From ba11980e881547a6612e70be6a07dd2f35c03fd1 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Wed, 8 Apr 2026 22:51:49 +0200
Subject: [PATCH] Update: add keyUsage extension to CA and certificate generation

---
 simple-ca.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/simple-ca.sh b/simple-ca.sh
index 62a5832..cd26b63 100755
--- a/simple-ca.sh
+++ b/simple-ca.sh
@@ -123,7 +123,8 @@ function make_ca() {
 -noenc \
 -subj "/CN=${CA_NAME}" \
 -text \
- -addext "basicConstraints=critical,CA:TRUE,pathlen:1"; then
+ -addext "basicConstraints=critical,CA:TRUE,pathlen:1" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"; then
 echo "ERROR: Failed to generate CA certificate and key." >&2
 return 1
 fi
@@ -146,6 +147,7 @@ function make_ca() {
 -noenc \
 -subj "/CN=${CA_NAME}" \
 -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign" \
 ${AIA_BASE_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_BASE_URL}/ca_cert.crt"} \
 | openssl x509 \
 -req \
@@ -301,7 +303,7 @@ function make_cert() {
 -noenc \
 -subj "/CN=${CERT_SUBJECT_NAME}" \
 -addext "basicConstraints=critical,CA:FALSE" \
- -addext "keyUsage=digitalSignature,keyEncipherment" \
+ -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
 -addext "extendedKeyUsage=serverAuth,clientAuth" \
 -addext "$SANS_EXT" \
 ${AIA_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_URL}"} \
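Review bot: The added `-addext "keyUsage=critical,keyCertSign,cRLSign"` literal in this root-CA hunk is repeated verbatim in the intermediate-CA hunk at `@@ -146,6 +147,7 @@`, so the two CA profiles can silently drift apart if one is edited later. Consider hoisting it to a single constant near the top of the script, e.g. `readonly CA_KEY_USAGE="keyUsage=critical,keyCertSign,cRLSign"`, and passing `-addext "$CA_KEY_USAGE"` in both places. The enclosing `if ! openssl req ...; then` starts outside the hunk, so the exact command form is inferred from the trailing `; then`.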
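Review bot: The new `-addext "keyUsage=critical,keyCertSign,cRLSign"` here is placed on the `openssl req` (CSR) side of a pipeline into `openssl x509 -req`, and `openssl x509 -req` does not carry CSR extensions into the issued certificate unless it is told to (`-copy_extensions copy` on OpenSSL 3.x, or an `-extfile`). The `openssl x509` stage continues past the end of this hunk, so I cannot see whether it passes that option; if it does not, the intermediate CA certificate ends up with no keyUsage at all despite this change, and the same applies to the `make_cert` hunk at `@@ -301,7 +303,7 @@` if it uses the same pipeline. Worth confirming with `openssl x509 -in <issued cert> -noout -ext keyUsage` after a test run, and adding a comment above the `-addext` lines such as `# CSR extensions below are only honoured if the x509 -req stage copies them (-copy_extensions copy).`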
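Review bot: Marking `keyUsage=critical,digitalSignature,keyEncipherment` as critical is correct for an RSA end-entity key, but `keyEncipherment` is not valid for EC keys (RFC 5480 and RFC 8813 forbid it for id-ecPublicKey; `keyAgreement` is the EC counterpart), and a strict verifier may now reject such a certificate where the previous non-critical form was tolerated. The key algorithm used by `make_cert` is chosen outside this hunk, so this only matters if the script can generate EC keys; if it can, derive the key-usage string from the key type, e.g. `key_usage="keyUsage=critical,digitalSignature,keyEncipherment"` for RSA and `key_usage="keyUsage=critical,digitalSignature,keyAgreement"` for EC, and pass `-addext "$key_usage"`. A one-line comment stating that the RSA-only assumption is intentional would suffice if EC keys are not supported.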