Debugging TLS certificate key usage error with kubectl and curl

Hello, I’m lost at a problem I’m not able to debug further, maybe I can find help here.

In a new cluster v1.29 I can do

```
curl -k \
  --cacert /etc/pki/root_ca/k8s_intermediate_ca/test-k8s-controller-1-admin/test-k8s-controller-1-admin.chain \
  --cert /etc/pki/root_ca/k8s_intermediate_ca/test-k8s-controller-1-admin/test-k8s-controller-1-admin.pem \
  --key /etc/pki/root_ca/k8s_intermediate_ca/test-k8s-controller-1-admin/test-k8s-controller-1-admin-key.pem \
  https://localhost:6443/api/v1/namespaces/default/pods
```

successfully

but if I use

`kubectl --kubeconfig /root/.kube/admin.kubeconfig get pods` with the config created from the same certs, I get

```
couldn't get current server API group list: Get "https://localhost:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate specifies an incompatible key usage
```

To be honest I’m not sure about the key usage that the admin should have. I used “digital signature”, “key encipherment”, “client auth”, “server auth”. It would be great to receive a pointer to where this info is documented.
Any idea?

Crap, I just figured out that I’ve been curling with the -k switch, ignoring cert validation.

In the end it was the key usage on the server side.