In short, I'd like to be able to accomplish what is outlined in http://openvpn.net/index.php/open-source/documentation/howto.html#mitm in the bulleted section "OpenVPN 2.1 and above". Thanks.

This will be possible when IPA would support multiple certificate profiles.

attachment
pki-ftweedal-0002-Add-EKU-constraint-to-all-relevant-profiles.patch

attachment
pki-ftweedal-0003-Copy-Extended-Key-Usage-from-CSR-when-present.patch

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1200694 (Red Hat Enterprise Linux 7)

Not required for GA.

This can now be achieved with different (custom) profiles.

Whilst that is not what is specifically asked for in the ticket, accepting
user-specified (in CSR) EKU in default profile would require creating a new
Dogtag profile policy default that does something along the lines of:

• use intersection of CSR EKU and default EKU when CSR contains
  EKU request extension
• use default EKU when CSR does not contain EKU request extension

And the default profile would have to be updated to use this new component.

I think specifying a profile with the exact EKU that is appropriate for
a given use case is the most sensible approach (and it is now supported).
Therefore I propose closing this ticket and, if necessary, updating
guides and documentation that refer to getcert '-U' option to indicate
that this is not the intended way to get a particular EKU with FreeIPA.

Closing WONTFIX per above comments and lack of objections.

Feel free to reopen the discussion if custom profiles don't meet a
particular use case involving EKU.