
OpenSSL: add keyUsage extension in CA config#6017

Merged
AdSchellevis merged 1 commit into opnsense:master from kulikov-a:patch-31 on Sep 12, 2022

Conversation

@kulikov-a
Member

Hi!
ref. and hopefully closes #5912
Thanks!

@AdSchellevis AdSchellevis self-assigned this Sep 12, 2022
@AdSchellevis AdSchellevis added the cleanup Low impact changes label Sep 12, 2022
@AdSchellevis AdSchellevis merged commit 7a06f38 into opnsense:master Sep 12, 2022
@AdSchellevis
Member

@kulikov-a thanks, I think this would be a good addition indeed. Since this only affects new CAs, I don't think this has a very high impact, as this seems to be the advised setting anyway. Looking at https://openssl-ca.readthedocs.io/en/latest/intermediate-configuration-file.html and some other references, apparently the basicConstraints should append critical too (basicConstraints = critical, CA:true); what's your take on that?

@kulikov-a
Member Author

kulikov-a commented Sep 12, 2022

@AdSchellevis Thanks!
yes, reading (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9):
Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.
I'm pretty sure that basicConstraints = critical, CA:true is the right choice, but there is a comment:
# This is what PKIX recommends but some broken software chokes on critical extensions.
so I decided it was intentional and well reasoned.
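The two configuration variants discussed above, side by side, as an added example that is not OPNsense or OpenSSL project code: a legacy-style `[ v3_ca ]` block (non-critical basicConstraints, no keyUsage) and a block following RFC 5280 (basicConstraints critical per 4.2.1.9, keyUsage critical and limited to keyCertSign/cRLSign per 4.2.1.3). The script generates a throw-away self-signed CA from each, decodes it with `openssl x509 -text`, and reports how the two extensions were actually encoded, which is the check to run on any CA a template produces. It needs the `openssl` CLI; the work directory, file names and the CN are made up for the example.

```shell
#!/bin/sh
# Added example, not OPNsense or OpenSSL project code. Generates two
# self-signed CAs from a legacy-style [ v3_ca ] block and an RFC 5280 style
# block, then reports whether basicConstraints and keyUsage came out
# critical. Needs the openssl CLI; file names and the CN are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Legacy block seen in many old openssl.cnf templates (trimmed to the two
# extensions under discussion): basicConstraints is non-critical and
# keyUsage is absent altogether.
legacy_ext_block() {
    cat <<'EOF'
[ v3_ca ]
subjectKeyIdentifier = hash
# This is what PKIX recommends but some broken software chokes on critical extensions.
basicConstraints = CA:true
EOF
}

# Block following RFC 5280: 4.2.1.9 requires basicConstraints to be critical
# in CA certificates, 4.2.1.3 says keyUsage SHOULD be critical; a CA key is
# limited to signing certificates and CRLs.
rfc5280_ext_block() {
    cat <<'EOF'
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Wrap an extension block in the minimal [ req ] config that
# "openssl req -x509" needs (x509_extensions selects the block).
write_config() {  # $1 = output path, $2 = extension block function
    {
        cat <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[ req_dn ]
CN = example test CA
EOF
        "$2"
    } > "$1"
}

# Generate a self-signed CA from one of the blocks; prints the cert path.
make_ca() {  # $1 = legacy | rfc5280
    cfg="$WORK/$1.cnf"; key="$WORK/$1.key"; crt="$WORK/$1.crt"
    write_config "$cfg" "${1}_ext_block"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$key" -out "$crt" -config "$cfg" >/dev/null 2>&1
    printf '%s\n' "$crt"
}

# Classify one extension in "openssl x509 -text" output as
# absent, critical or non-critical (the flag is printed on the header line).
ext_state() {  # $1 = decoded cert text, $2 = extension display name
    line=$(printf '%s\n' "$1" | grep -F "$2:" | head -n 1)
    case "$line" in
        '') echo absent ;;
        *critical*) echo critical ;;
        *) echo non-critical ;;
    esac
}

# Summarise the two extensions, e.g. "basicConstraints=critical keyUsage=critical".
ca_extension_report() {  # $1 = cert path
    text=$(openssl x509 -in "$1" -noout -text)
    printf 'basicConstraints=%s keyUsage=%s\n' \
        "$(ext_state "$text" 'X509v3 Basic Constraints')" \
        "$(ext_state "$text" 'X509v3 Key Usage')"
}

for label in legacy rfc5280; do
    printf '%-9s %s\n' "$label:" "$(ca_extension_report "$(make_ca "$label")")"
done
```

Running it prints one report line per variant: the legacy block yields a non-critical basicConstraints and no keyUsage at all, the RFC 5280 block yields both extensions marked critical. The same `ca_extension_report` check can be pointed at any existing CA certificate to see which template it came from. Whether the "broken software chokes on critical extensions" caveat still applies is something to verify against the actual clients that will validate the chain, not something the generator can decide.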

@kulikov-a kulikov-a deleted the patch-31 branch September 12, 2022 18:23
@AdSchellevis
Member

@kulikov-a I read the same note as well, no clue if this is still relevant to be honest, but let's keep it as is for now until someone opens a ticket.

@kulikov-a
Member Author

@AdSchellevis yep, a comment googling shows that such a line appeared in the configurations a very long time ago (16! years ago? https://community.oracle.com/tech/developers/discussion/comment/6431917/#Comment_6431917 ) and is still found in many templates )

@AdSchellevis
Member

@kulikov-a I'm not surprised, if we are going to change defaults anyway, we might as well change this one while there.

@kulikov-a
Member Author

@AdSchellevis yes, I would change it now if we try to follow the RFC in other places anyway and there are no reasoned objections. Should I make a PR for this?

@AdSchellevis
Member

@kulikov-a yes please :)


Labels

cleanup Low impact changes

Development

Successfully merging this pull request may close these issues.

Internal CA's created in OPNSense have no KeyUsage Extension

2 participants