Hello!
Issue details
Currently the CLI checks for KeyUsageCertSign when trying to create an x5c provisioner:
cli/command/ca/provisioner/add.go (line 628 in 6d65706)
However, the API does not require this enforcement. The only requirement is for the client certificate to have Digital Signature in its Key Usage so it can sign the tokens.
Why is this needed?
The step API allows creating an x5c provisioner with certificates without KeyUsageCertSign. This is very useful if I want to create an X5C provisioner that is valid for only a single certificate and not every certificate signed by a CA.
This currently works as expected when creating an X5C provisioner via the API, i.e. I can create a self-signed certificate and create an X5C provisioner via the API with its public key. Then use the certificate in step ca certificate flags --x5c-cert and --x5c-key and it authenticates correctly while denying all other certificates.
I can make a PR to change this section of code to not require KeyUsageCertSign if folks think this is acceptable.
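The two checks contrasted in the issue (the CLI's KeyUsageCertSign requirement versus the API's Digital-Signature-only rule), as an added Go example that is not code from the issue or from the smallstep cli; `checkX5CRoot` and `selfSignedCert` are hypothetical names, and the certificate the helper builds is a constructed test fixture, not one issued by step-ca:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// checkX5CRoot validates a certificate for use as an x5c provisioner root.
// requireCertSign=true mirrors the CLI check the issue describes; false is
// the relaxed API rule: only Digital Signature is needed to sign tokens.
func checkX5CRoot(cert *x509.Certificate, requireCertSign bool) error {
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("x5c root lacks Digital Signature key usage")
	}
	if requireCertSign && cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("x5c root lacks Certificate Sign key usage")
	}
	return nil
}

// selfSignedCert builds a constructed, self-signed test certificate with the
// given key usage bits (hypothetical helper, not a step-ca certificate).
func selfSignedCert(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "x5c-leaf.example"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A single self-signed leaf with only Digital Signature passes the relaxed check and fails the strict one, which is exactly the case the issue wants the CLI to accept.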