OpenVPN and Extended Key Usage for client certs

Hi Turris team,

let me ask you - is there any reason why the client certificates generated through Foris interface do not have “Extended Key Usage” attribute set - to “TLS Web Client Authentication”?

I’m trying to enhance the security of generated server/client configs and added tls-auth keys and “remote-cert-tls server” into client configs as the server certificate has the “Extended Key Usage” attribute. When I tried to add “remote-cert-tls client” that didn’t work due to the missing attribute.

I know I can use “ns-cert-type client” but I’m just curious if there was any reason for not having the EKU for client certs.

Thanks.

1 Like