It appears that having a Key Usage extension on a CSR triggers a failure to parse the CSR on the Boulder side. Not always though, but only if “critical” is set. For example:
    Requested Extensions:
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
Works. But:
    Requested Extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
Fails.
Could anyone on the dev team please confirm? Note - this is not the CSR generated by the client, this is an actual use case of a CSR used with the client but generated by specific networking equipment.
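An added example, not part of the original post: at the DER level the two requests above differ only by a `BOOLEAN TRUE` inside the Key Usage `Extension`, and this standard-library sketch decodes a requested-extensions value to show each extension's critical flag. The function names are hypothetical, and the two byte strings are constructed by hand to hold only the `SEQUENCE OF Extension`, not a full CSR.

```python
# Added example (standard library only); sample bytes are constructed by hand.
KU_NAMES = ("digitalSignature nonRepudiation keyEncipherment dataEncipherment "
            "keyAgreement keyCertSign cRLSign encipherOnly").split()

def read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the DER element starting at pos.
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def key_usage_names(extn_value):
    # extnValue wraps a BIT STRING; its first content byte is the unused-bit count.
    tag, bits, _ = read_tlv(extn_value, 0)
    if tag != 0x03 or len(bits) < 2:
        raise ValueError("expected BIT STRING")
    return [n for i, n in enumerate(KU_NAMES) if bits[1] & (0x80 >> i)]

def list_extensions(der):
    # Return [(oid, critical, key_usages_or_None)] for a SEQUENCE OF Extension.
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_raw, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        critical = False                     # BOOLEAN is omitted when FALSE (DEFAULT)
        if t == 0x01:
            critical = val != b"\x00"
            t, val, p = read_tlv(ext, p)     # now the OCTET STRING extnValue
        oid = decode_oid(oid_raw)
        out.append((oid, critical, key_usage_names(val) if oid == "2.5.29.15" else None))
    return out

# Constructed samples: Key Usage = Digital Signature, Key Encipherment.
PLAIN = bytes.fromhex("300d300b0603551d0f0404030205a0")
CRITICAL = bytes.fromhex("3010300e0603551d0f0101ff0404030205a0")
```

`list_extensions(PLAIN)` and `list_extensions(CRITICAL)` return the same OID and usages; only the critical flag differs, which corresponds to the three extra bytes `01 01 ff` in the second sample.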