Bug 57165 - univention-certificate should set extendedKeyUsage attribute
univention-certificate should set extendedKeyUsage attribute
Status: NEW
Product: UCS
Classification: Unclassified
Component: SSL
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks:
Reported: 2024-03-19 12:53 CET by Moritz Bunkus
Modified: 2024-03-19 12:53 CET (History)
0 users

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Moritz Bunkus 2024-03-19 12:53:22 CET
There are several server applications out there (both Windows- & Linux-based) that test if a certificate's key usage is flagged for "TLS server authentication". If the attribute ("extended key usage") isn't present, or if it doesn't contain the flag for "TLS server authentication", such software won't allow the use of such a certificate.

Unfortunately the certificates created by "univention-certificate" don't include that attribute in the request. The script "/usr/share/univention-ssl/make-certificates.sh" contains the function "mk_config" which hardcodes the whole "openssl.cnf" content, and there simply are no provisions for "extendedKeyUsage".

Therefore if one wants to use a certificate provided by the UCS CA with such software one has to:

- edit /etc/univention/ssl/<name>/openssl.cnf
- add "extendedKeyUsage = serverAuth" in the "[v3_req]" section
- re-create the request
- re-sign the request

Steps 3 & 4 are most likely completely outside the scope of knowledge for a lot of admins. Therefore it would be really nice if that attribute could either be set by default or be specified as a parameter to "univention-certificate".
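The manual workaround described in the report, carried through as an added example (this is not code from the bug report or from univention-ssl's make-certificates.sh): a request config whose [v3_req] section declares extendedKeyUsage, a CSR generated from it, a signature by a throw-away test CA that copies those extensions into the certificate, and a check that the signed certificate, not only the request, advertises TLS server authentication. The CN, file names and the test CA are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of univention-ssl.
# The CN, directory layout and throw-away CA below are constructed here.

# Print a request config; $1 = CN, $2 = EKU list (defaults to serverAuth).
mk_req_config() {
    cn="$1"
    eku="${2:-serverAuth}"
    cat <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
CN = $cn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName   = DNS:$cn
EOF
}

# Create a self-signed test CA in directory $1 (for the example only).
mk_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Write openssl.cnf, private key and CSR for CN $2 (EKU list $3) into $1.
mk_csr() {
    mk_req_config "$2" "$3" > "$1/openssl.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/openssl.cnf" \
        -keyout "$1/private.key" -out "$1/req.pem" 2>/dev/null
}

# Sign $1/req.pem with the test CA. "openssl x509 -req" does not carry the
# request's own extensions over by default, so -extfile/-extensions are what
# actually put extendedKeyUsage into the certificate.
sign_csr() {
    openssl x509 -req -days 1 -in "$1/req.pem" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions v3_req \
        -out "$1/cert.pem" 2>/dev/null
}

# Return 0 if the CSR at $1 advertises TLS server authentication.
csr_has_server_auth() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Return 0 if the certificate at $1 advertises TLS server authentication.
# Check the certificate, not just the request: the CA decides what survives.
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# End-to-end run: config -> CSR -> signed certificate -> check.
demo() {
    work=$(mktemp -d)
    mk_test_ca "$work"
    mk_csr "$work" "host.example.test"
    sign_csr "$work"
    if cert_has_server_auth "$work/cert.pem"; then
        echo "cert.pem carries extendedKeyUsage serverAuth"
    else
        echo "cert.pem lacks serverAuth" >&2
    fi
    rm -rf "$work"
}

# Run the demonstration only when asked: sh this_file.sh demo
case "${1:-}" in demo) demo ;; esac
```

The same `cert_has_server_auth` check is the quick way to confirm, on an existing UCS host, whether a certificate issued by the UCS CA carries the flag before handing it to software that insists on it.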