[GH-ISSUE #273] Client certs also specify Server usage #177

Open
opened 2026-02-25 22:32:48 +03:00 by kerem · 3 comments

Originally created by @travisgroth on GitHub (Jun 29, 2020).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/273

Using the -client flag results in a certificate valid for both Client and Server usage. This can lead to some unexpected validation scenarios. I think they should be mutually exclusive in practice.


@FiloSottile commented on GitHub (Oct 25, 2020):

mTLS certificates are often used for both the client and server sides. What's a use case where the extra serverAuth usage is a problem rather than just superfluous?


@travisgroth commented on GitHub (Oct 25, 2020):

If you're using mkcert for test certificates, you can unintentionally write code that is only validating the client certificate against Server usage, and looks correct until faced with real world client-only certs. This is the scenario I encountered.

I'm not sure I've directly seen any client certs also marked for server usage, but you are correct; that probably happens in mTLS services that aren't on the edge of a system. Maybe it's best to have additional control over both usages. The least surprising behavior would probably be:

  • if no usage flags are passed, default to server
  • if usage flags are set, only set the ones present; e.g., the current behavior would require `--client` and `--server`
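The failure mode travisgroth describes above, as an added example (not code from mkcert or from anyone in this thread): a throwaway in-memory CA issues one dual-usage leaf (clientAuth + serverAuth, the shape `mkcert -client` produces) and one client-only leaf, and `verifyPeer` chains each to the CA while requiring a single extended key usage. A server that mistakenly requires `ExtKeyUsageServerAuth` from its clients accepts the dual-usage test cert and only breaks on the client-only one; requiring `ExtKeyUsageClientAuth` is the check that is correct for both. The CA name, subjects and the `testPKI`/`demo` helpers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a throwaway in-memory CA constructed for this example (not mkcert's CA).
type testPKI struct {
	Roots  *x509.CertPool
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	serial int64
}

// newTestPKI generates a self-signed CA and a root pool that trusts it.
func newTestPKI() (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &testPKI{Roots: roots, caCert: caCert, caKey: caKey, serial: 1}, nil
}

// issue signs a leaf for cn carrying exactly the given extended key usages.
func (p *testPKI) issue(cn string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.caCert, &key.PublicKey, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer chains cert to roots and requires the given EKU. A server authenticating
// a client must pass x509.ExtKeyUsageClientAuth; passing ExtKeyUsageServerAuth here is
// the mistake the thread describes, and it goes unnoticed with dual-usage test certs.
func verifyPeer(cert *x509.Certificate, roots *x509.CertPool, eku x509.ExtKeyUsage) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// outcome records which check accepts which certificate.
type outcome struct {
	DualPassesServerCheck       bool // mkcert -client style cert against the wrong (serverAuth) check
	ClientOnlyPassesServerCheck bool // real client-only cert against the wrong (serverAuth) check
	ClientOnlyPassesClientCheck bool // real client-only cert against the correct (clientAuth) check
}

// demo issues both kinds of client certificate and runs both checks against them.
func demo() (outcome, error) {
	pki, err := newTestPKI()
	if err != nil {
		return outcome{}, err
	}
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	dual, err := pki.issue("dual-usage client", both)
	if err != nil {
		return outcome{}, err
	}
	clientOnly, err := pki.issue("client-only", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	if err != nil {
		return outcome{}, err
	}
	return outcome{
		DualPassesServerCheck:       verifyPeer(dual, pki.Roots, x509.ExtKeyUsageServerAuth) == nil,
		ClientOnlyPassesServerCheck: verifyPeer(clientOnly, pki.Roots, x509.ExtKeyUsageServerAuth) == nil,
		ClientOnlyPassesClientCheck: verifyPeer(clientOnly, pki.Roots, x509.ExtKeyUsageClientAuth) == nil,
	}, nil
}

func main() {
	o, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("dual-usage cert passes serverAuth check:  %v\n", o.DualPassesServerCheck)
	fmt.Printf("client-only cert passes serverAuth check: %v\n", o.ClientOnlyPassesServerCheck)
	fmt.Printf("client-only cert passes clientAuth check: %v\n", o.ClientOnlyPassesClientCheck)
}
```

The wrong check fails on the client-only cert with an `x509.CertificateInvalidError` whose reason is `IncompatibleUsage`, which is the symptom to look for when a service that was tested only against mkcert output starts rejecting certificates from a production CA. Note that `VerifyOptions.KeyUsages` defaults to serverAuth when left empty, so the correct clientAuth requirement has to be stated explicitly.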

@moparisthebest commented on GitHub (Mar 24, 2022):

The real issue is that [server certs should set client usage too](https://github.com/FiloSottile/mkcert/pull/274#issuecomment-1077026786), to match LetsEncrypt (and most other CAs?)