From d3ded5059988ce8a09c5c99a5c3e6b0e413d448c Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 11 Dec 2024 15:31:50 -0800
Subject: [PATCH] Add key usage to the Kafka test CA

Under Python 3.13, Kafka tests were failing because no key usage extension was defined on the CA certificate. Add the appropriate flag to `openssl` to define an appropriate key usage extension for the CA.
---
 safir/tests/support/kafka/data/generate-kafka-secrets.bash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/safir/tests/support/kafka/data/generate-kafka-secrets.bash b/safir/tests/support/kafka/data/generate-kafka-secrets.bash
index 0a1a7d58..c213579d 100755
--- a/safir/tests/support/kafka/data/generate-kafka-secrets.bash
+++ b/safir/tests/support/kafka/data/generate-kafka-secrets.bash
@@ -26,7 +26,7 @@ mkdir -p "${OUT_DIR}"
 cd "${OUT_DIR}" || exit
 # PEM CA cert and key
-openssl req -new -x509 -keyout ${CA_KEY} -out ${CA_CERT} -days 365 -subj "/CN=ca" -nodes
+openssl req -new -x509 -addext 'keyUsage=critical, cRLSign, digitalSignature, keyCertSign' -keyout ${CA_KEY} -out ${CA_CERT} -days 365 -subj "/CN=ca" -nodes
 # Server truststore CA cert
 keytool -keystore ${SERVER_TRUSTSTORE} -alias CARoot -storepass ${PASSWORD} -importcert -file ${CA_CERT} -noprompt
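Review bot: The new `-addext` option on the `openssl req` line has no comment saying why it is there, so the Python 3.13 rationale lives only in the commit message and the flag could be dropped in a later cleanup; extend the comment above it, for example `# PEM CA cert and key (Python 3.13 rejects a CA certificate without a key usage extension)`. The CA's `basicConstraints` is not set on this line and presumably still comes from the host's default `openssl.cnf`, so the shape of the test CA depends on the local OpenSSL install; checking the regenerated file with `openssl x509 -in "${CA_CERT}" -noout -text` would confirm both extensions are present. `${CA_KEY}` and `${CA_CERT}` are unquoted here, unlike `"${OUT_DIR}"` two lines earlier, so `-keyout "${CA_KEY}" -out "${CA_CERT}"` would be consistent. The script continues outside the hunk, so the variable definitions are not visible here.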