From 48201132bd1502d5244cc7a87108762d6ea43456 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mika=C3=ABl=20Cluseau?=
Date: Sun, 29 Jun 2025 08:25:28 +0200
Subject: [PATCH] relax cert verification constraints we have more than just server auth!
---
 cmd/dkl-local-server/tls-ca.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/dkl-local-server/tls-ca.go b/cmd/dkl-local-server/tls-ca.go
index 21e647a..5f7d43f 100644
--- a/cmd/dkl-local-server/tls-ca.go
+++ b/cmd/dkl-local-server/tls-ca.go
@@ -148,7 +148,7 @@ func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.Cer
 return
 }
- _, err = cert.Verify(x509.VerifyOptions{Roots: pool})
+ _, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
 return
 }()
 if err == nil {
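Review bot: `x509.ExtKeyUsageAny` on the new `cert.Verify` line switches extended-key-usage checking off entirely instead of widening it to the usages this CA actually issues. With `KeyUsages` empty, Go defaults to `ExtKeyUsageServerAuth`, which explains the earlier rejections; with `Any`, a stored certificate passes this check whatever its EKU, so one issued for a different purpose than the requested `profile` would presumably still be treated as usable (the profile-to-usage mapping is outside the hunk, so this is inferred). An explicit list keeps the check meaningful, e.g. `KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}`, since Verify accepts a chain that is valid for any listed usage. If `Any` is intentional, say so next to the call: `// EKU deliberately not checked: this only confirms the cert chains to the CA pool and is within its validity period`. The body of getUsableKeyCert starts and ends outside the hunk.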