excessive extention usage on CA certificates

[necheffa]

When GoCA generates a certificate authority (either root or intermediate) the TLS Web Client Authentication and TLS Web Server Authentication extensions are set. CA certificates should be limited to CA activities (Digital Signature, Certificate Sign, CRL Sign).

This behavior can be validated via visual inspection of a certificate with the OpenSSL command: openssl x509 -noout -text -in myca.crt

[necheffa]

cert.CreateCACert() appears to be where we setup the usage extensions for CA certificates. Should just be a matter of pruning excessive uses from the ExtKeyUsage and KeyUsage fields.

I want to do some more research to make sure our extension selection meets best practices and to design a test case or two.