diff --git a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
index 1816d5b..271ab55 100644
--- a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
+++ b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
@@ -39,7 +39,7 @@ public sealed class SelfSignedCertificateProvider
         request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
         request.CertificateExtensions.Add(new X509KeyUsageExtension(
-            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment,
+            X509KeyUsageFlags.DigitalSignature,
             critical: true));
         request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
             [new Oid(ServerAuthOid, "Server Authentication")],
diff --git a/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs b/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs
index e376118..986bffb 100644
--- a/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs
+++ b/src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs
@@ -27,6 +27,12 @@ public sealed class SelfSignedCertificateProviderTests
         string sans = ReadSubjectAltNames(cert);
         Assert.Contains("localhost", sans);
         Assert.Contains("gw.internal", sans);
+        Assert.Contains(Environment.MachineName, sans);
+        // Format() renders IP SANs as "IP Address:"; the IPv6 loopback may appear
+        // as "::1" or its expanded form depending on the platform crypto library.
+        Assert.Contains("127.0.0.1", sans);
+        Assert.True(sans.Contains("::1") || sans.Contains("0:0:0:0:0:0:0:1"),
+            $"Expected IPv6 loopback in SANs but got: {sans}");
         X509EnhancedKeyUsageExtension eku = cert.Extensions.OfType().Single();
         Assert.Contains(eku.EnhancedKeyUsages.Cast(),
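Review bot: Dropping KeyEncipherment from a KeyUsage that is marked `critical: true` is only safe if this certificate's key is never used for RSA key transport, i.e. the listener negotiates only (EC)DHE suites or TLS 1.3; the hunk shows neither the key algorithm nor the TLS configuration, so that precondition should be stated next to the flag, e.g. `// DigitalSignature only: the key signs (EC)DHE handshakes and is never used for RSA key transport, so a critical KU without KeyEncipherment is correct and intentionally rejects static-RSA key exchange.` If the key turns out to be RSA and a TLS 1.2 RSA-kx suite is still enabled, a conforming peer will refuse the handshake against this critical extension rather than silently fall back. The test hunk in this commit covers SANs and EKU but nothing visible pins the new KeyUsage; a companion assertion such as `X509KeyUsageExtension ku = cert.Extensions.OfType<X509KeyUsageExtension>().Single();` / `Assert.Equal(X509KeyUsageFlags.DigitalSignature, ku.KeyUsages);` / `Assert.True(ku.Critical);` would keep the flag from regressing. The enclosing method begins and ends outside this hunk, so the key generation that decides whether this is right is not in view.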