forked from spacepants/puppet-ds_389
The commit a36dedb tried to work around the bug voxpupuli/puppet-openssl#230, which created puppet run errors and was introduced with v3.0.0.
Now with openssl 3.2.2 (RedHat 9.5) the openssl_ca.cnf creates CA certs which are not marked as CA certs anymore:
# openssl x509 -noout -in ca.crt -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
[...]
# openssl s_client -connect "$(hostname -f):636"
[...]
depth=1 DC=<fqdn>, CN=<hostname>CA
verify error:num=26:unsuitable certificate purpose
[...]
---
SSL handshake has read 2894 bytes and written 414 bytes
Verification error: unsuitable certificate purpose
---
[...]
When the v3_req section has the same content as the v3_ca section, this would also work and the result would be a valid CA cert:
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
# openssl x509 -noout -in ca.crt -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
[...]
I suggest waiting for a new release of voxpupuli/puppet-openssl (> 4.1.0) and then removing the unneeded v3_req section from openssl_ca.cnf again.
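A small lint, added here as an example (not part of this issue, the module, or puppet-openssl), that parses an OpenSSL config and reports every extension section referenced from [req] that lacks basicConstraints = CA:true, i.e. the v3_ca/v3_req mismatch described above. The [req] section in the sample, with x509_extensions pointing at v3_ca and req_extensions at v3_req, is a constructed assumption; only the two extension sections are taken from the issue.

```python
"""Check an openssl.cnf for extension sections missing the CA flag."""
import re

# Constructed sample: the two extension sections from the issue plus an
# assumed [req] section that references both of them.
BROKEN_CNF = """
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
req_extensions     = v3_req

[ req_dn ]

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
"""

# Same config with v3_req carrying the CA flag as well (the workaround above).
FIXED_CNF = BROKEN_CNF + "basicConstraints = CA:true\n"


def parse_cnf(text):
    """Minimal parser for the '[ section ]' / 'key = value' subset of openssl.cnf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip()
    return sections


def lint_ca_config(text):
    """Return the extension sections referenced from [req] that do not set
    basicConstraints = CA:true; an empty list means v3_ca and v3_req agree."""
    sections = parse_cnf(text)
    req = sections.get("req", {})
    problems = []
    for key in ("x509_extensions", "req_extensions"):
        name = req.get(key)
        if name is None:
            continue
        bc = sections.get(name, {}).get("basicConstraints", "")
        # "critical,CA:true" is accepted too; OpenSSL treats the flag case-insensitively.
        if not re.search(r"CA\s*:\s*true", bc, re.IGNORECASE):
            problems.append(f"{key} -> [{name}]: basicConstraints={bc!r}")
    return problems
```

Run lint_ca_config over the generated openssl_ca.cnf before issuing the CA certificate; a non-empty result is the condition that produced the "unsuitable certificate purpose" error above.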