For some reason libvirt doesn't accept client certificates without this,
even though TLS client authentication doesn't involve encipherting keys.
[tls-client-extensions]
basicConstraints = critical, CA:FALSE
[tls-client-extensions]
basicConstraints = critical, CA:FALSE
-keyUsage = critical, digitalSignature
+keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always