
[feature] Allow changing default certificate settings, e.g. set x509 extensions for automatic tunnel provisioning

Open kosli opened this issue 2 years ago • 2 comments

To be able to use the OpenVPN remote-cert-tls server option (see the OpenVPN manual), the server certificate needs to be created with an extended key usage of "TLS Web Server Authentication". When manually creating a certificate in OpenWISP, the Extensions field can be used with the below settings to add the needed extended key usage:

```json
[
  {
    "name": "extendedKeyUsage",
    "critical": true,
    "value": "serverAuth"
  }
]
```

Unfortunately the extension cannot be set on the certificate created via the "Automatic tunnel provisioning" feature -> it would be great if there were an option to change the settings of the automatically created certificates, e.g. if one uses the automatically created certificates not just for the OpenVPN client but also as an OpenVPN server certificate.

kosli avatar Feb 15 '23 22:02 kosli

Sounds good, although if it's for VPNs I think we could just update the logic in the VPN model of openwisp-controller, which already has something like that but for a deprecated extension (which we could leave just for backward compatibility a little longer):

  • https://github.com/openwisp/openwisp-controller/blob/ce8d27c4db640f6dc163063e0e0d48f93911f203/openwisp_controller/config/base/vpn.py#L270-L272
  • https://github.com/openwisp/openwisp-controller/blob/ce8d27c4db640f6dc163063e0e0d48f93911f203/openwisp_controller/config/base/vpn.py#L723-L725

Adding the possibility of defining additional extensions added automatically sounds interesting though so I would leave this issue here and create a new one in OpenWISP Controller.

nemesifier avatar Feb 16 '23 13:02 nemesifier

Sounds good to me too. Whereas for OpenVPN the extended usage extension should be added anyways. As for the --remote-cert client option OpenVPN checks for "TLS Web Client Authentication". And for --remote-cert server it checks for "TLS Web Server Authentication" -> the one that I have added.

kosli avatar Feb 16 '23 15:02 kosli
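To make the thread's two points concrete, the block below is an added example (it is not code from this issue or from openwisp-controller / django-x509) that (1) issues a self-signed certificate from the same `extendedKeyUsage` extension list shown in the first post, and (2) reproduces the EKU half of what OpenVPN's `--remote-cert-tls server` / `client` check looks for ("TLS Web Server Authentication" vs "TLS Web Client Authentication"). It assumes the `cryptography` package; the `make_cert_pem` / `remote_cert_tls_ok` names, the `AUTO_EXTENSIONS` and `PLAIN_EXTENSIONS` lists, and the sample common names are all constructed for the example. OpenVPN additionally checks `keyUsage` bits, which this example deliberately leaves out.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Map the "value" strings used in the issue's extension list to the EKU OIDs
# that --remote-cert-tls server / client respectively expect on the peer cert.
EKU_BY_ROLE = {
    "serverAuth": ExtendedKeyUsageOID.SERVER_AUTH,  # TLS Web Server Authentication
    "clientAuth": ExtendedKeyUsageOID.CLIENT_AUTH,  # TLS Web Client Authentication
}

# Extension list copied from the issue (the setting the reporter wants applied
# automatically). Constructed sample: a second list with no EKU at all models a
# certificate issued without that setting.
AUTO_EXTENSIONS = [{"name": "extendedKeyUsage", "critical": True, "value": "serverAuth"}]
PLAIN_EXTENSIONS = []


def make_cert_pem(common_name: str, extensions: list) -> bytes:
    """Issue a self-signed certificate, applying a django-x509 style
    extension list. Only extendedKeyUsage is understood here (hypothetical
    helper for the example); unknown names are rejected rather than ignored."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
    )
    for ext in extensions:
        if ext["name"] != "extendedKeyUsage":
            raise ValueError(f"unsupported extension in example: {ext['name']}")
        # "value" may list several usages separated by commas, as OpenSSL does.
        usages = [EKU_BY_ROLE[v.strip()] for v in ext["value"].split(",")]
        builder = builder.add_extension(
            x509.ExtendedKeyUsage(usages), critical=bool(ext.get("critical", False))
        )
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


def remote_cert_tls_ok(cert_pem: bytes, expected_role: str) -> bool:
    """EKU part of OpenVPN's --remote-cert-tls check: the peer certificate must
    carry an extendedKeyUsage extension that includes the OID for the role the
    peer is supposed to play ("serverAuth" or "clientAuth")."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        # No EKU at all: OpenVPN rejects the peer when --remote-cert-tls is set.
        return False
    return EKU_BY_ROLE[expected_role] in list(eku)


# Constructed sample certificates: one issued with the issue's extension list,
# one without (what an automatically provisioned cert looks like today).
SERVER_PEM = make_cert_pem("vpn-server.example", AUTO_EXTENSIONS)
PLAIN_PEM = make_cert_pem("vpn-client.example", PLAIN_EXTENSIONS)


if __name__ == "__main__":
    print("server cert accepted by --remote-cert-tls server:",
          remote_cert_tls_ok(SERVER_PEM, "serverAuth"))
    print("server cert accepted by --remote-cert-tls client:",
          remote_cert_tls_ok(SERVER_PEM, "clientAuth"))
    print("plain cert accepted by --remote-cert-tls server:",
          remote_cert_tls_ok(PLAIN_PEM, "serverAuth"))
```

Running it shows why the feature request matters: the certificate issued with the `serverAuth` extension passes the server-role check and fails the client-role check, while the certificate issued without any EKU fails both, which is exactly what a client using `remote-cert-tls server` would see when pointed at a tunnel certificate that was provisioned without that extension.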