From 8694f488d7f501f0ebc2bb3822ba12790386ddb0 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Fri, 11 Apr 2025 14:09:01 +0200
Subject: [PATCH] CI: fix certificates for HTTPS connection tests (#1066)
* Try to fix CA cert for HTTPS connection tests.
* Try to fix leaf certificate.
* Add more properties.
---
 .../generic_connection_tests/tasks/main.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/tests/integration/targets/generic_connection_tests/tasks/main.yml b/tests/integration/targets/generic_connection_tests/tasks/main.yml
index e43833b8..63600e62 100644
--- a/tests/integration/targets/generic_connection_tests/tasks/main.yml
+++ b/tests/integration/targets/generic_connection_tests/tasks/main.yml
@@ -71,9 +71,19 @@
 community.crypto.openssl_csr:
 path: '{{ remote_tmp_dir }}/ca.csr'
 privatekey_path: '{{ remote_tmp_dir }}/ca.key'
+ subject:
+ commonName: Ansible test CA for Docker HTTPS connection tests
+ useCommonNameForSAN: false
 basic_constraints:
- - 'CA:TRUE'
+ - 'CA:TRUE'
 basic_constraints_critical: true
+ key_usage:
+ - digitalSignature
+ - Certificate Sign
+ key_usage_critical: true
+ extended_key_usage:
+ - serverAuth # the same as "TLS Web Server Authentication"
+ extended_key_usage_critical: true
 - name: Create CA certificate
 community.crypto.x509_certificate:
@@ -87,7 +97,8 @@
 path: '{{ remote_tmp_dir }}/cert.csr'
 privatekey_path: '{{ remote_tmp_dir }}/cert.key'
 subject_alt_name:
- - DNS:daemon-tls.ansible.com
+ - DNS:daemon-tls.ansible.com
+ subject_alt_name_critical: true
 - name: Create frontend certificate
 community.crypto.x509_certificate:
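Review bot: The CA request in the first hunk grants `digitalSignature` next to `Certificate Sign` and keeps `basic_constraints` at `'CA:TRUE'` with no path length, so the test CA is allowed more than issuing the single leaf certificate the tests need. Unless a client in the test matrix depends on it, I would drop `- digitalSignature` and add `- 'pathlen:0'` under `basic_constraints` (I believe the module accepts that form; confirm against the community.crypto documentation). The key-usage list also mixes OpenSSL short and long names; `keyCertSign` would match the style of `digitalSignature` and `serverAuth`. Some validators treat a critical `serverAuth` EKU on a CA as a limit on everything it issues, so a comment such as `# restricts this CA to issuing TLS server certificates` would record that this is intended. The task's name line is above the hunk.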
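Review bot: The leaf request in the second hunk still declares no `extended_key_usage` or `key_usage` in the lines visible here, so the daemon certificate's purpose rests only on the CA's EKU, which not every validator applies down the chain. Adding `extended_key_usage: [serverAuth]` and `key_usage: [digitalSignature]` to this task would make the leaf state its own purpose. The new `subject_alt_name_critical: true` is consistent with RFC 5280 when the subject is empty, as it appears to be here; a short comment such as `# SAN must be critical because the CSR has no subject` would explain why it was added. The task's name and module line are outside the hunk.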