
Commit 5f73e1f

committed
Added AKI to CA certificate
1 parent 8c0c2d4 commit 5f73e1f


2 files changed

+11
-2
lines changed


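--- a/certificate-manager/src/main/java/io/strimzi/certs/OpenSslCertManager.java
+++ b/certificate-manager/src/main/java/io/strimzi/certs/OpenSslCertManager.java
@@ -318,6 +318,7 @@ private void generateCaCert(File issuerCaKeyFile, File issuerCaCertFile,
 .newCertsDir(newCertsDir)
 .basicConstraints("critical,CA:true,pathlen:" + pathLength)
 .keyUsage("critical,keyCertSign,cRLSign")
+.authorityKeyIdentifier()
 .exec(false);
 
 if (keyInPkcs1) {
@@ -636,6 +637,10 @@ public OpensslArgs keyUsage(String keyUsage) {
 pb.environment().put("STRIMZI_keyUsage", keyUsage);
 return this;
 }
+public OpensslArgs authorityKeyIdentifier() {
+pb.environment().put("STRIMZI_authorityKeyIdentifier", "keyid,issuer");
+return this;
+}
 public OpensslArgs database(Path database, Path attr) throws IOException {
 // Some versions of openssl require the presence of a index.txt.attr file
 // https://serverfault.com/questions/857131/odd-error-while-using-openssl
@@ -666,6 +671,9 @@ public void exec(boolean failOnNonZero) throws IOException {
 if (!pb.environment().containsKey("STRIMZI_new_certs_dir")) {
 pb.environment().put("STRIMZI_new_certs_dir", "/dev/null");
 }
+if (!pb.environment().containsKey("STRIMZI_authorityKeyIdentifier")) {
+pb.environment().put("STRIMZI_authorityKeyIdentifier", "none");
+}
 
 Path out = null;
 try {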
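Review bot: The new `authorityKeyIdentifier()` builder hard-codes `keyid,issuer`, and with that value OpenSSL falls back to putting the issuer name and serial number into the AKI when it cannot copy a subject key identifier from the issuing certificate. An AKI in issuer-plus-serial form ties the generated CA certificate to one specific issuer certificate, so if that issuer is later re-issued with the same key but a new serial, validators that compare the AKI can reject the chain. Failing loudly is safer than the silent fallback, e.g. `pb.environment().put("STRIMZI_authorityKeyIdentifier", "keyid:always");`, once it is confirmed that the self-signed path of `generateCaCert` (its body starts and ends outside this hunk) still succeeds with it. The method would also benefit from a one-line Javadoc stating which value it exports to openssl.conf and why it takes no parameter, unlike `keyUsage(String)`.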

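--- a/certificate-manager/src/main/resources/openssl.conf
+++ b/certificate-manager/src/main/resources/openssl.conf
@@ -19,8 +19,9 @@ commonName = optional
 
 [ strimzi_x509_extensions ]
 subjectKeyIdentifier = hash
-basicConstraints = ${ENV::STRIMZI_basicConstraints}
-keyUsage = ${ENV::STRIMZI_keyUsage}
+basicConstraints = ${ENV::STRIMZI_basicConstraints}
+keyUsage = ${ENV::STRIMZI_keyUsage}
+authorityKeyIdentifier = ${ENV::STRIMZI_authorityKeyIdentifier}
 
 [ server_ext ]
 basicConstraints = critical,CA:false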
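Review bot: `authorityKeyIdentifier = ${ENV::STRIMZI_authorityKeyIdentifier}` makes every use of `[ strimzi_x509_extensions ]` depend on the new variable, and any invocation that does not call `authorityKeyIdentifier()` receives the literal `none` that `exec()` sets as the default. Whether OpenSSL accepts `none` for this extension depends on the version: as far as I know it is documented for the 3.x line, while older releases reject option names other than `keyid` and `issuer`. It is worth confirming this against every OpenSSL version the code runs on, otherwise a call that uses this section without the builder method would fail at runtime. A comment above the line would record the contract, for example `# set by OpensslArgs.exec(); "none" omits the AKI, any other value is passed to OpenSSL as-is`.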
