Make ra.matchesCSR slightly less strict

ra/ra.go

@@ -764,7 +764,12 @@ func (ra *RegistrationAuthorityImpl) matchesCSR(parsedCertificate *x509.Certific
 	if parsedCertificate.IsCA {
 		return berrors.InternalServerError("generated certificate can sign other certificates")
 	}
-	if !slices.Equal(parsedCertificate.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
+	for _, eku := range parsedCertificate.ExtKeyUsage {
+		if eku != x509.ExtKeyUsageServerAuth && eku != x509.ExtKeyUsageClientAuth {
+			return berrors.InternalServerError("generated certificate doesn't have correct key usage extensions")
+		}
+	}
+	if !slices.Contains(parsedCertificate.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
 		return berrors.InternalServerError("generated certificate doesn't have correct key usage extensions")
 	}