From 4f8577a98829f23372a1e573dd5146a7f56e0d8b Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Tue, 3 Dec 2019 00:13:08 -0600 Subject: [PATCH] hxtool: add cert type: https-negotiate-server --- lib/hx509/hxtool.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index d55035d28..c934e5a14 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1674,6 +1674,16 @@ https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt
 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
 }
 
+static int
+https_negotiate_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+{
+ int ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
+ opt->pkinit++;
+ return ret;
+}
+
 static int
 https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
@@ -1747,6 +1757,11 @@ struct {
 "Certificates used for Kerberos PK-INIT KDC certificates",
 pkinit_kdc
 },
+ {
+ "https-negotiate-server",
+ "Used for HTTPS server and many other TLS server certificate types",
+ https_negotiate_server
+ },
 {
 "peap-server",
 "Certificate used for Radius PEAP (Protected EAP)",
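Review bot: `https_negotiate_server` has no comment explaining why a TLS server certificate also receives `asn1_oid_id_pkekuoid`, the PKINIT client-authentication EKU, alongside `asn1_oid_id_pkix_kp_serverAuth`. Combining the two means the web server's private key is presumably also good for authenticating to a KDC, so a key compromise reaches further than for a plain `https-server` certificate. A header comment should record that this is deliberate, for example `/* TLS server cert that may also act as a PKINIT client (dual EKU); the key is a Kerberos credential too, protect it accordingly. */`. Separately, `opt->pkinit++` runs even when an EKU add failed; `if (ret) return ret;` after each add, with the increment last, would keep `opt` untouched on error.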
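Review bot: The description string for `"https-negotiate-server"` reads like a generic TLS server type and says nothing about the PKINIT EKU that `https_negotiate_server` adds in the first hunk. An operator choosing a type from this table could issue a certificate usable for Kerberos PK-INIT without realising it. Consider wording such as `"HTTPS server certificate that is also usable for Kerberos PK-INIT client authentication"`. The table itself begins and ends outside the hunk, so the neighbouring descriptions could not be compared in full.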