[GH-ISSUE #504] Missing Extended Key Usage #304

Open
opened 2026-02-25 22:33:04 +03:00 by kerem · 2 comments

Originally created by @efa2d19 on GitHub (Feb 6, 2023).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/504

Environment

  • Operating system (including version): MacOS 13.1
  • mkcert version (from mkcert -version): v1.4.4
  • Server (where the certificate is loaded): Locally
  • Client (e.g. browser, CLI tool, or script): Proxyman

What you did

  • mkcert -install
  • added root ca to Proxyman
  • launched Proxyman

What went wrong

Basically nothing, everything still works fine, but Proxyman always throws an error in my face at launch.

It turns out that EKU is required for MacOS ≥10.15 [link to apple article](https://support.apple.com/en-us/HT210176)

@lublak commented on GitHub (Mar 3, 2023):

@Drugsosos I think only `ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},` should also work.
Based on this description: `TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.`

@goldstar611 commented on GitHub (Apr 28, 2023):

I think you just skipped a step of generating a leaf cert after you generated the CA cert because it kind of looks like you're using your root CA as your server certificate.

You'll find `x509.ExtKeyUsageServerAuth` in both [makeCert](https://github.com/FiloSottile/mkcert/blob/2a46726cebac0ff4e1f133d90b4e4c42f1edf44a/cert.go#L50) and [makeCertFromCSR](https://github.com/FiloSottile/mkcert/blob/2a46726cebac0ff4e1f133d90b4e4c42f1edf44a/cert.go#L50)
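
The check discussed in this thread, as an added Go example that is not code from mkcert or from any participant: it parses a certificate and tells a CA certificate presented as a server certificate apart from a leaf that lacks the `id-kp-serverAuth` EKU. The names `diagnose` and `selfSignedDER` and the throwaway certificates they produce are assumptions constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// diagnose parses a DER certificate presented as a TLS server certificate and checks its EKU.
func diagnose(der []byte) string {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "unparseable: " + err.Error()
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return "ok"
		}
	}
	if c.IsCA { // the case suggested in the thread: a root CA used as the server cert
		return "CA certificate without serverAuth EKU"
	}
	return "leaf without serverAuth EKU"
}

// selfSignedDER builds a constructed, throwaway certificate in memory (sample input only).
func selfSignedDER(isCA bool, ekus ...x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"localhost"}, IsCA: isCA, BasicConstraintsValid: isCA, ExtKeyUsage: ekus}
	return x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
}

func main() {
	for _, isCA := range []bool{true, false} {
		der, err := selfSignedDER(isCA)
		if err != nil {
			panic(err)
		}
		fmt.Printf("IsCA=%v, no EKU: %s\n", isCA, diagnose(der))
	}
}
```

To run the same check on a PEM file on disk, decode it with `encoding/pem` and pass the block's `Bytes` to `diagnose`.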