From 0a37ac79aa27f962cdf5f0720defdc558d6936bc Mon Sep 17 00:00:00 2001
From: D3Hunter
Date: Mon, 8 Jan 2024 11:00:22 +0800
Subject: [PATCH] br/lightning: add basicConstraints to test ca (#50129)

close pingcap/tidb#50150
---
 br/tests/_utils/generate_certs | 2 +-
 br/tests/config/rootca.conf | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 br/tests/config/rootca.conf

diff --git a/br/tests/_utils/generate_certs b/br/tests/_utils/generate_certs
index a968e8a7d2263..f7343f153d78f 100755
--- a/br/tests/_utils/generate_certs
+++ b/br/tests/_utils/generate_certs
@@ -21,7 +21,7 @@ mkdir -p $TEST_DIR/certs
 openssl ecparam -out "$TEST_DIR/certs/ca.key" -name prime256v1 -genkey
 # CA's Common Name must not be the same as signed certificate.
 openssl req -new -batch -sha256 -subj '/CN=br_tests' -key "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.csr"
-openssl x509 -req -sha256 -days 2 -in "$TEST_DIR/certs/ca.csr" -signkey "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.pem"
+openssl x509 -req -sha256 -days 2 -in "$TEST_DIR/certs/ca.csr" -extfile "${cur_dir}/../config/rootca.conf" -extensions ext -signkey "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.pem"
 for cluster in tidb pd tikv lightning tiflash curl ticdc br; do
 openssl ecparam -out "$TEST_DIR/certs/$cluster.key" -name prime256v1 -genkey
 openssl req -new -batch -sha256 -subj '/CN=localhost' -key "$TEST_DIR/certs/$cluster.key" -out "$TEST_DIR/certs/$cluster.csr"
diff --git a/br/tests/config/rootca.conf b/br/tests/config/rootca.conf
new file mode 100644
index 0000000000000..b4ca5d22ab5da
--- /dev/null
+++ b/br/tests/config/rootca.conf
@@ -0,0 +1,2 @@
+[ext]
+basicConstraints=CA:TRUE,pathlen:0
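Review bot: The new `-extfile "${cur_dir}/../config/rootca.conf"` argument depends on `cur_dir`, which is not assigned anywhere in this hunk (presumably it is set earlier in the script). If it were ever empty the path would resolve to `/../config/rootca.conf`, the CA certificate would not be written, and the failure would only surface later when the per-component certificates are signed. Writing the expansion as `"${cur_dir:?}/../config/rootca.conf"` makes the script stop at this line instead. A short comment next to the existing one would also record why the extension file is needed, for example `# Self-signed root must carry basicConstraints CA:TRUE (see rootca.conf) so verifiers accept it as an issuer.` The script continues outside the hunk on both sides, including the rest of the `for cluster` loop.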
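Review bot: The `[ext]` section sets `basicConstraints` without the `critical` flag and adds no `keyUsage`, so the generated test root still differs from what RFC 5280 requires of a CA certificate. Verifiers that enforce the profile strictly may keep rejecting it, and the test chain would not exercise the same checks a production chain does. I would write `basicConstraints=critical,CA:TRUE,pathlen:0` and add `keyUsage=critical,keyCertSign,cRLSign`. `pathlen:0` fits as long as every certificate in `generate_certs` is issued directly by this root, which is what the visible part of the loop suggests.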