br/lightning: add basicConstraints to test ca (#50129)

close pingcap/tidb#50150

br/tests/_utils/generate_certs

@@ -21,7 +21,7 @@ mkdir -p $TEST_DIR/certs
 openssl ecparam -out "$TEST_DIR/certs/ca.key" -name prime256v1 -genkey
 # CA's Common Name must not be the same as signed certificate.
 openssl req -new -batch -sha256 -subj '/CN=br_tests' -key "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.csr"
-openssl x509 -req -sha256 -days 2 -in "$TEST_DIR/certs/ca.csr" -signkey "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.pem"
+openssl x509 -req -sha256 -days 2 -in "$TEST_DIR/certs/ca.csr" -extfile "${cur_dir}/../config/rootca.conf" -extensions ext -signkey "$TEST_DIR/certs/ca.key" -out "$TEST_DIR/certs/ca.pem"
 for cluster in tidb pd tikv lightning tiflash curl ticdc br; do
     openssl ecparam -out "$TEST_DIR/certs/$cluster.key" -name prime256v1 -genkey
     openssl req -new -batch -sha256 -subj '/CN=localhost' -key "$TEST_DIR/certs/$cluster.key" -out "$TEST_DIR/certs/$cluster.csr"

br/tests/config/rootca.conf

@@ -0,0 +1,2 @@
+[ext]
+basicConstraints=CA:TRUE,pathlen:0