From de4c8c228930b0455b4bec7121b14be472556c7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christer=20War=C3=A9n?= <cwchristerw@gmail.com>
Date: Wed, 10 Sep 2025 13:47:22 +0300
Subject: [PATCH] Add missing basicConstraints to use certificate as CA in
 OpenSSL tasks

---
 tasks/deployer.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tasks/deployer.yml b/tasks/deployer.yml
index d5e6620..a9d84c6 100644
--- a/tasks/deployer.yml
+++ b/tasks/deployer.yml
@@ -486,6 +486,9 @@
     organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
     organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
     countryName: FI
+    basicConstraints:
+      - CA
+    basic_constraints_critical: true
   loop: "{{ config.openssl.certificates.keys() | list }}"
   loop_control:
     label: "{{ cert }}"
@@ -508,6 +511,9 @@
     stateOrProvinceName: "{{ config.openssl.certificates[cert].location.providence }}"
     localityName: "{{ config.openssl.certificates[cert].location.city }}"
     countryName: FI
+    basicConstraints:
+      - CA
+    basic_constraints_critical: true
   loop: "{{ config.openssl.certificates.keys() | list }}"
   loop_control:
     label: "{{ cert }}"