distribute intca to /etc/ssl/certs also

base/pki/cert.sls

@@ -8,3 +8,14 @@
 /etc/pki/intca.crt:
   x509.pem_managed:
     - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
+
+/etc/ssl/certs/intca.crt:
+  x509.pem_managed:
+    - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
+
+    
+/usr/sbin/update-ca-certificates:
+  cmd.run:
+    - onchanges:
+      - x509: /etc/ssl/certs/intca.crt
+    

base/pki/signing_policies.conf

@@ -11,7 +11,8 @@ x509_signing_policies:
     - ST: Berlin
     - L: Berlin
     - basicConstraints: "critical CA:false"
-    - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment"
+    - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment, keyAgreement"
+    - extendedKeyUsage: "serverAuth, clientAuth"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: 365