From b1e869e12515c6d1b91634ebda6ee214b345f714 Mon Sep 17 00:00:00 2001
From: Daniel Barlow <dan@telent.net>
Date: Fri, 4 Oct 2024 23:20:20 +0100
Subject: [PATCH] add key usage/extended key usage extensions

---
 main.fnl | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/main.fnl b/main.fnl
index f929aa7..cab4c6a 100644
--- a/main.fnl
+++ b/main.fnl
@@ -98,8 +98,11 @@
     (for [i 1 (csr:getRequestedExtensionCount) 1]
       (let [ext (csr:getRequestedExtension i)]
         (crt:addExtension ext)))
+    ;; https://www.golinuxcloud.com/add-x509-extensions-to-certificate-openssl/
     (doto crt
       (: :addExtension (extension.new "basicConstraints" "critical,CA:FALSE"))
+      (: :addExtension (extension.new "keyUsage" "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment")) ;; all of these?
+      (: :addExtension (extension.new "extendedKeyUsage" "clientAuth"))
       (: :sign ca-key))))
 
 (fn approve-request? [csr]