From 76dc96c518ac4ac46e50d9c417a787df55cbf4c8 Mon Sep 17 00:00:00 2001
From: Joachim Zobel <jz-2017@heute-morgen.de>
Date: Wed, 15 Jan 2025 06:58:57 +0100
Subject: [PATCH] Fixed issue in CA cert. creation

---
 test/ssl/openssl.cnf | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/test/ssl/openssl.cnf b/test/ssl/openssl.cnf
index fc6fd8457c..db12bb8893 100644
--- a/test/ssl/openssl.cnf
+++ b/test/ssl/openssl.cnf
@@ -291,14 +291,12 @@ authorityKeyIdentifier=keyid:always,issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 
 # Some might want this also
 # nsCertType = sslCA, emailCA