Added KeyUsage DigitalSignature to CA certs.

[bkstein]

DigitalSignature MUST be set in SCEP CA certificates according to RFC 8894:

2.1.2. Certificate Authority

A SCEP CA is the entity that signs client certificates. A CA may
enforce policies and apply them to certificate requests, and it may
reject a request for any reason.

Since the client is expected to perform signature verification and
optionally encryption using the CA certificate, the keyUsage
extension in the CA certificate MUST indicate that it is valid for
digitalSignature and keyEncipherment (if the key is to be used for
en/decryption) alongside the usual CA usages of keyCertSign and/or
cRLSign.

This is also what I see in other SCEP CAs (e.g. LANCOM, EJBCA). It makes sense, as the PKCS7 replies are signed by the CA and the KeyCertSign KeyUsage is not meant for this (thats only for the included new certificate).

[bkstein]

Added the RFC paragraph mentioning the keyUsage for SCEP CA certificates.

[jessepeterson]

Apologies for the (very late!) delay on this. Would you be willing to rebase this PR? You can drop the Makefile mods since they . If not, no worries — I can add the keyUsage separately. Cheers, thanks and sorry again.

[bkstein]

Updated to current main. Merging should be possible now. Thanks!