From 957bbab440614725019369ae31c5b01aa261b761 Mon Sep 17 00:00:00 2001 From: Matt Mower Date: Sat, 4 May 2024 11:43:01 -0700 Subject: [PATCH] feat: Support manually defining extended key usage in CSR - New CLI param: --extended-key-usage - When --extended-key-usage is defined: 1. Set [v3_req]extendedKeyUsage to the provided value. 2. Store the value in domain conf Le_ExtKeyUse for reuse. --- acme.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index d154cf77..0d882ba6 100755 --- a/acme.sh +++ b/acme.sh @@ -1243,7 +1243,14 @@ _createcsr() { _debug2 csr "$csr" _debug2 csrconf "$csrconf" - printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\nextendedKeyUsage=serverAuth,clientAuth\n" >"$csrconf" + printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]" >"$csrconf" + + if [ "$Le_ExtKeyUse" ]; then + _savedomainconf Le_ExtKeyUse "$Le_ExtKeyUse" + printf "\nextendedKeyUsage=$Le_ExtKeyUse\n" >>"$csrconf" + else + printf "\nextendedKeyUsage=serverAuth,clientAuth\n" >>"$csrconf" + fi if [ "$acmeValidationv1" ]; then domainlist="$(_idn "$domainlist")" @@ -7007,6 +7014,7 @@ Parameters: --post-hook Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed. --renew-hook Command to be run after each successfully renewed certificate. --deploy-hook The hook file to deploy cert + --extended-key-usage Manually define the CSR extended key usage value. The default is serverAuth,clientAuth. --ocsp, --ocsp-must-staple Generate OCSP-Must-Staple extension. --always-force-new-domain-key Generate new domain key on renewal. Otherwise, the domain key is not changed by default. --auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future. Defaults to 1 if argument is omitted. @@ -7698,6 +7706,10 @@ _process() { _deploy_hook="$_deploy_hook$2," shift ;; + --extended-key-usage) + Le_ExtKeyUse="$2" + shift + ;; --ocsp-must-staple | --ocsp) Le_OCSP_Staple="1" ;;