From 7ec3a3739d2c3ae7cda87eeffdefde39583b62df Mon Sep 17 00:00:00 2001
From: do
Date: Fri, 12 Feb 2021 19:19:23 +0100
Subject: [PATCH] keyUsage and intca for all
---
 base/pki/host.sls | 1 +
 base/pki/signing_policies.conf | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/base/pki/host.sls b/base/pki/host.sls
index 1b4ced3..f464441 100644
--- a/base/pki/host.sls
+++ b/base/pki/host.sls
@@ -38,6 +38,7 @@
 - append
 - sources:
 - /etc/pki/{{ cn }}.crt
+ - /etc/pki/intca.crt
 - /etc/pki/private.key
 - require:
 - file: /etc/pki/chain
diff --git a/base/pki/signing_policies.conf b/base/pki/signing_policies.conf
index 85b94fe..63dec1d 100644
--- a/base/pki/signing_policies.conf
+++ b/base/pki/signing_policies.conf
@@ -11,8 +11,8 @@ x509_signing_policies:
 - ST: Berlin
 - L: Berlin
 - basicConstraints: "critical CA:false"
- - keyUsage: "critical keyEncipherment"
+ - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment"
 - subjectKeyIdentifier: hash
 - authorityKeyIdentifier: keyid,issuer:always
- - days_valid: 360
+ - days_valid: 365
 - copypath: /etc/pki/issued_certs/
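Review bot: The added source `/etc/pki/intca.crt` has no visible ordering guarantee, because the only requisite shown in the hunk is `file: /etc/pki/chain`. On a first run the append could therefore execute before the intermediate certificate exists on the minion. If the requisite list does not continue past the hunk, add an entry for whichever state deploys the intermediate, along the lines of `- file: <id of the state that writes /etc/pki/intca.crt>` (placeholder; that state is not on this page). The assembled file also contains `/etc/pki/private.key`, so a comment such as `# bundle holds the private key: keep it owner-only` would help. The state's header is outside the hunk, so I cannot see whether owner and mode are already set there.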
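Review bot: The new `keyUsage` value drops the `critical` flag that the old line carried, and it adds `nonRepudiation` to every certificate issued under this policy. RFC 5280 recommends marking keyUsage critical when it is present, and without the flag a relying party that does not process the extension may ignore the restriction. Adding `digitalSignature` is reasonable for TLS hosts, but `nonRepudiation` asserts a purpose a host key rarely needs; if nothing depends on it, prefer `- keyUsage: "critical digitalSignature, keyEncipherment"`. No `extendedKeyUsage` entry is visible in the hunk, though the policy block starts and may continue outside it, so one may be set elsewhere.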