Cert. Manager should validate EKUs on importing a certificate authority
Currently, you can import any certificate as a CA, even ones that are actually unusable as a CA. Subsequently, you can select that in packages that require a usable CA to sign their own certificates, such as Squid.
(Found randomly when debugging a Squid issue with a user, see https://forum.pfsense.org/index.php?topic=136883.msg749056#msg749056)