Add AKI on certificate generation for brokers

[o-afanasenko]

Type of change

Bugfix

Description

Closes #11375
This PR changes generation of secrets with alternative names which happens for broker and cruise control certificates (they have IP or DNS name). For them it adds AKI (authorityKeyIdentifier) which is required by Python >=3.13 Before this PR Python scripts failed on connection with exception

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1020)

This could be fixed by flag VERIFY_X509_STRICT=false.

Checklist

Please go through this checklist and make sure all applicable tasks have been done

• Write tests
• Make sure all tests pass
• Update documentation
• Check RBAC rights for Kubernetes / OpenShift roles
• Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
• Reference relevant issue(s) and close them after merging
• Update CHANGELOG.md
• Supply screenshots for visual changes, such as Grafana dashboards

[ppatierno]

We can use true here right? Because it's going to add a AKI extension to the CA cert which will point just to itself as reported in the SKI.

[o-afanasenko]

No, here CSR (request) is generated. I tried to put true here and got exceptions for all tests

Error adding request extensions from section v3_req
808C170602000000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
808C170602000000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=v3_req, name=authorityKeyIdentifier, value=keyid,issuer

For CA certificate is generated starting from line 299 (301) but it uses defaultConfig. Do you want to add AKI to CA cert?

[ppatierno]

Sorry, I lost the CSR generation above.

Do you want to add AKI to CA cert?

I would do it for consistency across all the certificates generated by Strimzi. I know it's going to be a redundant copy of the SKI but it makes all the certificates looking the same from this pov. Do you see any drawbacks in doing it?

[o-afanasenko]

Yes, it is possible to add AKI to all certificates. I did the minimal changes to fix the problem. But if you want I can change PR to do this. What is better for you: add another openssl.conf to generate CSR or programatically remove authorityKeyIdentifier for CSR?

[o-afanasenko]

No drawbacks, maybe little redundant for CA but may be useful for client certificates

[ppatierno]

I think that the current programmatic approach would be better.

[scholzj]

Aside from my comment on the issue ... how does this diff it against the existing certificate to know that it needs to be recreated? If it is used only for new certificates, it can create pretty wierd mess with some certs having it, some not etc.

[o-afanasenko]

Aside from my comment on the issue ... how does this diff it against the existing certificate to know that it needs to be recreated? If it is used only for new certificates, it can create pretty wierd mess with some certs having it, some not etc.

This code itself doesn't cause rotation of certificates. To fix the issue I removed secret <cluster-name>_-kafka-brokers in Kafka namespace and strimzi operator recreated it. With new broker certificates the problem was fixed

[scholzj]

Well, that is pretty random and might break things in some scenarios. Also, while that might work for you, it means that for most users the change would actually happen in a very undeterministic fashion during the next year or more after it is introduced while some new certs might get ot earlier before the old certs. So again, I think this needs to be discussed and considered.

…

On Tue, May 6, 2025, 06:55 o-afanasenko ***@***.***> wrote: *o-afanasenko* left a comment (strimzi/strimzi-kafka-operator#11399) <#11399 (comment)> Aside from my comment on the issue ... how does this diff it against the existing certificate to know that it needs to be recreated? If it is used only for new certificates, it can create pretty wierd mess with some certs having it, some not etc. This code itself doesn't cause rotation of certificates. To fix the issue I removed secret <cluster-name>_-kafka-brokers in Kafka namespace and strimzi operator recreated it. With new broker certificates the problem was fixed — Reply to this email directly, view it on GitHub <#11399 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABLFORYJF4KPJMFN2OHI74D25BFFFAVCNFSM6AAAAAB4HXRAX2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNJTGM2TSNZYGE> . You are receiving this because you commented.Message ID: ***@***.***>