Update CHANGELOG for 1.17.2.

CHANGELOG

@@ -1,5 +1,17 @@
 CHANGELOG
 
+v1.17.2 - 2025-11-21
+
+Note: 1.17.2 was a mangled release.
+
+Changed:
+- certlib: fix request configs in testdata.
+
+v1.17.1 - 2025-11-21
+
+Changed:
+- certlib: various code cleanups.
+
 v1.17.0 - 2025-11-21
 
 Added:

certlib/bundler/bundler.go

@@ -448,13 +448,13 @@ func encodeCertsToFiles(
 				derContent = append(derContent, cert.Raw...)
 			}
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: derContent,
 			})
 		} else if len(certs) > 0 {
 			// Individual DER file (should only have one cert)
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: certs[0].Raw,
 			})
 		}
@@ -472,17 +472,17 @@ func encodeCertsToFiles(
 				derContent = append(derContent, cert.Raw...)
 			}
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: derContent,
 			})
 		} else if len(certs) > 0 {
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: certs[0].Raw,
 			})
 		}
 	default:
-		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', or 'both')", encoding)
+		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', 'both', 'crt', 'pemcrt')", encoding)
 	}
 
 	return files, nil

certlib/certgen/config.go

@@ -60,7 +60,7 @@ type Subject struct {
 	Province           string   `yaml:"province"`
 	Organization       string   `yaml:"organization"`
 	OrganizationalUnit string   `yaml:"organizational_unit"`
-	Email              string   `yaml:"email"`
+	Email              []string `yaml:"email"`
 	DNSNames           []string `yaml:"dns"`
 	IPAddresses        []string `yaml:"ips"`
 }
@@ -92,14 +92,11 @@ func (cs CertificateRequest) Request(priv crypto.PrivateKey) (*x509.CertificateR
 		PublicKeyAlgorithm: 0,
 		PublicKey:          getPublic(priv),
 		Subject:            subject,
+		EmailAddresses:     cs.Subject.Email,
 		DNSNames:           cs.Subject.DNSNames,
 		IPAddresses:        ipAddresses,
 	}
 
-	if cs.Subject.Email != "" {
-		req.EmailAddresses = []string{cs.Subject.Email}
-	}
-
 	reqBytes, err := x509.CreateCertificateRequest(rand.Reader, req, priv)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create certificate request: %w", err)
@@ -130,7 +127,7 @@ func (cs CertificateRequest) Generate() (crypto.PrivateKey, *x509.CertificateReq
 type Profile struct {
 	IsCA         bool     `yaml:"is_ca"`
 	PathLen      int      `yaml:"path_len"`
-	KeyUse       string   `yaml:"key_uses"`
+	KeyUse       []string `yaml:"key_uses"`
 	ExtKeyUsages []string `yaml:"ext_key_usages"`
 	Expiry       string   `yaml:"expiry"`
 }
@@ -161,15 +158,17 @@ func (p Profile) templateFromRequest(req *x509.CertificateRequest) (*x509.Certif
 		IPAddresses:           req.IPAddresses,
 	}
 
-	var ok bool
-	certTemplate.KeyUsage, ok = keyUsageStrings[p.KeyUse]
-	if !ok {
-		return nil, fmt.Errorf("invalid key usage: %s", p.KeyUse)
+	for _, sku := range p.KeyUse {
+		ku, ok := keyUsageStrings[sku]
+		if !ok {
+			return nil, fmt.Errorf("invalid key usage: %s", p.KeyUse)
+		}
+
+		certTemplate.KeyUsage |= ku
 	}
 
-	var eku x509.ExtKeyUsage
 	for _, extKeyUsage := range p.ExtKeyUsages {
-		eku, ok = extKeyUsageStrings[extKeyUsage]
+		eku, ok := extKeyUsageStrings[extKeyUsage]
 		if !ok {
 			return nil, fmt.Errorf("invalid extended key usage: %s", extKeyUsage)
 		}

certlib/testdata/ec-ca.yaml

@@ -9,5 +9,6 @@ subject:
 profile:
   is_ca: true
   path_len: 3
-  key_uses: cert sign
+  key_uses:
+    - cert sign
   expiry: 20y

certlib/testdata/rsa-ca.yaml

@@ -9,5 +9,6 @@ subject:
 profile:
   is_ca: true
   path_len: 3
-  key_uses: cert sign
+  key_uses:
+    - cert sign
   expiry: 20y