Generate test certificates that pass python 3.13 criteria

Python 3.13 has started requiring the authorityKeyIdentifier field as per python/cpython#107361 . After iterating a bit, it appears that we only need to pass "-addext keyUsage=keyCertSign" to openssl during CA certificate creation and the server certificate will have the proper field. It's also possible to use something like `trustme` to generate the certificates but that would have been a much larger change and more work (maybe leading to most of the script being dropped however).
adrien-n · Jan 8, 2025 · a3982b5 · a3982b5
1 parent e38f88b
commit a3982b5
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/breezy/tests/ssl_certs/create_ssls.py b/breezy/tests/ssl_certs/create_ssls.py
@@ -131,6 +131,8 @@ def build_ca_certificate():
     _openssl(
         [
             "req",
+            "-addext",
+            "keyUsage = keyCertSign",
             "-passin",
             "stdin",
             "-new",