.gitlab/ci/build_archiso.sh creates a certificate unsuitable for iPXE

create_ephemeral_codesigning_keys creates a certificate request with the custom defined codesigning extensions, but the CA instead issues one with v3_intermediate_ca.

Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Sep 27 09:08:11 2022 GMT
            Not After : Sep 24 09:08:11 2032 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Berlin
            organizationName          = Arch Linux
            organizationalUnitName    = Release Engineering
            commonName                = archlinux.org
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F0:3E:90:FA:AC:ED:30:12:A8:B9:E5:CE:82:92:3C:76:78:FA:D5:D5
            X509v3 Authority Key Identifier:
                keyid:12:37:9F:09:61:3C:CC:85:61:E0:9F:A0:16:26:AC:9F:9C:24:A6:88

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Sep 24 09:08:11 2032 GMT (3650 days)

The result is that the issued certificate lacks an extendedKeyUsage section with codeSigning. This makes it not conform to the iPXE requirements.

Edited by nl6720
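
The mismatch reported above can be reproduced and checked offline. This is an added example, not code from build_archiso.sh: it uses a constructed throwaway CA, and the section name `codesigning`, the subject names and both helper functions are assumptions; only `v3_intermediate_ca` and its values mirror the output quoted in the issue. OpenSSL does not copy extensions from a request unless told to, so the section named at signing time decides what the certificate contains.

```shell
#!/bin/sh
# Added example with a constructed throwaway CA; nothing here is Arch Linux's.

# Succeeds only if the certificate has extendedKeyUsage containing codeSigning.
has_codesigning_eku() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing'
}

# Issue a leaf from a fresh CA using extension section $1; prints the cert path.
# The function body is a subshell, so its variables stay local.
issue_with_section() (
  dir=$(mktemp -d) || exit 1
  cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = codesigning
[ dn ]
commonName = Common Name
[ codesigning ]
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
    -subj '/CN=Example Test CA' -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || exit 1
  # The request asks for the codesigning extensions ...
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
    -subj '/CN=example.invalid' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || exit 1
  # ... but the certificate only gets the section named at signing time.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -extensions "$1" \
    -out "$dir/leaf.crt" 2>/dev/null || exit 1
  printf '%s\n' "$dir/leaf.crt"
)

for section in v3_intermediate_ca codesigning; do
  crt=$(issue_with_section "$section") || { echo "openssl failed" >&2; continue; }
  if has_codesigning_eku "$crt"; then
    echo "$section: codeSigning EKU present"
  else
    echo "$section: codeSigning EKU missing"
  fi
done
```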