I tried generating an LE cert from a CSR that contained
X509v3 Extended Key Usage:
    TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
The number is used for “IP Security IKE Intermediate”, which is recommended for my use case, where this cert will end up on an IPsec server.
However, I end up with a generated certificate that has
X509v3 extensions:
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
So the Extended Key Usage gets completely rewritten. Is this the intended behavior?
Could the generated certs follow the CSR more closely by using a special API call?
For a bit of context, I am using a modified acme.sh client.
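A way to check the mismatch described in the post above, as an added example that is not part of the original post: it decodes the DER value of an extKeyUsage extension and reports which OIDs were requested but not issued, and the reverse. The byte strings are constructed here to mirror the two EKU lists in the post, and the function names are hypothetical.

```python
# Added example (not from the original post): diff requested vs. issued EKU OIDs.
EKU_NAMES = {  # display names as they appear in the post
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.8.2.2": "IP Security IKE Intermediate",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes (base-128 sub-identifiers)."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, acc = [], 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)  # first sub-identifier packs two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_eku(ext_value):
    """Parse an extKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids

def eku_diff(requested, issued):
    """Return (requested but not issued, issued but not requested)."""
    req, got = parse_eku(requested), parse_eku(issued)
    return [o for o in req if o not in got], [o for o in got if o not in req]

# Constructed sample values mirroring the CSR and the certificate in the post.
REQUESTED = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505080202")
ISSUED = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
```

`eku_diff(REQUESTED, ISSUED)` returns the OID lists; `EKU_NAMES` maps them back to the names shown in the post.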