Amend HSM cert usage (#151)

There was an issue with invalid key types when verifying
cosign signed registry sigs with a fulcio cert generated using
the fuclio createca command

This PR makes the resulting createca generated cert have partity
to GCA generated certs

The result is a HSM / createca root cert can be used to both sign
and verify registry entries

Resolves: #150

Signed-off-by: Luke Hinds <[email protected]>

Author: lukehinds

cmd/app/createca.go

@@ -91,9 +91,8 @@ certificate authority for an instance of sigstore fulcio`,
 			NotBefore:             time.Now(),
 			NotAfter:              time.Now().AddDate(10, 0, 0),
 			IsCA:                  true,
-			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-			KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-			BasicConstraintsValid: true,
+			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+			BasicConstraintsValid: true, MaxPathLen: 1,
 		}
 
 		caBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, pubKey, privKey)