+ ("extnID", id_ce_keyUsage),
+ ("critical", Boolean(True)),
+ ("extnValue", OctetString(KeyUsage(
+ ("keyCertSign" if args.ca else "digitalSignature",),
+ ).encode())),
+ )),
+]
+if args.ca:
+ exts.append(Extension((
+ ("extnID", id_ce_basicConstraints),
+ ("critical", Boolean(True)),
+ ("extnValue", OctetString(BasicConstraints((
+ ("cA", Boolean(True)),
+ )).encode())),
+ )))
+else:
+ exts.append(Extension((