From a9643b477417029db73aacbfcf5778cedd97cd95 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Mon, 19 Dec 2022 14:33:42 +0400
Subject: [PATCH] fix: use proper key usage for apid client certificate

This command is referenced from PKI recovery documentation.

Signed-off-by: Andrey Smirnov
---
 cmd/talosctl/cmd/mgmt/gen/crt.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cmd/talosctl/cmd/mgmt/gen/crt.go b/cmd/talosctl/cmd/mgmt/gen/crt.go
index 294d534de9..76de67b892 100644
--- a/cmd/talosctl/cmd/mgmt/gen/crt.go
+++ b/cmd/talosctl/cmd/mgmt/gen/crt.go
@@ -76,7 +76,11 @@ var genCrtCmd = &cobra.Command{
 return fmt.Errorf("error parsing CSR: %s", err)
 }
 
- signedCrt, err := x509.NewCertificateFromCSR(caCrt, caKey, ccsr, x509.NotAfter(time.Now().Add(time.Duration(genCrtCmdFlags.hours)*time.Hour)))
+ signedCrt, err := x509.NewCertificateFromCSR(caCrt, caKey, ccsr,
+ x509.NotAfter(time.Now().Add(time.Duration(genCrtCmdFlags.hours)*time.Hour)),
+ x509.KeyUsage(stdlibx509.KeyUsageDigitalSignature),
+ x509.ExtKeyUsage([]stdlibx509.ExtKeyUsage{stdlibx509.ExtKeyUsageClientAuth}),
+ )
 if err != nil {
 return fmt.Errorf("error signing certificate: %s", err)
 }
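Review bot: The `x509.KeyUsage` and `x509.ExtKeyUsage` options added to the `x509.NewCertificateFromCSR` call apply to every CSR this command signs, not only the apid client certificate named in the commit subject, and nothing at the call site records that. A comment above the call would make the restriction deliberate and visible, e.g. `// Certificates issued here are client-auth only: digital signature key usage plus the ClientAuth EKU.` If the command's help text, which is outside this hunk, presents it as a general-purpose certificate generator, it should state the same limitation so operators following the PKI recovery documentation do not expect a certificate usable for server authentication. The enclosing function inside `genCrtCmd` starts and ends outside the hunk.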