From 759451c0460faacf763f5897a91a4477a1002816 Mon Sep 17 00:00:00 2001 From: Dave Collins Date: Wed, 29 Jan 2014 03:41:59 -0600 Subject: [PATCH] Correct and improve cert generation. This commit changes three things with cert generation. - The extended key usage field has been removed since specifying the extended key usage field prevents the cert from working with firefox even when it specifies it can be used as a server - Creates a random serial number since browsers like firefox and chrome won't accept two certificates with the same issuer and serial number - Adds the digital signature key usage capability since some validators like node.js expect that instead of key encipherment --- certgen.go | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/certgen.go b/certgen.go index 6ad14ba..a410bf4 100644 --- a/certgen.go +++ b/certgen.go @@ -42,17 +42,23 @@ func NewTLSCertPair(organization string, validUntil time.Time, extraHosts []stri validUntil = endOfTime } + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) + if err != nil { + return nil, nil, fmt.Errorf("failed to generate serial number: %s", err) + } + template := x509.Certificate{ - SerialNumber: new(big.Int).SetInt64(0), + SerialNumber: serialNumber, Subject: pkix.Name{ Organization: []string{organization}, }, - NotBefore: now, + NotBefore: now.Add(-time.Hour * 24), NotAfter: validUntil, - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - IsCA: true, // so can sign self. + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | + x509.KeyUsageCertSign, + IsCA: true, // so can sign self. BasicConstraintsValid: true, }