Any CA certificate, no matter if its a root of an intermediate, must have the `keyCertSign` extension. If you want to sign a revocation list (CRL) with the CA certificate as well (you usually do want that), than you have to add `cRLSign` as well. Any other keyUsages can and should be avoided for CA certificates. 

The list of values accepted by openssl is [documented here](https://www.openssl.org/docs/apps/x509v3_config.html#).

You don't need to use `nsCertType`. Those, along with all the other ns* extensions, where defined by Netscape ages ago and should not be used anymore. You probably won't find any software around still using them.