Is it possible to change value of X509v3 Extended Key Usage?

My domain is: wulicoco.online

The operating system my web server runs on is (include version): Windows Subsystem for Linux 2

Hi, everyone.

Is it possible to change the value of Extended Key Usage in an existing certificate, or to specify the value when requesting the certificate?

I noticed that the default value is TLS Web Server Authentication, TLS Web Client Authentication requested from Let's Encrypt.

And I would like to secure the docker daemon and client by enabling TLS authentication.
It requires the value to be serverAuth and clientAuth instead of TLS Web Server Authentication, TLS Web Client Authentication.

How can I achieve this?

Can I specify a custom extfile.cnf ?

Thank you in advance.

2 Likes

Hi @krave1986,

You don't have to change anything - serverAuth is, in fact, TLS Web Server Authentication and clientAuth is TLS Web Client Authentication. If you check the relevant RFC document (RFC 5280), on page 44 (section 4.2.1.12) you will find the definitions of id-kp-serverAuth and id-kp-clientAuth and their "user-friendly" descriptions.

But, be careful! I'm not familiar with Docker's TLS-based client authentication, but in many cases (other software) configuring certificate-based client authentication may cause the server to accept ALL certificates from the specified CA as valid client certificates (and I guess you don't want to allow all Let's Encrypt certificates to successfully authenticate to your Docker daemon). Additional configuration may be required, and sometimes it is easier to go with your own self-signed CA in that case (remember that Let's Encrypt certificates require renewal every 90 days and you can't change that).

4 Likes

No.

You don't need to do anything.
I concur with @damisanet, they are one and the same.

2 Likes

You can double check it based on the OID numbers in the cert:

1.3.6.1.5.5.7.3.1 (Server Auth)
1.3.6.1.5.5.7.3.2 (Client Auth)

I believe the actual descriptions are arbitrary but the OID is set in stone.

3 Likes

You are right. I can confirm that

  1. certificates created with serverAuth include TLS Web Server Authentication as the X509v3 Extended Key Usage.
  2. certificates created with clientAuth include TLS Web Client Authentication as the X509v3 Extended Key Usage.

The difference between the config file (extfile.cnf) and the certificate is a little confusing.

1 Like

Could you please share some info about how to check OID numbers in certs?

In Windows using Chrome you can click the padlock icon, click Certificate >

1 Like
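An added example (not from any post in this thread) that makes the point of the replies above concrete: the names in extfile.cnf (`serverAuth`, `clientAuth`) and the names printed by `openssl x509 -text` (`TLS Web Server Authentication`, `TLS Web Client Authentication`) are two labels for the same OIDs, 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2, and it is only the OIDs that are stored in the certificate. The code below, written for this thread using only the Python standard library, DER-encodes and decodes the Extended Key Usage extension by hand, so you can see the exact bytes, and answers the "how do I check the OID numbers" question by locating that extension in raw certificate bytes. The sample extension bytes and the fake certificate are constructed inline; the function names and the simplifying assumptions (short-form lengths, a single match of the extKeyUsage OID) are mine and are noted in the comments.

```python
# Added example for this thread, not code from any reply. Standard library only.
#
# X509v3 Extended Key Usage is a SEQUENCE of OIDs (RFC 5280, section 4.2.1.12).
# OpenSSL's config file uses the *short* names, its text output uses the *long*
# names; the certificate itself carries only the OID bytes.

# OID -> (OpenSSL short name, OpenSSL long name). OIDs are the id-kp arc from
# RFC 5280; the names are the ones OpenSSL's object table uses.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": ("serverAuth", "TLS Web Server Authentication"),
    "1.3.6.1.5.5.7.3.2": ("clientAuth", "TLS Web Client Authentication"),
    "1.3.6.1.5.5.7.3.3": ("codeSigning", "Code Signing"),
    "1.3.6.1.5.5.7.3.4": ("emailProtection", "E-mail Protection"),
    "1.3.6.1.5.5.7.3.8": ("timeStamping", "Time Stamping"),
    "1.3.6.1.5.5.7.3.9": ("OCSPSigning", "OCSP Signing"),
}
SHORT_TO_OID = {short: oid for oid, (short, _) in EKU_NAMES.items()}
EXT_KEY_USAGE_OID = "2.5.29.37"  # id-ce-extKeyUsage, the extension's own OID


def encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as a tag-0x06 TLV (first two arcs share one subidentifier)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for sub in subids:  # base-128, high bit set on all but the last byte
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        body += chunk
    return b"\x06" + encode_length(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, applied to the value bytes of a tag-0x06 TLV."""
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs + subids[1:]))


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_eku_extension(short_names) -> bytes:
    """Build the Extension TLV that `extendedKeyUsage = a, b` in extfile.cnf yields."""
    seq_body = b"".join(encode_oid(SHORT_TO_OID[n]) for n in short_names)
    eku_value = b"\x30" + encode_length(len(seq_body)) + seq_body
    ext_body = (encode_oid(EXT_KEY_USAGE_OID)
                + b"\x04" + encode_length(len(eku_value)) + eku_value)
    return b"\x30" + encode_length(len(ext_body)) + ext_body


def decode_eku_extension(ext_der: bytes):
    """Parse an Extension TLV; return [(oid, short_name, long_name), ...]."""
    tag, ext_body, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_bytes, pos = read_tlv(ext_body, 0)
    if tag != 0x06 or decode_oid(oid_bytes) != EXT_KEY_USAGE_OID:
        raise ValueError("not an extKeyUsage extension")
    tag, val, pos = read_tlv(ext_body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the OCTET STRING
        tag, val, pos = read_tlv(ext_body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, seq_body, _ = read_tlv(val, 0)
    result, pos = [], 0
    while pos < len(seq_body):
        tag, oid_bytes, pos = read_tlv(seq_body, pos)
        oid = decode_oid(oid_bytes)
        short, long_name = EKU_NAMES.get(oid, ("unknown", "unknown"))
        result.append((oid, short, long_name))
    return result


def find_eku_in_cert(cert_der: bytes):
    """Locate and decode the EKU extension in raw DER certificate bytes.
    Simplification (assumed): the Extension header is 2 bytes (short-form
    length, true for any realistic EKU) and the extKeyUsage OID appears once."""
    idx = cert_der.find(encode_oid(EXT_KEY_USAGE_OID))  # 06 03 55 1d 25
    return None if idx < 2 else decode_eku_extension(cert_der[idx - 2:])


# Constructed sample: the EKU extension a Let's Encrypt leaf carries
# (serverAuth + clientAuth). Nothing in here comes from a real certificate.
SAMPLE_EKU_EXTENSION = bytes.fromhex(
    "301d 0603551d25 0416 3014 06082b06010505070301 06082b06010505070302"
)
# Constructed stand-in for certificate bytes: filler around the extension.
FAKE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 12 + SAMPLE_EKU_EXTENSION + b"\xbb" * 6

if __name__ == "__main__":
    for oid, short, long_name in decode_eku_extension(SAMPLE_EKU_EXTENSION):
        print(f"{oid}  extfile.cnf name: {short:<11} openssl -text name: {long_name}")
    print("extfile 'serverAuth, clientAuth' produces identical bytes:",
          encode_eku_extension(["serverAuth", "clientAuth"]) == SAMPLE_EKU_EXTENSION)
```

On a real certificate, `openssl x509 -in cert.pem -noout -text` shows the long names, and `openssl x509 -in cert.pem -outform DER` gives the bytes that `find_eku_in_cert` expects; either way, what is compared during TLS is the OID, so there is nothing to change when moving from the config file's `serverAuth`/`clientAuth` to the certificate's printed description.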

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.