From 6614a4e3fe0a2598c12bb03d6a9d0396a314b0ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christer=20War=C3=A9n?=
Date: Wed, 10 Sep 2025 13:55:09 +0300
Subject: [PATCH] Add missing basicConstraints to use certificate as CA in OpenSSL tasks
---
 tasks/deployer.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tasks/deployer.yml b/tasks/deployer.yml
index d5e6620..a02b977 100644
--- a/tasks/deployer.yml
+++ b/tasks/deployer.yml
@@ -486,6 +486,12 @@
 organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
 organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
 countryName: FI
+ basicConstraints:
+ - 'CA:TRUE'
+ basic_constraints_critical: true
+ key_usage:
+ - keyCertSign
+ key_usage_critical: true
 loop: "{{ config.openssl.certificates.keys() | list }}"
 loop_control:
 label: "{{ cert }}"
@@ -508,6 +514,12 @@
 stateOrProvinceName: "{{ config.openssl.certificates[cert].location.providence }}"
 localityName: "{{ config.openssl.certificates[cert].location.city }}"
 countryName: FI
+ basicConstraints:
+ - 'CA:TRUE'
+ basic_constraints_critical: true
+ key_usage:
+ - keyCertSign
+ key_usage_critical: true
 loop: "{{ config.openssl.certificates.keys() | list }}"
 loop_control:
 label: "{{ cert }}"
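Review bot: Both hunks (at -486 and -508) make every entry of `config.openssl.certificates` a CA, because the added `- 'CA:TRUE'` sits under the same `loop:` over all certificate keys with no per-certificate condition and no path-length limit. If any of those entries are leaf or service certificates, a compromise of their private key would allow issuing further certificates that relying parties accept, so gate the extension on a per-certificate setting and, where a CA should only sign end-entity certificates, add `- 'pathlen:0'` after `- 'CA:TRUE'`. `key_usage` lists only `keyCertSign`; add `cRLSign` if these CAs are also expected to sign CRLs. The new key `basicConstraints` is camelCase next to snake_case `basic_constraints_critical`, and `basic_constraints` would read consistently. The task bodies begin outside both hunks and indentation is lost on this page, so confirm these keys sit at module-argument level and not inside the subject mapping alongside `countryName`.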