bf:9c:74:2e:72:e0:2f:f2:
         94:20:b8:49:be:00:db:b5:dd:8d:b7:47:f6:9e:fa:b4:2f:a5:
         e1:3c:99:39:13:33:27:50:0b:7c:7f:66:14:f1:7f:2a:7c:e3:
         04:bb:58:11:42:96:3b:58:9b:79:1b:30:da:1f:75:d0:92:97:
         94:3b:10:df:6b:ce:3d:53:e1:14:0b:d2:ef:dc:17:f4:99:7a:
         c0:0c:a2:85:ba:a6:b0:79:16:e2:af:b2:45:4f:11:4f:ec:47:
         e8:e2:97:fd:8b:f7:c7:15:25:cc:69:9f:34:77:6b:29:42:f0:
         aa:72:45:81:13:67:64:45:d2:b9:51:84:1a:71:8b:a7:7d:90:
         91:a9:18:ac:7d:cc:ac:10:63:06:7a:fc:5f:bc:a5:a1:58:a7:
         8f:8e:07:89:91:70:a9:f9:e2:f3:09:23:5d:9c:e5:c2:45:da:
         c7:dd:fa:d5:9f:e1:a5:6d:82:09:af:12:2b:c7:1f:23:e5:e3:
         ff:b6:16:08:bd:6a:62:5f:79:cd:a0:e5:4b:ca:97:a5:44:0f:
         89:b6:46:d4:21:54:93:e9:5b:10:63:c7:f1:19:9d:76:a1:38:
         f5:53:aa:85:b6:8a:70:43:58:e4:9f:e1:27:d1:33:db:1a:d0:
         28:7f:c7:74:b0:68:c0:ad:e1:34:43:a6:12:93:cb:74:b9:f2:
         9f:45:df:73:68:8e:b7:74:ca:d7:2b:04:43:f8:d7:3f:94:fa:
         c8:45:bd:f2:04:8b:a0:eb:d9:f7:10:2d:c7:61:71:4b:93:f1:
         1f:d2:77:6c:2b:62:05:2c:27:6c:54:a6:60:c8:56:ac:14:b2:
         29:58:dd:b0:52:6f:f2:28
```

It definitely has

```
X509v3 Extended Key Usage:
    TLS Web Server Authentication
```
D'oh, I re-checked that on Fedora 32 and RHEL 8.3, and it indeed is there. Sorry for the noise, I must have been blind yesterday!
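An added example, not code from the bug report, sscg or Cockpit, that automates the check the report asks for: walk a certificate's DER and confirm that the extendedKeyUsage extension (2.5.29.37) lists id-kp-serverAuth (1.3.6.1.5.5.7.3.1). The sample Extensions blocks at the bottom are constructed here; for a real file, pass the bytes of a DER certificate (for instance the output of `openssl x509 -in /tmp/x.crt -outform DER`) to `has_server_auth`.

```python
# OIDs in DER content-octet form (constructed here from the dotted values).
OID_EKU = bytes.fromhex("551d25")                    # 2.5.29.37   extendedKeyUsage
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1 id-kp-serverAuth
SEQ, OID, OCTET_STRING, BOOLEAN, BIT_STRING = 0x30, 0x06, 0x04, 0x01, 0x03

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content octets of a constructed TLV into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def der_encode(tag, value):
    """Minimal DER encoder, used only to build the constructed sample data below."""
    length = bytes([len(value)]) if len(value) < 128 else b"\x82" + len(value).to_bytes(2, "big")
    return bytes([tag]) + length + value

def eku_oids(der):
    """Depth-first search of a DER blob (whole certificate or just its Extensions) for
    Extension SEQUENCE { OID 2.5.29.37, [BOOLEAN critical], OCTET STRING { SEQUENCE OF OID } }.
    Returns the purpose OIDs as bytes, or None when there is no EKU extension at all."""
    for tag, val in der_children(der):
        if not tag & 0x20:                  # only constructed types contain further TLVs
            continue
        kids = der_children(val)
        if kids and kids[0] == (OID, OID_EKU) and kids[-1][0] == OCTET_STRING:
            return [v for t, v in der_children(der_children(kids[-1][1])[0][1]) if t == OID]
        found = eku_oids(val)
        if found is not None:
            return found
    return None

def has_server_auth(der):
    """True only when an EKU extension exists and lists id-kp-serverAuth, as CC requires."""
    oids = eku_oids(der)
    return oids is not None and OID_SERVER_AUTH in oids
# Constructed sample Extensions blocks ([3] EXPLICIT, as inside a TBSCertificate):
# one like the certificate shown above (critical Key Usage + EKU serverAuth), one with Key Usage only.
KEY_USAGE_EXT = der_encode(SEQ, der_encode(OID, bytes.fromhex("551d0f")) + der_encode(BOOLEAN, b"\xff")
                           + der_encode(OCTET_STRING, der_encode(BIT_STRING, b"\x05\xa0")))
EKU_EXT = der_encode(SEQ, der_encode(OID, OID_EKU)
                     + der_encode(OCTET_STRING, der_encode(SEQ, der_encode(OID, OID_SERVER_AUTH))))
EXTS_WITH_EKU = der_encode(0xA3, der_encode(SEQ, KEY_USAGE_EXT + EKU_EXT))
EXTS_WITHOUT_EKU = der_encode(0xA3, der_encode(SEQ, KEY_USAGE_EXT))
```

The key point the check encodes is the report's expected result: a missing EKU extension and an EKU extension without serverAuth both fail, not only a wrong purpose value.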