From 3ecb6a7c3ff91e6ad50891cf3083ee804a9f9562 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 21 Oct 2019 17:55:06 -0400
Subject: [PATCH] SSL Issue 79 - Add extended type to all certs

---
 salt/ca/files/signing_policies.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf
index b0dd33868..fb79a3cc2 100644
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -10,6 +10,7 @@ x509_signing_policies:
     - keyUsage: "digitalSignature, nonRepudiation"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
     - days_valid: 820
     - copypath: /etc/pki/issued_certs/
   registry:
@@ -23,6 +24,7 @@ x509_signing_policies:
     - keyUsage: "critical keyEncipherment"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
     - days_valid: 820
     - copypath: /etc/pki/issued_certs/
   masterssl:
@@ -50,6 +52,7 @@ x509_signing_policies:
     - keyUsage: "critical keyEncipherment"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
     - days_valid: 820
     - copypath: /etc/pki/issued_certs/
   fleet:
@@ -63,5 +66,6 @@ x509_signing_policies:
     - keyUsage: "critical keyEncipherment"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
     - days_valid: 820
     - copypath: /etc/pki/issued_certs/