Cleaned up EKUs
The EKU logic is now simpler, and it follows the following rules
- if an IP address, DNS name, or URI SAN is present, serverAuth is included
- if
-client
is used, clientAuth is included - if an email address SAN in present, emailProtection is included
Certificate generation based on CSRs is now consistent with standard certificate generation.
Releases are now built from GitHub Actions.