tl;dr: is it possible to have a Let’s Encrypt certificate issued with the keyCertSign bit set?
I have generated a certificate through the acmebot on Azure with the intention of signing additional certificates for subdomains with it. After lots of fruitless experimentation I realized that I could never have succeeded since the cert does not have the keyCertSign bit set, so it cannot be used as an intermediate cert to sign other certificates.
Is it possible to request a Let’s Encrypt certificate with that bit set so that I can use it as an intermediary? If so, how can I do that?
BTW: I did tests on ptlfoo.p.getportal.org. You can see the connection failure when visiting that domain. Here is the report of an SSL server test and under “certification paths” it tells you “Not trusted (CA key usage check failed: keyCertSign bit is not set)”