From 8325eeff06ef97a97d03add619db21a86c6303c0 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 23 Feb 2023 16:54:51 +0100
Subject: [PATCH] pki: Allow overriding EKU flags from certificate request via command line

The flags encoded in the PKCS#10 structure (or derived from the encoded profile name) might not be appropriate in some instances. This allows overriding them without having to issue a new certificate request.
---
 src/pki/commands/issue.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 023f0536ab..ad4f13d22d 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -482,8 +482,11 @@ static int issue()
 }
 req = (pkcs10_t*)cert_req;
- /* Add Extended Key Usage (EKU) flags */
- flags |= req->get_flags(req);
+ /* Add Extended Key Usage (EKU) flags if not overridden */
+ if (!flags)
+ {
+ flags = req->get_flags(req);
+ }
 /* Add subjectAltNames from PKCS#10 certificate request */
 enumerator = req->create_subjectAltName_enumerator(req);
--
2.47.2
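Review bot: The new `if (!flags)` test treats any bit already set in `flags` as an override, so the request's EKU flags are dropped wholesale rather than only when EKU flags were actually given on the command line. Whether `flags` can carry non-EKU bits at this point (for example a CA-related bit set by another option) is not visible here, because `issue()` starts and ends outside the hunk; if it can, an unrelated option would silently strip the EKU flags the requester asked for and the issued certificate would differ from what the operator expects. Testing only the EKU bits, or a separate boolean set where the command-line flags are parsed, would make the override explicit. The comment should also say that zero means "not overridden", so an empty EKU set cannot be forced this way, e.g. `/* command-line flags replace (not extend) the EKU flags from the request; none given keeps the request's flags */`.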