From 7a06f387ca7fd6dea91a9c94adeaf44cf7d6fd8e Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 12 Sep 2022 20:42:56 +0300
Subject: [PATCH] OpenSSL: add keyUsage extension in CA config (#6017)

see https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.3
---
 src/etc/ssl/opnsense.cnf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/etc/ssl/opnsense.cnf b/src/etc/ssl/opnsense.cnf
index d75a70eda..f196ab6b2 100644
--- a/src/etc/ssl/opnsense.cnf
+++ b/src/etc/ssl/opnsense.cnf
@@ -211,6 +211,10 @@ authorityKeyIdentifier=keyid:always,issuer
 #basicConstraints = critical,CA:true
 # So we do this instead.
 basicConstraints = CA:true
+# keyUsage (rfc5280): Conforming CAs MUST include this extension in certificates that contain public keys
+# that are used to validate digital signatures on other public key certificates or CRLs.
+# When present, conforming CAs SHOULD mark this extension as critical.
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
 ###OPNsense:subjectAltName###