Amend HSM cert usage (#151)

There was an issue with invalid key types when verifying cosign signed registry sigs with a fulcio cert generated using the fuclio createca command This PR makes the resulting createca generated cert have partity to GCA generated certs The result is a HSM / createca root cert can be used to both sign and verify registry entries Resolves: #150 Signed-off-by: Luke Hinds <[email protected]>
sigstore · Jul 26, 2021 · e36f98f · e36f98f
1 parent d2344e5
commit e36f98f
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/cmd/app/createca.go b/cmd/app/createca.go
@@ -91,9 +91,8 @@ certificate authority for an instance of sigstore fulcio`,
 			NotBefore:             time.Now(),
 			NotAfter:              time.Now().AddDate(10, 0, 0),
 			IsCA:                  true,
-			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-			KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-			BasicConstraintsValid: true,
+			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+			BasicConstraintsValid: true, MaxPathLen: 1,
 		}
 
 		caBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, pubKey, privKey)