Create self-signed certificate with proper constraints and usages

usr/lib/python3.8/vmmgr/crypto.py

@@ -27,8 +27,8 @@ def create_selfsigned_cert(domain):
         .add_extension(x509.SubjectAlternativeName((x509.DNSName(domain), x509.DNSName(f'*.{domain}'))), critical=False) \
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False) \
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(public_key), critical=False) \
-        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) \
-        .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), critical=True) \
+        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) \
+        .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False), critical=True) \
         .add_extension(x509.ExtendedKeyUsage((ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH)), critical=False) \
         .sign(private_key, hashes.SHA256(), default_backend())
     with open(paths.CERT_PUB_FILE, 'wb') as f: