From a105787b560bf775098d3ac92fe40b42ee0a4e49 Mon Sep 17 00:00:00 2001
From: Nathaniel Clark
Date: Thu, 23 Mar 2023 09:09:58 -0400
Subject: [PATCH 1/2] Add clientAuth to certificates
Signed-off-by: Nathaniel Clark
---
 src/acme/ca.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/acme/ca.rs b/src/acme/ca.rs
index 314b113..fdddcf6 100644
--- a/src/acme/ca.rs
+++ b/src/acme/ca.rs
@@ -90,7 +90,7 @@ impl CA {
 None,
 Some(&builder.x509v3_context(None, None)),
 "extendedKeyUsage",
- "critical,serverAuth",
+ "critical,serverAuth,clientAuth",
 )?)?;
 
 builder.append_extension(X509Extension::new(
From c6d04feea10ba57295c0405fbe33676d87a69d99 Mon Sep 17 00:00:00 2001
From: Nathaniel Clark
Date: Mon, 24 Apr 2023 14:17:16 -0400
Subject: [PATCH 2/2] Use openssl extensions instead of manual creating
Signed-off-by: Nathaniel Clark
---
 src/acme/ca.rs | 47 ++++++++++++++++++++++-------------------------
 1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/src/acme/ca.rs b/src/acme/ca.rs
index fdddcf6..ff48949 100644
--- a/src/acme/ca.rs
+++ b/src/acme/ca.rs
@@ -12,7 +12,7 @@ use openssl::{
 hash::MessageDigest,
 pkey::{PKey, Private},
 rsa::Rsa,
- x509::{X509Extension, X509Name, X509Req, X509},
+ x509::{extension, X509Extension, X509Name, X509Req, X509},
 };
 
 use tokio::sync::RwLock;
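Review bot: `clientAuth` is added to the extendedKeyUsage of every certificate this builder issues, so any certificate obtained from this CA (presumably via the ACME flow, given the file path) can also be presented as a TLS client identity to relying parties that trust the CA, and the commit message does not say whether that widening is intended for all issuances. If only some consumers need client authentication, consider making the `clientAuth` purpose conditional on the request or on a CA configuration setting rather than unconditional, and add a comment at this call stating why both purposes are granted, e.g. `// Issued certificates are used for both server and mutual-TLS client authentication`. The enclosing `append_extension` call and the method around it start and end outside the hunk.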
@@ -79,33 +79,30 @@ impl CA {
 }
 }
 
- builder.append_extension(X509Extension::new(
- None,
- Some(&builder.x509v3_context(None, None)),
- "keyUsage",
- "critical,keyEncipherment,digitalSignature",
- )?)?;
+ builder.append_extension(
+ extension::KeyUsage::new()
+ .critical()
+ .key_encipherment()
+ .digital_signature()
+ .build()?,
+ )?;
 
- builder.append_extension(X509Extension::new(
- None,
- Some(&builder.x509v3_context(None, None)),
- "extendedKeyUsage",
- "critical,serverAuth,clientAuth",
- )?)?;
+ builder.append_extension(
+ extension::ExtendedKeyUsage::new()
+ .server_auth()
+ .client_auth()
+ .build()?,
+ )?;
 
- builder.append_extension(X509Extension::new(
- None,
- Some(&builder.x509v3_context(None, None)),
- "authorityKeyIdentifier",
- "issuer",
- )?)?;
+ builder.append_extension(
+ extension::AuthorityKeyIdentifier::new()
+ .keyid(false)
+ .build(&builder.x509v3_context(Some(&self.certificate), None))?,
+ )?;
 
- builder.append_extension(X509Extension::new(
- None,
- Some(&builder.x509v3_context(None, None)),
- "subjectKeyIdentifier",
- "hash",
- )?)?;
+ builder.append_extension(
+ extension::SubjectKeyIdentifier::new().build(&builder.x509v3_context(Some(&self.certificate), None))?,
+ )?;
 
 builder.append_extension(X509Extension::new(
 None,
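Review bot: The ExtendedKeyUsage extension silently loses its critical flag: the removed value was `"critical,serverAuth,clientAuth"`, but the replacement chain `extension::ExtendedKeyUsage::new().server_auth().client_auth().build()?` never calls `.critical()`, whereas the KeyUsage chain directly above it does; if the drop is unintended, insert `.critical()` after `new()`, and if it is intended, state it in the commit message, since the subject line presents this as a pure refactor. The AuthorityKeyIdentifier also changes meaning, from `issuer` to `keyid` (`.keyid(false)`), and now relies on `self.certificate` being the issuing CA certificate passed to `x509v3_context` — presumably it is, but that too is a behavioural change worth a sentence in the description. The trailing context lines show one `X509Extension::new(` call still on the string-parsed path; its value lies outside the hunk, so whether it carries request-derived data cannot be judged here. The enclosing method starts and ends outside the hunk.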