Add basic constraints to certificate

Author: sethmlarson

tests/lib/certs.py

@@ -25,6 +25,10 @@ def make_tls_cert(hostname: str) -> Tuple[x509.Certificate, rsa.RSAPrivateKey]:
         .serial_number(x509.random_serial_number())
         .not_valid_before(datetime.utcnow())
         .not_valid_after(datetime.utcnow() + timedelta(days=10))
+        .add_extension(
+            x509.BasicConstraints(ca=True, path_length=9),
+            critical=True,
+        )
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName(hostname)]),
             critical=False,