Fix key usage for issued certificates

The key usage should be Digital Signature, not Key Cert Sign. The latter
requires that isCA also be asserted. The certificate's key is only used
to verify signatures, not certificates.

Note that this does not affect the GCP CA.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

pkg/api/grpc_server_test.go

@@ -1225,8 +1225,8 @@ func verifyResponse(resp *protobuf.SigningCertificate, eca *ephemeralca.Ephemera
 	if len(leafCert.SubjectKeyId) != 20 {
 		t.Fatalf("expected certificate subject key ID to be of length 20 bytes, got %d", len(leafCert.SubjectKeyId))
 	}
-	if leafCert.KeyUsage != x509.KeyUsageCertSign {
-		t.Fatalf("unexpected key usage, expected %v, got %v", x509.KeyUsageCertSign, leafCert.KeyUsage)
+	if leafCert.KeyUsage != x509.KeyUsageDigitalSignature {
+		t.Fatalf("unexpected key usage, expected %v, got %v", x509.KeyUsageDigitalSignature, leafCert.KeyUsage)
 	}
 	if len(leafCert.ExtKeyUsage) != 1 {
 		t.Fatalf("unexpected length of extended key usage, expected 1, got %d", len(leafCert.ExtKeyUsage))

pkg/ca/x509ca/common.go

@@ -55,7 +55,7 @@ func MakeX509(subject *challenges.ChallengeResult) (*x509.Certificate, error) {
 		NotAfter:     time.Now().Add(time.Minute * 10),
 		SubjectKeyId: skid,
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
-		KeyUsage:     x509.KeyUsageCertSign,
+		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 
 	switch subject.TypeVal {