Steps to reproduce We have a .csr with the following: X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE Actual results PKIAAS delivers a .crt with the following: X…

sc-hsm March 14, 2025, 8:45am 4

That use case (mixed setup with an external Sub-CA) is just no well supported. But it is on the ToDo list.

User experience with Nitrokey HSM2 for a root CA

CA certificates delivered by PKIAAS do not match the expected key usage extension