Create a certificate with key usage server authentication only


#1

I want to know if it is possible to generate a certificate with enhanced key usage = server authentication only. By default, this field is server authentication and client authentication.

My domain is:
commandjrmain.usgoviowa.cloudapp.usgovcloudapi.net

I ran this command:

DOMAIN="commandjrmain.usgoviowa.cloudapp.usgovcloudapi.net"
CA_AUTHORITY="https://acme-v02.api.letsencrypt.org/directory"

sudo docker run -it --rm --name certbot \
  -v "$HOME/certbot/etc/letsencrypt:/etc/letsencrypt" \
  -v "$HOME/certbot/var/lib/letsencrypt:/var/lib/letsencrypt" \
  -v "$HOME/certbot/.secrets/certbot:/secrets/certbot" \
  certbot/dns-cloudflare certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /secrets/certbot/cloudflare.ini \
  -d "$DOMAIN" \
  --server "$CA_AUTHORITY"

The operating system my web server runs on is (include version):
Windows Server 2016


#2

Hi @phalcon30964,

Unfortunately it is not possible. The Let’s Encrypt CA software chooses the Extended Key Usage (EKU) for the issued certificate, not the ACME client software.

If you need more control over the EKU you probably need to consider using an internal PKI.
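
Added example, not part of the thread and not Let's Encrypt or Certbot code: since the CA decides the EKU, the practical check is to read it back from the issued certificate. This sketch decodes the extKeyUsage extension (OID 2.5.29.37) from DER bytes and reports whether it is server authentication only. The function names are hypothetical, the sample bytes are constructed, and finding the extension by searching for its OID bytes is a shortcut that a full X.509 parser would replace.

```python
# Constructed sample data: DER-encoded Extension structures for extKeyUsage.
BOTH_EKUS = bytes.fromhex("301d0603551d250416301406082b0601050507030106082b06010505070302")
SERVER_ONLY = bytes.fromhex("30130603551d25040c300a06082b06010505070301")
EKU_EXT_OID = bytes.fromhex("0603551d25")  # OBJECT IDENTIFIER 2.5.29.37
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal text."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def eku_purposes(der):
    """List the EKU OIDs in a DER certificate or extension; None if there is no EKU."""
    idx = der.find(EKU_EXT_OID)
    if idx < 0:
        return None
    tag, content, pos = read_tlv(der, idx + len(EKU_EXT_OID))
    if tag == 0x01:                         # optional 'critical' BOOLEAN comes first
        tag, content, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, seq, _ = read_tlv(content, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF KeyPurposeId")
    oids, p = [], 0
    while p < len(seq):
        tag, body, p = read_tlv(seq, p)
        oids.append(decode_oid(body))
    return oids

def is_server_auth_only(der):
    return eku_purposes(der) == [SERVER_AUTH]
```

For a PEM certificate file, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the resulting bytes to `eku_purposes()`.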