Changes to valet CA to resolve Missing Authority Key Identifier error

[Tugzrida]

I've recently encountered some issues with valet certificates not passing OpenSSL's strict mode x509 validation, which is now enabled by default in python 3.13. This makes it difficult to develop python apps that need to communicate with a valet-run copy of a php app.

As valet's leaf certificates don't contain the issuer key ID in their Authority Key Identifier extension, OpenSSL throws an X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER error when trying to connect with strict mode enabled.

While poking around trying to fix this, I've discovered there's also issues with the valet CA certificate that cause it to fail strict validation, including missing basicConstraints, keyUsage, and subjectKeyIdentifier extensions.

I've run out of time to dig into this for now and have just added a flag to my python app to disable strict mode in development environments, but given the whole point of using local HTTPS while developing is to avoid these kinds of workarounds, I would like to come back and look what can be changed in valet so its certificates pass strict validation. If anyone else wants to start pulling on this thread in the meantime, please feel free. I'm happy to test out any proposals 😄

[Tugzrida]

(for my own reference, I believe adding -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,digitalSignature,keyCertSign" -addext "subjectKeyIdentifier=hash" to the CA generation command, and authorityKeyIdentifier = keyid to openssl.conf solves most of the issues, but there are migration considerations here as users who installed valet previously won't have a CA with a SKID, which will cause leaf signing to fail and will require logic to re-generate the CA)