fix: add missing OpenSSL certificate extensions to init_pki.sh

- Add usr_cert section for client certificates with proper extensions
- Add server_cert section for server certificates with proper extensions
- Resolves external deployment issue: "Error checking extension section usr_cert"
- Ensures PKI initialization creates complete OpenSSL configuration
- Makes deployments self-contained without manual configuration files

Fixes external server certificate signing by providing all required
extension sections that the certificate signing process expects.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: atlas-form

crates/capsula-pki-server/init_pki.sh

@@ -118,6 +118,24 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
 EOF
 
     log "Intermediate CA configuration created"