Enhanced Key usages for certificates

Posted on December 20, 2021

Hi, I want to have both Server and client authentication for the same certificate and I am using easy-rsa. Can anyone help me on that? TIA




Heya,

To configure a single certificate for both server and client authentication using Easy-RSA, you’ll need to modify the configuration for your certificates to specify the desired Enhanced Key Usage (EKU) extensions. Easy-RSA is a simple script that helps you manage a PKI (Public Key Infrastructure) based on OpenSSL. Below are the steps to create a certificate with both server and client authentication EKUs.

Initialize the PKI (Public Key Infrastructure):

  • Navigate to the Easy-RSA directory, usually /usr/share/easy-rsa or /etc/easy-rsa.
  • Initialize the PKI:
./easyrsa init-pki

Configure Easy-RSA Variables:

  • Edit the vars file (usually located in the Easy-RSA directory) to set up the certificate parameters. Find and edit the following lines:
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 365

Build the Certificate Authority (CA):

  • To build the CA, run:
./easyrsa build-ca

Modify the OpenSSL Configuration for Enhanced Key Usage (EKU):

  • Open the openssl-easyrsa.cnf file (usually located in the Easy-RSA directory or the pki subdirectory) in a text editor.
  • Find the [ server_cert ] section, and add the following lines to specify both client and server authentication for the EKU:
extendedKeyUsage = serverAuth, clientAuth

Generate the Server/Client Certificate:

  • To build the keypair for a server or client, run the following command (replace “server_client_name” with a name of your choice):
./easyrsa build-server-full server_client_name nopass
  • The ‘nopass’ option generates a keypair without a passphrase.

Verify the Certificate:

  • After you’ve created the certificate, you should verify that the EKU settings are correct. To do this, you can run:

openssl x509 -in pki/issued/server_client_name.crt -text -noout
  • This should display the details of the certificate, including the X509v3 Extended Key Usage section, which should show both TLS Web Server Authentication and TLS Web Client Authentication.

Deploy the Certificate:

  • Once you have verified that the certificate has been created with the desired EKUs, you can deploy this certificate to your server or client. The private key will be in pki/private/ and the certificate will be in pki/issued/ in the Easy-RSA directory.

Please note that while using the same certificate for both server and client authentication can be convenient, it may not be the most secure configuration, especially in a production environment. In a typical production setting, you might have separate certificates for servers and clients, each with their own appropriate usage constraints.
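A programmatic counterpart to the openssl -text check above, added here as an example and not part of easy-rsa or the answer: it decodes the DER of an X.509 extendedKeyUsage extension and confirms that both id-kp-serverAuth and id-kp-clientAuth are listed. The sample extension bytes are hand-constructed, not taken from a real certificate; the same decoder applies to the extension bytes pulled out of an issued certificate's DER.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
EKU_EXT_OID = "2.5.29.37"           # id-ce-extKeyUsage

def read_tlv(buf, pos=0):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert base-128 OID contents to dotted form, e.g. 2.5.29.37."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: arc is complete
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)

def eku_oids(extension_der):
    """Return the set of KeyPurposeId OIDs inside a DER-encoded Extension."""
    tag, body, _ = read_tlv(extension_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != EKU_EXT_OID:
        raise ValueError("not an extendedKeyUsage extension")
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                         # optional 'critical' BOOLEAN precedes extnValue
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, seq, _ = read_tlv(val)             # ExtKeyUsageSyntax ::= SEQUENCE OF OID
    oids, pos = set(), 0
    while pos < len(seq):
        tag, oid, pos = read_tlv(seq, pos)
        oids.add(decode_oid(oid))
    return oids

def has_server_and_client_auth(extension_der):
    """True only when both serverAuth and clientAuth purposes are present."""
    return {SERVER_AUTH, CLIENT_AUTH} <= eku_oids(extension_der)

# Constructed sample extensions (hand-encoded here, not taken from a real cert).
EKU_BOTH = bytes.fromhex("301d0603551d2504163014"
                         "06082b06010505070301"    # serverAuth
                         "06082b06010505070302")   # clientAuth
EKU_SERVER_ONLY = bytes.fromhex("30130603551d25040c300a06082b06010505070301")
```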
