From: Guilhem Moulin Date: Wed, 6 Mar 2024 14:37:29 +0100 Subject: tests/certs/generate: Generate X.509 version 3 CA. And pass CA:TRUE as basic constraint. This fixes the test suite with OpenSSL 3.2 with defaults to X.509v3 and CA:FALSE. Origin: https://git.guilhem.org/interimap/commit/?id=eb254348085047702ee37e405d171d894dc5ffff Bug-Debian: https://bugs.debian.org/1065529 --- tests/certs/generate | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/certs/generate b/tests/certs/generate index 8e9c451..f449764 100755 --- a/tests/certs/generate +++ b/tests/certs/generate @@ -22,7 +22,12 @@ genpkey() { # generate CA (we intentionally throw away the private key and serial # file to avoid reuse) genpkey "$cadir/ca.key" -algorithm RSA -openssl req -new -x509 -rand /dev/urandom -subj "/OU=$OU/CN=Fake Root CA" -key "$cadir/ca.key" -out ./ca.crt +openssl req -new -x509 -rand /dev/urandom \ + -subj "/OU=$OU/CN=Fake Root CA" \ + -addext subjectKeyIdentifier="hash" \ + -addext authorityKeyIdentifier="keyid:always,issuer" \ + -addext basicConstraints="critical,CA:TRUE" \ + -key "$cadir/ca.key" -out ./ca.crt SERIAL=1 new() {