Hallo @aheinzel
Welcome to the IPFire community.
I have confirmed the result that you found.
This has come in with a bug fix in openssl-3.2.x
According to that openssl issue link you provided the CSR should not have the SKID and AKID present but due to a previous bug they were ignored. Now with the bug fixed in openssl the presence of the AKID causes the failure.
Thanks very much for finding this and reporting it.
Could you please raise a bug for this and I will have a look at how to deal with it.
https://www.ipfire.org/docs/devel/bugzilla
Your IPFire community login email address and password will act as your login credentials for the IPFire Bugzilla.
When there is an OpenSSL version change I always test out the OpenVPN RW and N2N processes with existing connections and with creating new ones.
From now on I will also test out the generation of a new X509 set.