After successfully uploading my CSR and signing it with my root CA, I realize the certificate obtained is a leaf certificate rather than a CA certificate.
The certificate page http://pkiaas.internal/se/paas/cert/5 indeed shows the following:
This is weird. I made new attempts at signing the .csr, carefully checking each step. There is nowhere I could specify whether the certificate should be an intermediate CA. I thought maybe PKIAAS doesn’t support overriding the CSR, but the CSR specifically requested the following extensions:
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE
There must be something I am missing, but what?