Closed
The cert-manager-generated CSR for an intermediary CA fails validation, as it doesn't comply with the standards required by RFC 5280: 4.2.1.3 & 4.2.1.9.
For example:
Creating the following CA certificate (with isCA set to true):
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: default
spec:
  secretName: root-ca
  subject:
    organizationalUnits:
      - "Demo"
  commonName: "Some Common Name"
  dnsNames:
    - "*.some.domain"
  isCA: true
  encodeUsagesInRequest: true
  duration: 87600h
  renewBefore: 744h
  issuerRef:
    group: cas-issuer.jetstack.io
    kind: GoogleCASClusterIssuer
    name: some-isuer
```
You get a CSR that, when inspected, lacks the basic constraint for CA set to true, i.e. the part below is missing:

```
Requested Extensions:
    # ...
    X509v3 Basic Constraints: critical
        CA:TRUE
```
Thus, for example, integration with google-cas-issuer fails due to the CSR being invalid, as shown by the logs of that controller:

```
2022-10-27T09:48:19.186Z ERROR controller-runtime.manager.controller.certificaterequest Reconciler error {"reconciler group": "cert-manager.io", "reconciler kind": "CertificateRequest", "name": "root-ca-zkf9g", "namespace": "gloo-mesh", "error": "casClient.CreateCertificate failed: rpc error: code = InvalidArgument desc = untrustedSignAndLint failed: generic::invalid_argument: lint failed for certificate: invalid certificate: [RFC 5280: 4.2.1.3 & 4.2.1.9]: if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted"}
```
Expected result: Set the basic constraint CA:TRUE when isCA is set to true.
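To make the reported defect and the expected fix concrete, here is an added Go example (not cert-manager's or google-cas-issuer's code). It builds a CSR for the Certificate above with keyCertSign asserted, once without and once with a critical Basic Constraints CA:TRUE extension, and then applies the RFC 5280 4.2.1.3 / 4.2.1.9 rule quoted in the CAS error to each. The function names `BuildCSR`, `LintCSR`, `marshalKeyUsage` and `parseKeyUsage` are this example's own; the key type (P-256) and the key usage set (keyCertSign + cRLSign) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// Extension OIDs from RFC 5280 (4.2.1.3 keyUsage, 4.2.1.9 basicConstraints).
var (
	oidKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
)

// basicConstraints is the ASN.1 SEQUENCE defined in RFC 5280 4.2.1.9.
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// marshalKeyUsage DER-encodes a KeyUsage mask as the RFC 5280 4.2.1.3
// BIT STRING (bit 0 = digitalSignature, ..., bit 5 = keyCertSign).
func marshalKeyUsage(ku x509.KeyUsage) ([]byte, error) {
	var bits []byte
	bitLen := 0
	for i := 0; i < 9; i++ { // RFC 5280 defines nine key usage bits
		if ku&(1<<uint(i)) == 0 {
			continue
		}
		for len(bits) <= i/8 {
			bits = append(bits, 0)
		}
		bits[i/8] |= 0x80 >> uint(i%8)
		bitLen = i + 1
	}
	return asn1.Marshal(asn1.BitString{Bytes: bits, BitLength: bitLen})
}

// parseKeyUsage is the inverse of marshalKeyUsage.
func parseKeyUsage(der []byte) (x509.KeyUsage, error) {
	var bs asn1.BitString
	if _, err := asn1.Unmarshal(der, &bs); err != nil {
		return 0, err
	}
	var ku x509.KeyUsage
	for i := 0; i < bs.BitLength && i < 16; i++ {
		if bs.At(i) == 1 {
			ku |= 1 << uint(i)
		}
	}
	return ku, nil
}

// BuildCSR builds a CSR for the subject in the issue with keyCertSign asserted.
// withCA=false reproduces the reported defect (no basic constraints);
// withCA=true adds the critical CA:TRUE extension the lint rule requires.
func BuildCSR(withCA bool) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type
	if err != nil {
		return nil, err
	}
	kuDER, err := marshalKeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: "Some Common Name", OrganizationalUnit: []string{"Demo"}},
		DNSNames:        []string{"*.some.domain"},
		ExtraExtensions: []pkix.Extension{{Id: oidKeyUsage, Critical: true, Value: kuDER}},
	}
	if withCA {
		bcDER, err := asn1.Marshal(basicConstraints{IsCA: true, MaxPathLen: -1})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions,
			pkix.Extension{Id: oidBasicConstraints, Critical: true, Value: bcDER})
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// LintCSR applies the rule from the CAS error message: if keyCertSign is
// asserted, the cA bit in basic constraints MUST also be asserted.
func LintCSR(csr *x509.CertificateRequest) error {
	var ku x509.KeyUsage
	var bc *basicConstraints
	for _, ext := range csr.Extensions {
		switch {
		case ext.Id.Equal(oidKeyUsage):
			k, err := parseKeyUsage(ext.Value)
			if err != nil {
				return err
			}
			ku = k
		case ext.Id.Equal(oidBasicConstraints):
			var b basicConstraints
			if _, err := asn1.Unmarshal(ext.Value, &b); err != nil {
				return err
			}
			bc = &b
		}
	}
	if ku&x509.KeyUsageCertSign != 0 && (bc == nil || !bc.IsCA) {
		return errors.New("[RFC 5280: 4.2.1.3 & 4.2.1.9]: keyCertSign is asserted but cA is not asserted in basic constraints")
	}
	return nil
}

func main() {
	for _, withCA := range []bool{false, true} {
		csr, err := BuildCSR(withCA)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CSR with CA:TRUE=%v -> lint: %v\n", withCA, LintCSR(csr))
	}
}
```

Running it prints a lint error for the first CSR and `<nil>` for the second, which is the difference between the CSR cert-manager currently emits for this Certificate and the one the issuer expects when `isCA: true` is set.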