
Re: Help, I broke sso.debian.org for chrome



Christoph Berg writes ("Re: Help, I broke sso.debian.org for chrome"):
> Re: Enrico Zini 2017-09-05 <20170905093701.xncmprl2x4so6hu4@enricozini.org>
> > I refactored the certificate generation code for sso.debian.org, and the
> > certificates it generates now still work in Firefox but not in Chrome.
> 
> My guess is that the new-style certificates are missing some
> attributes:
> 
> Old certificate from 2015:
> 
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment, Key Agreement
>             X509v3 Extended Key Usage: 
>                 TLS Web Client Authentication

This last one seems like it ought to be there.  I don't know about the
Key Usage.

IIRC there are ways to get the openssl CLI to add specific extensions
but I don't know how to do that in the API Enrico is using in sso.

FYI, Enrico, the openssl CLI tool can dump this kind of thing so you
can compare before and after.  I forget the exact runes I'm afraid.

Ian.
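
Added example, not part of the original message or of the sso.debian.org code: a before/after comparison of certificate extensions using the openssl CLI's `x509 -noout -text` dump. The two certificates are throwaway self-signed ones constructed here, and the `without_eku` profile is only an assumption about what a certificate lacking the Extended Key Usage would look like.

```shell
#!/bin/sh
# Added example. All certificates are throwaway self-signed ones constructed
# here; the "without_eku" profile is an assumption, not the real sso output.
set -e
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-test-user
[with_eku]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = clientAuth
[without_eku]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
EOF

# One key for both certificates, so any key identifiers are identical.
openssl genrsa -out "$tmp/key.pem" 2048 2>/dev/null

# make_cert PROFILE: self-signed certificate using that extension section.
make_cert() {
    openssl req -x509 -new -key "$tmp/key.pem" -config "$tmp/req.cnf" \
        -extensions "$1" -days 1 -out "$tmp/$1.pem"
}

# cert_extensions FILE: print only the "X509v3 extensions" part of the dump.
cert_extensions() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 extensions:/,/Signature Algorithm:/p' | sed '$d'
}

# missing_in_second A B: extension lines present in A but absent from B.
missing_in_second() {
    cert_extensions "$1" > "$tmp/a.ext"
    cert_extensions "$2" > "$tmp/b.ext"
    diff "$tmp/a.ext" "$tmp/b.ext" | sed -n 's/^< *//p'
}

make_cert with_eku
make_cert without_eku
missing_in_second "$tmp/with_eku.pem" "$tmp/without_eku.pem"
```

To compare real certificates, pass the old and new PEM files to `missing_in_second` instead of the two generated ones.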

