As workaround I’ve added this line in the openssl.cnf:
[ v3_req ] [...] extendedKeyUsage = serverAuth,clientAuth [...]
Afterwards I’ve recreated the certificate: