From cefabdc7db5a186e69144556951ebc696cd6f6c6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 26 Dec 2025 16:10:21 +0100
Subject: [PATCH] crypto: self-sign with CA constraint

Signed-off-by: Jens Langhammer
---
 authentik/crypto/builder.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/authentik/crypto/builder.py b/authentik/crypto/builder.py
index acac14e5b934..211f4b5ac450 100644
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@@ -93,6 +93,18 @@ def build(
 .not_valid_after(datetime.datetime.today() + datetime.timedelta(days=validity_days))
 .serial_number(int(uuid.uuid4()))
 .public_key(self.__public_key)
+ .add_extension(
+ x509.SubjectKeyIdentifier.from_public_key(self.__private_key.public_key()),
+ critical=False,
+ )
+ .add_extension(
+ x509.AuthorityKeyIdentifier.from_issuer_public_key(self.__private_key.public_key()),
+ critical=False,
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=None),
+ critical=True,
+ )
 )
 if alt_names:
 self.__builder = self.__builder.add_extension(
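Review bot: The new `x509.BasicConstraints(ca=True, path_length=None)` extension is added unconditionally in `build()`, so every certificate this builder produces is a CA with no limit on chain depth. Anyone who installs one of these self-signed certificates as a trust anchor then also trusts whatever its key signs, including further intermediates. If the CA bit is only there so strict validators accept the certificate as its own issuer, `x509.BasicConstraints(ca=True, path_length=0)` is the tighter choice, and a short comment stating that reason would help. Separately, both key-identifier extensions derive from `self.__private_key.public_key()` while the subject key in the context line above comes from `self.__public_key`; if the two can ever differ the identifiers will not match the certificate, so `x509.SubjectKeyIdentifier.from_public_key(self.__public_key)` would be safer. The body of `build()` starts and continues outside this hunk, so it is worth confirming whether a KeyUsage extension with `key_cert_sign` is set elsewhere, since RFC 5280 expects one on CA certificates.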