The operating system my web server runs on is (include version): Windows Subsystem for Linux 2
Hi, everyone.
Is it possible to change the value of Extended Key Usage in an existing certificate, or to specify the value when requesting the certificate?
I noticed that the default value requested from Let's Encrypt is TLS Web Server Authentication, TLS Web Client Authentication.
And I would like to secure the Docker daemon and client by enabling TLS authentication.
It requires the value to be serverAuth and clientAuth instead of TLS Web Server Authentication, TLS Web Client Authentication.
You don't have to change anything - serverAuth is, in fact, TLS Web Server Authentication and clientAuth is TLS Web Client Authentication. If you check the relevant RFC document (RFC 5280), on page 44 (section 4.2.1.12) you will find definitions of id-kp-serverAuth and id-kp-clientAuth and their "user-friendly" descriptions.
But, be careful! I'm not familiar with Docker's TLS-based client authentication, but in many cases (other software) configuring certificate-based client authentication may cause the server to accept ALL certificates from the specified CA as valid client certificates (and I guess you don't want to allow all Let's Encrypt certificates to successfully authenticate to your Docker daemon). Additional configuration may be required, and sometimes it is easier to go with your own self-signed CA in that case (remember that Let's Encrypt certificates require renewal every 90 days and you can't change that).
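The naming point in the answer above, as an added example that is not part of the original thread: the certificate stores each purpose as an OID, and serverAuth / TLS Web Server Authentication are the short and long labels OpenSSL gives the same OID. The sample bytes are constructed, and the function names are hypothetical.

```python
# OID -> (RFC 5280 name, OpenSSL short name, OpenSSL long name)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": ("id-kp-serverAuth", "serverAuth", "TLS Web Server Authentication"),
    "1.3.6.1.5.5.7.3.2": ("id-kp-clientAuth", "clientAuth", "TLS Web Client Authentication"),
}
# Constructed sample extnValue: SEQUENCE { OID ...3.1, OID ...3.2 }
SAMPLE_EKU_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted-decimal."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:  # continuation bit: more bytes in this arc
            continue
        if not arcs:  # first subidentifier packs the first two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def eku_purposes(der):
    """Return the purpose OIDs listed in an EKU extension value."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids

def has_purposes(der, short_names):  # are all named purposes present?
    present = {EKU_NAMES[o][1] for o in eku_purposes(der) if o in EKU_NAMES}
    return set(short_names) <= present
```

`has_purposes(SAMPLE_EKU_DER, ["serverAuth", "clientAuth"])` returns `True` for a value that a text dump would label with the two long names.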