acme: set correct KeyUsage and ExtKeyUsage

A certificate must have the Server Auth Extended Key Usage to be used
for TLS, and an ECDSA certificate must have the Digital Signature Key
Usage to be used at all (you can't encrypt to an ECDSA key).

crypto/tls ignores (E)KUs when serving certificates, and most browsers
do as well, so it works, but OpenSSL would refuse to serve these
certificates, and clients would be allowed to reject them.

Change-Id: I699e58e613f01077e6b67fdb9e789d46e1672112
Run-TryBot: Alex Vaghin <>
TryBot-Result: Gobot Gobot <>
Reviewed-by: Alex Vaghin <>
1 file changed
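
An added example, not part of the commit or of the acme package's own code: it builds a self-signed ECDSA certificate and flags the two usage problems the commit message describes. The helper names `selfSigned` and `checkServerUsages`, the `example.test` name, and the "before" KeyUsage value are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway ECDSA P-256 leaf; name and validity are constructed.
func selfSigned(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServerUsages lists the usage problems named in the commit message.
func checkServerUsages(c *x509.Certificate) (problems []string) {
	if _, ok := c.PublicKey.(*ecdsa.PublicKey); ok && c.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "ECDSA key without Digital Signature KeyUsage")
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth {
			return problems
		}
	}
	return append(problems, "missing Server Auth ExtKeyUsage")
}

func main() {
	weak, _ := selfSigned(x509.KeyUsageKeyEncipherment, nil) // constructed "before" values
	fixed, _ := selfSigned(x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println(checkServerUsages(weak), checkServerUsages(fixed))
}
```

Running the same check over certificates loaded from disk with `x509.ParseCertificate` shows which ones a strict peer could reject even though crypto/tls serves them.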