# 更新至 Python 3.13 导致的自签名 CA 出现 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier

# 排查

# Reproduce the failure outside Python: -x509_strict enables the RFC 5280
# conformance checks that are presumably behind the CERTIFICATE_VERIFY_FAILED
# in the title, so this is the quickest way to see which cert is at fault.
openssl verify -x509_strict -CAfile /data/ca.crt /data/web/web1.crt
# error 92 at 1 depth lookup: CA cert does not include key usage extension
# error /data/web/web1.crt: verification failed
# "1 depth" is the issuer (ca.crt), not the leaf: the CA cert itself lacks
# a keyUsage extension, which is what the regeneration below adds.

# 重新生成 CA 证书

重新根据 ca.key 生成 ca.crt,只需替换 ca.crt 即可,已经颁发的证书仍正常使用:密钥对没有变,新 CA 证书的 subjectKeyIdentifier 与已签发证书里的 authorityKeyIdentifier 仍然匹配(下文的 openssl verify 可以证实这一点)。注意:旧的 ca.crt 仍然是一个有效的自签名根,无法被吊销,凡是把旧 ca.crt 装进信任库的地方(系统 CA 目录、应用自带的 CA bundle、requests 的 REQUESTS_CA_BUNDLE 等)都要换成新证书,否则旧证书会继续被信任。

# 复制一份 openssl.cnf(可选)

sudo cp /etc/ssl/openssl.cnf openssl_ca.cnf

# 调整 openssl.cnf

编辑 openssl_ca.cnf 并将其中 [ v3_ca ] 下的 keyUsage = cRLSign, keyCertSign 解除注释。RFC 5280(4.2.1.3)建议 CA 证书把 keyUsage 标为 critical,因此更稳妥的写法是 keyUsage = critical, cRLSign, keyCertSign;这一行只会影响新签出的 CA 证书,不影响已经颁发的服务器证书。

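[ v3_ca ]
# Key usage for a CA certificate. OpenSSL's stock openssl.cnf ships this line
# commented out so the same section can also mint throwaway self-signed test
# certificates; a certificate that is installed as a trust anchor needs it,
# and strict X.509 verification (openssl verify -x509_strict, and the Python
# 3.13 failure in the title) rejects a CA certificate without it.
# RFC 5280 4.2.1.3: when present on a CA cert, keyUsage SHOULD be critical.
keyUsage = critical, cRLSign, keyCertSign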

# 生成证书请求文件 csr(已有 csr 可忽略)

生成证书请求文件 csr,需要使用原有的 ca.crt 和 ca.key(主题信息来自 ca.crt,签名密钥仍是 ca.key)。

openssl x509 -x509toreq -in ca.crt -signkey ca.key -out new-ca.csr

# 生成 ca 证书

openssl x509 -req -days 3650 -extfile openssl_ca.cnf -extensions v3_ca -in new-ca.csr -signkey ca.key -out new-ca.crt

# 测试

# Re-run exactly the check that failed above, now against the regenerated CA.
# OK means the chain passes the strict rules with the new trust anchor.
openssl verify -x509_strict -CAfile new-ca.crt /data/web/web1.crt
# /data/web/web1.crt: OK

# 导入到系统可信 CA(可选)

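# Install the regenerated CA into the system trust store. update-ca-certificates
# only picks up files under this directory that end in .crt.
sudo cp new-ca.crt /usr/local/share/ca-certificates/
# If the OLD ca.crt was installed here earlier under another name, remove it
# too — a self-signed root cannot be revoked, so leaving it in the store keeps
# it trusted alongside the new one (adjust the file name to what was used).
# sudo rm /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
# Confirm the store itself now validates the leaf under strict rules, rather
# than trusting the "added/removed" summary alone.
openssl verify -x509_strict -CApath /etc/ssl/certs /data/web/web1.crt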
# Updating certificates in /etc/ssl/certs...
# 0 added, 0 removed; done.
# 注意:这里显示 0 added,说明本次并没有往信任库新增证书(可能此前已经安装过,或者文件名/后缀不符合要求)。应确认 /etc/ssl/certs/ 下存在指向 new-ca.crt 的链接,并且旧的 ca.crt 已不再在信任库中。
# Running hooks in /etc/ca-certificates/update.d...
# Processing triggers for ca-certificates-java (20240118) ...
# done.
# done.

# 参考

https://www.cnblogs.com/liweifeng888/p/18648432
https://superuser.com/questions/738612/openssl-ca-keyusage-extension