Correct and improve cert generation.

This commit changes three things with cert generation. - The extended key usage field has been removed since specifying the extended key usage field prevents the cert from working with firefox even when it specifies it can be used as a server - Creates a random serial number since browsers like firefox and chrome won't accept two certificates with the same issuer and serial number - Adds the digital signature key usage capability since some validators like node.js expect that instead of key encipherment
2014-01-29 03:41:59 -06:00 · 2014-01-29 03:41:59 -06:00 · 759451c046
commit 759451c046
parent 4edc4ceb9e
1 changed files with 11 additions and 5 deletions
--- a/certgen.go
+++ b/certgen.go
@ -42,17 +42,23 @@ func NewTLSCertPair(organization string, validUntil time.Time, extraHosts []stri
 		validUntil = endOfTime
 	}

+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to generate serial number: %s", err)
+	}
+
 	template := x509.Certificate{
-		SerialNumber: new(big.Int).SetInt64(0),
+		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{organization},
 		},
-		NotBefore: now,
+		NotBefore: now.Add(-time.Hour * 24),
 		NotAfter:  validUntil,

-		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		IsCA:        true, // so can sign self.
+		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature |
+			x509.KeyUsageCertSign,
+		IsCA: true, // so can sign self.
 		BasicConstraintsValid: true,
 	}