Fixed a certificate issue with newer OpenSSL (#3775)

nvidianz · chesterxgchen · IsaacYangSLA · web-flow · commit c0def1ae43ca · 2025-10-14T10:31:29.000+08:00
### Description

Newer OpenSSL (from Ubuntu 25.04) doesn't accept the certs generated by
provision.
This PR fixed the problem by adding Authority Key ID and Key Usage to
the cert extensions.

### Types of changes
&lt;!--- Put an `x` in all the boxes that apply, and remove the not
applicable items --&gt;
- [x] Non-breaking change (fix or new feature that would not break
existing functionality).
- [ ] Breaking change (fix or new feature that would cause existing
functionality to change).
- [ ] New tests added to cover the changes.
- [ ] Quick tests passed locally by running `./runtest.sh`.
- [ ] In-line docstrings updated.
- [ ] Documentation updated.

---------

Co-authored-by: Chester Chen &lt;512707+chesterxgchen@users.noreply.github.com&gt;
Co-authored-by: Isaac Yang &lt;isaacy@nvidia.com&gt;
diff --git a/nvflare/lighter/utils.py b/nvflare/lighter/utils.py
@@ -61,18 +61,30 @@ def generate_cert(
         .serial_number(x509.random_serial_number())
         .not_valid_before(datetime.datetime.utcnow())
         .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=valid_days))
+        .add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(subject_pub_key),
+            critical=False,
+        )
+        .add_extension(
+            x509.AuthorityKeyIdentifier.from_issuer_public_key(signing_pri_key.public_key()),
+            critical=False,
+        )
     )
+
     if ca:
-        builder = (
-            builder.add_extension(
-                x509.SubjectKeyIdentifier.from_public_key(subject_pub_key),
-                critical=False,
-            )
-            .add_extension(
-                x509.AuthorityKeyIdentifier.from_issuer_public_key(subject_pub_key),
-                critical=False,
-            )
-            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=False)
+        builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True).add_extension(
+            x509.KeyUsage(
+                digital_signature=True,
+                content_commitment=True,
+                key_encipherment=True,
+                data_encipherment=True,
+                key_agreement=True,
+                key_cert_sign=True,
+                crl_sign=True,
+                encipher_only=False,
+                decipher_only=False,
+            ),
+            critical=False,
         )
 
     if server_default_host:
