Added AKI to CA certificate

Author: o-afanasenko

certificate-manager/src/main/java/io/strimzi/certs/OpenSslCertManager.java

@@ -307,17 +307,18 @@ private void generateCaCert(File issuerCaKeyFile, File issuerCaCertFile,
                 opt.optArg("-cert", issuerCaCertFile);
                 opt.optArg("-keyfile", issuerCaKeyFile);
             }
-            sna = buildConfigFile(subject, false, true);
             opt.optArg("-in", csrFile)
                     .optArg("-out", subjectCertFile)
                     .optArg("-startdate", notBefore)
                     .optArg("-enddate", notAfter)
                     .optArg("-subj", subject)
-                    .optArg("-config", sna)
+                    .optArg("-config", defaultConfig)
+                    .optArg("-extensions", "strimzi_x509_extensions")
                     .database(database, attr)
                     .newCertsDir(newCertsDir)
                     .basicConstraints("critical,CA:true,pathlen:" + pathLength)
                     .keyUsage("critical,keyCertSign,cRLSign")
+                    .authorityKeyIdentifier()
                     .exec(false);
 
             if (keyInPkcs1) {
@@ -636,6 +637,10 @@ public OpensslArgs keyUsage(String keyUsage) {
             pb.environment().put("STRIMZI_keyUsage", keyUsage);
             return this;
         }
+        public OpensslArgs authorityKeyIdentifier() {
+            pb.environment().put("STRIMZI_authorityKeyIdentifier", "keyid,issuer");
+            return this;
+        }
         public OpensslArgs database(Path database, Path attr) throws IOException {
             // Some versions of openssl require the presence of a index.txt.attr file
             // https://serverfault.com/questions/857131/odd-error-while-using-openssl
@@ -666,6 +671,9 @@ public void exec(boolean failOnNonZero) throws IOException {
             if (!pb.environment().containsKey("STRIMZI_new_certs_dir")) {
                 pb.environment().put("STRIMZI_new_certs_dir", "/dev/null");
             }
+            if (!pb.environment().containsKey("STRIMZI_authorityKeyIdentifier")) {
+                pb.environment().put("STRIMZI_authorityKeyIdentifier", "none");
+            }
 
             Path out = null;
             try {

certificate-manager/src/main/resources/openssl.conf

@@ -19,8 +19,9 @@ commonName           = optional
 
 [ strimzi_x509_extensions ]
 subjectKeyIdentifier = hash
-basicConstraints     = ${ENV::STRIMZI_basicConstraints}
-keyUsage             = ${ENV::STRIMZI_keyUsage}
+basicConstraints       = ${ENV::STRIMZI_basicConstraints}
+keyUsage               = ${ENV::STRIMZI_keyUsage}
+authorityKeyIdentifier = ${ENV::STRIMZI_authorityKeyIdentifier}
 
 [ server_ext ]
 basicConstraints     = critical,CA:false