Remove id-kp-clientAuth from intermediate ceremony (#8265)

Fixes #8264

Author: aarongable

cmd/ceremony/cert.go

@@ -305,12 +305,11 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 	case crlCert:
 		cert.IsCA = false
 	case requestCert, intermediateCert:
-		// id-kp-serverAuth and id-kp-clientAuth are included in intermediate
-		// certificates in order to technically constrain them. id-kp-serverAuth
-		// is required by 7.1.2.2.g of the CABF Baseline Requirements, but
-		// id-kp-clientAuth isn't. We include id-kp-clientAuth as we also include
-		// it in our end-entity certificates.
-		cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
+		// id-kp-serverAuth is included in intermediate certificates, as required by
+		// Section 7.1.2.10.6 of the CA/BF Baseline Requirements.
+		// id-kp-clientAuth is excluded, as required by section 3.2.1 of the Chrome
+		// Root Program Requirements.
+		cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 		cert.MaxPathLenZero = true
 	case crossCert:
 		cert.ExtKeyUsage = tbcs.ExtKeyUsage

cmd/ceremony/cert_test.go

@@ -133,9 +133,8 @@ func TestMakeTemplateRoot(t *testing.T) {
 	cert, err = makeTemplate(randReader, profile, pubKey, nil, intermediateCert)
 	test.AssertNotError(t, err, "makeTemplate failed when everything worked as expected")
 	test.Assert(t, cert.MaxPathLenZero, "MaxPathLenZero not set in intermediate template")
-	test.AssertEquals(t, len(cert.ExtKeyUsage), 2)
-	test.AssertEquals(t, cert.ExtKeyUsage[0], x509.ExtKeyUsageClientAuth)
-	test.AssertEquals(t, cert.ExtKeyUsage[1], x509.ExtKeyUsageServerAuth)
+	test.AssertEquals(t, len(cert.ExtKeyUsage), 1)
+	test.AssertEquals(t, cert.ExtKeyUsage[0], x509.ExtKeyUsageServerAuth)
 }
 
 func TestMakeTemplateRestrictedCrossCertificate(t *testing.T) {