From 9252439816bb983e9754a011cd9fe19f737df04d Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Mon, 20 Mar 2023 11:29:50 +0300
Subject: [PATCH] No need in digitalSignature KeyUsage for CA certificate

---
 cmd/cer-selfsigned-example/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/cer-selfsigned-example/main.go b/cmd/cer-selfsigned-example/main.go
index 942de48..8b79359 100644
--- a/cmd/cer-selfsigned-example/main.go
+++ b/cmd/cer-selfsigned-example/main.go
@@ -191,7 +191,6 @@ func main() {
 	spki = spki[:20]
 
 	cerTmpl := x509.Certificate{
-		KeyUsage:           x509.KeyUsageDigitalSignature,
 		NotBefore:          notBefore,
 		NotAfter:           notAfter,
 		SerialNumber:       sn,
@@ -202,9 +201,10 @@ func main() {
 	if *ca {
 		cerTmpl.BasicConstraintsValid = true
 		cerTmpl.IsCA = true
-		cerTmpl.KeyUsage |= x509.KeyUsageCertSign
+		cerTmpl.KeyUsage = x509.KeyUsageCertSign
 	} else {
 		cerTmpl.DNSNames = []string{*cn}
+		cerTmpl.KeyUsage = x509.KeyUsageDigitalSignature
 	}
 
 	if caCer == nil {
-- 
2.48.1