From 096fa22d07aaef747f7d52d94578b73048ece10c Mon Sep 17 00:00:00 2001
From: James Munnelly <james@munnelly.eu>
Date: Fri, 5 Jul 2019 17:25:54 +0100
Subject: [PATCH] Set ExtKeyUsageServerAuth in
 GenerateTemplateFromCertificateRequest

Signed-off-by: James Munnelly <james@munnelly.eu>
---
 pkg/util/pki/csr.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 04872451f..c4f4e87a2 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -243,7 +243,11 @@ func GenerateTemplateFromCertificateRequest(cr *v1alpha1.CertificateRequest) (*x
 		DNSNames:    csr.DNSNames,
 		IPAddresses: csr.IPAddresses,
 		URIs:        csr.URIs,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		// TODO: we should expose ExtKeyUsage via the API and not set x509.ExtKeyUsageClientAuth
+		// by default. This is a known change in behaviour between the Certificate and CertificateRequest
+		// controller and should be rectified before the CertificateRequest feature exits
+		// alpha.
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 	}, nil
 }