Merge pull request #320 from Dstack-TEE/ca-cert-sign

kvinwang · web-flow · commit b6baa526c452 · 2025-09-03T09:22:52.000+08:00
ra-tls: Add KeyCertSign and CrlSign usages for CA certs
diff --git a/ra-tls/src/cert.rs b/ra-tls/src/cert.rs
@@ -258,6 +258,8 @@ impl<Key> CertRequest<'_, Key> {
         }
         if let Some(ca_level) = self.ca_level {
             params.is_ca = IsCa::Ca(BasicConstraints::Constrained(ca_level));
+            params.key_usages.push(KeyUsagePurpose::KeyCertSign);
+            params.key_usages.push(KeyUsagePurpose::CrlSign);
         }
         if let Some(not_before) = self.not_before {
             params.not_before = not_before.into();

Original file line number	Diff line number	Diff line change
`@@ -258,6 +258,8 @@ impl<Key> CertRequest<'_, Key> {`
`258`	`258`	`}`
`259`	`259`	`if let Some(ca_level) = self.ca_level {`
`260`	`260`	`params.is_ca = IsCa::Ca(BasicConstraints::Constrained(ca_level));`
	`261`	`+ params.key_usages.push(KeyUsagePurpose::KeyCertSign);`
	`262`	`+ params.key_usages.push(KeyUsagePurpose::CrlSign);`
`261`	`263`	`}`
`262`	`264`	`if let Some(not_before) = self.not_before {`
`263`	`265`	`params.not_before = not_before.into();`