
HSM documentation incorrect: certificates are not signed with correct X509v3 Authority Key Identifier for the intermediate CA #349

Open
@thedeadliestcatch

Description

@thedeadliestcatch

File: [nitrokeys/features/openpgp-card/certificate-authority.rst] https://docs.nitrokey.com/nitrokeys/features/openpgp-card/certificate-authority.html

As it is right now, the tutorial seems to fail (tested and verified twice) to correctly document how to create the intermediate CA.
The X509v3 Authority Key Identifier points to the root CA, which is most definitely not the desired outcome (the whole point of the intermediate CA is to be the identified issuer in the certificates).

A workaround is to remove the `always` keyword for `issuer` (in `sign_server_csrs.cnf`):

```ini
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
```

This might break things, and certainly does not make debugging certificate problems easier for people who expect text instead of the bare fingerprint.

Note: the DN is not required and AFAIK there is no consensus on using it at all, since it cannot be verified normally. Still, it's a confusing tidbit that should be properly documented.
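The following script is an added example and is not part of the Nitrokey documentation or of this issue. It builds a root -> intermediate -> server chain with throwaway P-256 software keys standing in for the HSM-held CA keys (an assumption: on a real card the CA key never leaves the device), signs one server certificate with the issue's bare `keyid,issuer` form and one with `keyid:always,issuer:always`, and then checks with `openssl x509 -text` that the server certificate's X509v3 Authority Key Identifier equals the intermediate's Subject Key Identifier and not the root's. The section names, subjects and file names are constructed for this example; it needs only the `openssl` CLI (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not from the Nitrokey docs or this issue. Software keys stand
# in for the HSM-held CA keys; section names and subjects are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles used below (constructed for this example).
write_config() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, keyCertSign, cRLSign

# Bare key id, the form proposed as a workaround in the issue.
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

# With issuer:always the AKI also carries the issuer DirName and serial.
[ server_cert_verbose ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# issue_csr NAME SUBJECT: fresh P-256 key plus CSR (software key, stands in for the HSM).
issue_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

build_chain() {
    write_config
    issue_csr root "/CN=Example Root CA"
    issue_csr intermediate "/CN=Example Intermediate CA"
    issue_csr server "/CN=server.example.test"
    # Self-signed root.
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/root.crt"
    # Intermediate signed by the root; keyid:always copies root.crt's SKI into the AKI.
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions v3_intermediate \
        -out "$WORK/intermediate.crt"
    # Server certs signed by the INTERMEDIATE: the -CA certificate decides whose SKI lands in the AKI.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions server_cert \
        -out "$WORK/server.crt"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions server_cert_verbose \
        -out "$WORK/server-verbose.crt"
}

# ext_first_line CERT HEADER: first value line under an extension header in -text
# output, with the "keyid:" prefix (OpenSSL 1.1) or leading blanks (OpenSSL 3) removed.
ext_first_line() {
    openssl x509 -in "$1" -noout -text \
        | awk -v h="$2" 'index($0, h) { getline; print; exit }' \
        | sed 's/^[[:space:]]*//; s/^keyid://'
}

ski() { ext_first_line "$1" "X509v3 Subject Key Identifier"; }
aki_keyid() { ext_first_line "$1" "X509v3 Authority Key Identifier"; }

# 0 when server.crt's AKI equals the intermediate's SKI, differs from the root's,
# and the chain verifies against the root with the intermediate as untrusted input.
check_chain() {
    [ "$(aki_keyid "$WORK/server.crt")" = "$(ski "$WORK/intermediate.crt")" ] || return 1
    [ "$(aki_keyid "$WORK/server.crt")" != "$(ski "$WORK/root.crt")" ] || return 1
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" "$WORK/server.crt" >/dev/null
}

# 0 when the issuer:always variant carries the issuer's DirName in its AKI.
verbose_aki_has_dirname() {
    openssl x509 -in "$WORK/server-verbose.crt" -noout -text | grep -q 'DirName:'
}

build_chain
if check_chain; then
    echo "server.crt AKI names the intermediate CA: $(aki_keyid "$WORK/server.crt")"
else
    echo "server.crt AKI does not match the intermediate CA's SKI" >&2
    exit 1
fi
```

Run it as-is, or point `WORK` at a directory you want to inspect afterwards. The two comparisons in `check_chain` are the test to apply to a certificate produced by the tutorial: if the AKI's key id equals the root's SKI instead of the intermediate's, the leaf was signed with the wrong CA certificate in the `-CA` / `openssl ca` context, whatever the config says. Dumping `server-verbose.crt` shows the extra `DirName:` and `serial:` lines that `issuer:always` adds, which is the readable text the issue refers to.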
