Added AKI to CA certificate

Author: o-afanasenko

certificate-manager/src/main/java/io/strimzi/certs/OpenSslCertManager.java

@@ -318,6 +318,7 @@ private void generateCaCert(File issuerCaKeyFile, File issuerCaCertFile,
                     .newCertsDir(newCertsDir)
                     .basicConstraints("critical,CA:true,pathlen:" + pathLength)
                     .keyUsage("critical,keyCertSign,cRLSign")
+                    .authorityKeyIdentifier()
                     .exec(false);
 
             if (keyInPkcs1) {
@@ -636,6 +637,10 @@ public OpensslArgs keyUsage(String keyUsage) {
             pb.environment().put("STRIMZI_keyUsage", keyUsage);
             return this;
         }
+        public OpensslArgs authorityKeyIdentifier() {
+            pb.environment().put("STRIMZI_authorityKeyIdentifier", "keyid,issuer");
+            return this;
+        }
         public OpensslArgs database(Path database, Path attr) throws IOException {
             // Some versions of openssl require the presence of a index.txt.attr file
             // https://serverfault.com/questions/857131/odd-error-while-using-openssl
@@ -666,6 +671,9 @@ public void exec(boolean failOnNonZero) throws IOException {
             if (!pb.environment().containsKey("STRIMZI_new_certs_dir")) {
                 pb.environment().put("STRIMZI_new_certs_dir", "/dev/null");
             }
+            if (!pb.environment().containsKey("STRIMZI_authorityKeyIdentifier")) {
+                pb.environment().put("STRIMZI_authorityKeyIdentifier", "none");
+            }
 
             Path out = null;
             try {

certificate-manager/src/main/resources/openssl.conf

@@ -19,8 +19,9 @@ commonName           = optional
 
 [ strimzi_x509_extensions ]
 subjectKeyIdentifier = hash
-basicConstraints     = ${ENV::STRIMZI_basicConstraints}
-keyUsage             = ${ENV::STRIMZI_keyUsage}
+basicConstraints       = ${ENV::STRIMZI_basicConstraints}
+keyUsage               = ${ENV::STRIMZI_keyUsage}
+authorityKeyIdentifier = ${ENV::STRIMZI_authorityKeyIdentifier}
 
 [ server_ext ]
 basicConstraints     = critical,CA:false