As it is right now, the tutorial seems to fail (tested and verified twice) to correctly document how to create the intermediate CA.
The X509v3 Authority Key Identifier points to the root CA, which is most definitely not the desired outcome (the whole point of the intermediate CA is to be the identified issuer in the certificates).
A workaround is to remove the always keyword for issuer (in sign_server_csrs.cnf):
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
This might break things, and certainly does not make debugging certificate problems easier for people who expect text instead of the bare fingerprint.
Note: the DN is not required and AFAIK there is no consensus on using it at all, since it cannot be verified normally. Still, it's a confusing tidbit that should be properly documented.
File: [nitrokeys/features/openpgp-card/certificate-authority.rst] https://docs.nitrokey.com/nitrokeys/features/openpgp-card/certificate-authority.html
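Added example (not from the issue or the Nitrokey documentation): a shell script that builds a throwaway root / intermediate / server chain with the openssl CLI and prints the Authority Key Identifier the server certificate ends up with, once with the workaround from the report (keyid,issuer) and once with the original keyid:always,issuer:always form, so the two can be compared side by side. Section names other than server_cert, subjects, key sizes and file names are hypothetical choices of this example. The keyid part of the AKI is copied from the issuing certificate's Subject Key Identifier, so comparing it against the intermediate's SKI is the check that tells which CA really signed a certificate; the issuer:always part adds the issuer name of the intermediate's own certificate (which is the root's DN) plus the intermediate's serial number, which is the DirName entry the report describes. The -ext option used here needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Example: inspect which CA the server cert's AKI actually identifies.
set -eu

# Single config for all three certificates; section names are hypothetical
# except server_cert, which mirrors the section quoted in the issue.
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, keyCertSign, cRLSign

# Workaround from the issue: no "always" qualifiers
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth

# Original form, for comparison: DirName and serial are always written
[ server_cert_always ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
}

# Build root -> intermediate -> server under scratch directory $1.
# The same server CSR is signed twice, once per AKI variant.
make_pki() {
    d=$1
    write_cnf "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$d/ca.cnf" -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$d/ca.cnf" \
        -extensions v3_intermediate_ca -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" \
        -subj "/CN=server.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    for variant in server_cert server_cert_always; do
        openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
            -CAcreateserial -days 365 -sha256 -extfile "$d/ca.cnf" \
            -extensions "$variant" -out "$d/$variant.crt" 2>/dev/null
    done
}

# First 20-byte hex string in extension $2 of cert $1. Matches both the
# 1.1.1 "keyid:AA:BB:..." layout and the bare 3.x layout of the printout.
ext_keyid() {
    openssl x509 -in "$1" -noout -ext "$2" |
        grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1
}

# Succeeds when the AKI keyid of $1 equals the SKI of $2, i.e. $2 issued $1.
aki_points_to() {
    a=$(ext_keyid "$1" authorityKeyIdentifier)
    s=$(ext_keyid "$2" subjectKeyIdentifier)
    [ -n "$a" ] && [ "$a" = "$s" ]
}

# Succeeds when $2 chains server -> intermediate -> root under $1.
chain_ok() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$2" >/dev/null 2>&1
}

main() {
    d=$(mktemp -d)
    make_pki "$d"
    for v in server_cert server_cert_always; do
        echo "== $v =="
        openssl x509 -in "$d/$v.crt" -noout -ext authorityKeyIdentifier
        aki_points_to "$d/$v.crt" "$d/int.crt" && echo "keyid = intermediate SKI"
        aki_points_to "$d/$v.crt" "$d/root.crt" && echo "keyid = root SKI (unexpected)"
        chain_ok "$d" "$d/$v.crt" && echo "chain verifies"
    done
    # Compare this serial with the serial: line printed for server_cert_always.
    echo "intermediate $(openssl x509 -in "$d/int.crt" -noout -serial)"
    rm -rf "$d"
}

main
```

Running it prints the AKI of both server certificates: in both variants the keyid equals the intermediate's SKI and the chain verifies against the root, and only the always variant carries the DirName of the root and the intermediate's serial. The aki_points_to function is the check to run on a production certificate when in doubt about which CA issued it.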