From b5332f2d86b933dda2c753f9c0deb12c75f0c12e Mon Sep 17 00:00:00 2001
From: Jesper Noordsij
Date: Mon, 19 May 2025 15:10:30 +0200
Subject: [PATCH 1/2] Add extendedKeyUsage = serverAuth to dind generated server cert

Matches upstream documentation recommendations on https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket
---
 28/dind/dockerd-entrypoint.sh | 1 +
 dockerd-entrypoint.sh | 1 +
 2 files changed, 2 insertions(+)

diff --git a/28/dind/dockerd-entrypoint.sh b/28/dind/dockerd-entrypoint.sh
index 6c06bb811..bc66308ec 100755
--- a/28/dind/dockerd-entrypoint.sh
+++ b/28/dind/dockerd-entrypoint.sh
@@ -53,6 +53,7 @@ _tls_generate_certs() {
 -subj '/CN=docker:dind server'
 cat > "$dir/server/openssl.cnf" <<-EOF
 [ x509_exts ]
+ extendedKeyUsage = serverAuth
 subjectAltName = $(_tls_san)
 EOF
 openssl x509 -req \
diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
index 6c06bb811..bc66308ec 100755
--- a/dockerd-entrypoint.sh
+++ b/dockerd-entrypoint.sh
@@ -53,6 +53,7 @@ _tls_generate_certs() {
 -subj '/CN=docker:dind server'
 cat > "$dir/server/openssl.cnf" <<-EOF
 [ x509_exts ]
+ extendedKeyUsage = serverAuth
 subjectAltName = $(_tls_san)
 EOF
 openssl x509 -req \
From 52c8bfa9869c9c5605c6c03dc9a82cfe426ace77 Mon Sep 17 00:00:00 2001
From: Jesper Noordsij
Date: Mon, 19 May 2025 15:33:06 +0200
Subject: [PATCH 2/2] Add keyUsage extension to dind generated CA cert

Required for compliance with X.509 RFCs
---
 28/dind/dockerd-entrypoint.sh | 5 ++++-
 dockerd-entrypoint.sh | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/28/dind/dockerd-entrypoint.sh b/28/dind/dockerd-entrypoint.sh
index bc66308ec..8a291dfa5 100755
--- a/28/dind/dockerd-entrypoint.sh
+++ b/28/dind/dockerd-entrypoint.sh
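Review bot: The server certificate's `[ x509_exts ]` section still carries no `keyUsage` and no `basicConstraints`, so after this change the leaf pins its extended purpose to serverAuth but leaves the raw key usage unrestricted, the same hardening the second patch applies to the CA. Adding `keyUsage = critical, digitalSignature, keyEncipherment` and `basicConstraints = CA:FALSE` next to the new `extendedKeyUsage = serverAuth` line would make the leaf profile consistent with the CA (keyEncipherment is only meaningful for an RSA key; the key type comes from `_tls_ensure_private`, which is not in this hunk). The `openssl x509 -req` invocation that consumes this config continues past the end of the hunk, and the identical hunk for `dockerd-entrypoint.sh` needs the same addition. It is also worth confirming that the client certificate config, which is outside this diff, sets `extendedKeyUsage = clientAuth` so both ends of the mTLS exchange have their EKU pinned.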
@@ -41,7 +41,10 @@ _tls_generate_certs() {
 _tls_ensure_private "$dir/ca/key.pem"
 openssl req -new -key "$dir/ca/key.pem" \
 -out "$dir/ca/cert.pem" \
- -subj '/CN=docker:dind CA' -x509 -days "$certValidDays"
+ -subj '/CN=docker:dind CA' \
+ -x509 \
+ -days "$certValidDays" \
+ -addext keyUsage=critical,digitalSignature,keyCertSign
 fi
 if [ -s "$dir/ca/key.pem" ]; then
diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
index bc66308ec..8a291dfa5 100755
--- a/dockerd-entrypoint.sh
+++ b/dockerd-entrypoint.sh
@@ -41,7 +41,10 @@ _tls_generate_certs() {
 _tls_ensure_private "$dir/ca/key.pem"
 openssl req -new -key "$dir/ca/key.pem" \
 -out "$dir/ca/cert.pem" \
- -subj '/CN=docker:dind CA' -x509 -days "$certValidDays"
+ -subj '/CN=docker:dind CA' \
+ -x509 \
+ -days "$certValidDays" \
+ -addext keyUsage=critical,digitalSignature,keyCertSign
 fi
 if [ -s "$dir/ca/key.pem" ]; then
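Review bot: The new `keyUsage` is marked critical but omits `cRLSign`, so a strict verifier would reject any CRL this CA later issued; if revocation is deliberately out of scope for dind that is acceptable, otherwise `-addext keyUsage=critical,digitalSignature,keyCertSign,cRLSign` is the usual CA profile. The extension only lands on freshly generated CAs: the `openssl req` call sits inside an `if` whose condition opens before the hunk (the `fi` is the first context line after the added lines), which presumably guards on the CA certificate already existing, so CAs persisted in existing volumes keep the old extension-less certificate and that limitation is worth stating in the commit message. `-addext` requires OpenSSL 1.1.1 or newer; the OpenSSL version in the image is not visible here, so confirm it on every supported base. The identical hunk for `dockerd-entrypoint.sh` has the same points.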