From 7c9cc4e53262f8e4e3b83296cfe6a741f5609aeb Mon Sep 17 00:00:00 2001
From: Youfu Zhang
Date: Fri, 25 Mar 2022 14:05:03 +0800
Subject: [PATCH] add digitalSignature keyUsage to CA, for signing OCSP response

Signed-off-by: Youfu Zhang
---
 easyrsa3/openssl-easyrsa.cnf | 2 +-
 easyrsa3/x509-types/ca | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index bc8a97e8e..40282e628 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@@ -123,7 +123,7 @@ basicConstraints = critical, CA:true
 
 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.
-keyUsage = critical, cRLSign, keyCertSign
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
 
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA
diff --git a/easyrsa3/x509-types/ca b/easyrsa3/x509-types/ca
index a9b4fbb58..775ec6488 100644
--- a/easyrsa3/x509-types/ca
+++ b/easyrsa3/x509-types/ca
@@ -9,4 +9,4 @@
 basicConstraints = critical, CA:TRUE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
-keyUsage = critical, cRLSign, keyCertSign
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
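Review bot: The comment above `keyUsage` in easyrsa3/openssl-easyrsa.cnf still says only "Limit key usage to CA tasks" and gives no reason for the new `digitalSignature` bit, and the same change in easyrsa3/x509-types/ca has no comment at all. The reason exists only in the commit subject, so I would record it next to the setting in both files, e.g. `# digitalSignature lets the CA key sign OCSP responses directly; remove it when a delegated OCSP responder certificate is used.` The bit is added unconditionally, so every CA certificate built from these two files (presumably including subordinate CAs signed with the `ca` type) gets the wider usage whether or not it serves OCSP. Signing responses with the CA key itself also means that key must be reachable by the responder, so this may be better offered as an opt-in or documented as a trade-off against a dedicated responder certificate.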