From ade4983d6dbc2062cecd2117a4311508488f0bc0 Mon Sep 17 00:00:00 2001
From: mmerrill3
Date: Mon, 16 Mar 2020 14:03:02 -0400
Subject: [PATCH] Adding client usage extension for server cert (#305)
Signed-off-by: mmerrill3
---
 pkg/etcd/pki.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/etcd/pki.go b/pkg/etcd/pki.go
index dd953763..7eb051a3 100644
--- a/pkg/etcd/pki.go
+++ b/pkg/etcd/pki.go
@@ -61,9 +61,11 @@ func (p *etcdProcess) createKeypairs(peersCA *pki.Keypair, clientsCA *pki.Keypai
 keypairs := pki.Keypairs{Store: store}
 keypairs.SetCA(clientsCA)
+ // The server cert is used by the gRPC library of etcd as a client cert for meta checks, like health
+ // See https://github.com/etcd-io/etcd/issues/9785
 certConfig := certutil.Config{
 CommonName: me.Name,
- Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 }
 if err := addAltNames(&certConfig, me.ClientUrls); err != nil {
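Review bot: Adding `x509.ExtKeyUsageClientAuth` to `Usages` makes the server keypair a valid client credential, because the cert is issued from `clientsCA` (see `keypairs.SetCA(clientsCA)` just above), and the new comment does not record that consequence. Anything that trusts that CA for client authentication will presumably now accept this cert with `CommonName: me.Name` as the client identity; whether etcd auth maps certificate CNs to users or roles in this deployment is not visible in the hunk. I would extend the comment with `// NOTE: this makes the server key a client credential under clientsCA; the CN (me.Name) must not map to a privileged etcd user.` so the trade-off is explicit to the next maintainer. The body of createKeypairs starts before and continues after this hunk.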