
Add Authority Key Identifier to locally signed certificate #66

Closed
wants to merge 1 commit into from

Conversation

Q69K

@Q69K Q69K commented Dec 10, 2019

No description provided.

@ghost ghost added the size/M label Dec 10, 2019
@hashicorp-cla

hashicorp-cla commented Nov 22, 2020

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


Alex Hasselbach seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

Base automatically changed from master to main February 1, 2021 17:28
@iosifnicolae2

Any news on this functionality?

@karelorigin

Encountered this issue when trying to import a Terraform generated CA intermediate into Vault. It's been open for years, would be nice if we could get this merged :)

Looks like the PR author still needs to sign the CLA agreement. CC: @Q69K

@irigon

irigon commented Apr 15, 2022

Found this issue, as some certificates stop working as we updated the OpenSSL version.
When both CA and server CSR have the same subject, the field Key Identifier is omitted in the certificate.
After OpenSSL 1.1.1k (I am testing with 1.1.1n), additional checks seem to be merged resulting in an SSL error: "error 18 at 0 depth lookup: self signed certificate".
As a workaround for the ones having the same issue while it is not fixed, changing the CN on the server certificate CSR or adding additional fields to the subject was enough to cause the X509v3 Authority Key Identifier field to be added to the certificate.

@detro detro modified the milestones: next.major, next.minor Apr 28, 2022
@detro
Contributor

detro commented May 13, 2022

Hello and thanks for the contribution.

Because no example was provided to reproduce this, I have tested it and found that, for tls_locally_signed_cert, if the provided CA carries a value for SubjectKeyId, then the underlying x509.CreateCertificate function will indeed populate the AuthorityKeyIdentifier (please see here).

Additionally, local testing where I tried to reproduce, showed that the behaviour is what the x509 library correctly does.

This is NOT the case for tls_self_signed_cert, where in the current implementation the AuthorityKeyIdentifier is indeed not set (as reported in #56).

As I started working on this together with #56, I'll have a PR incoming that will close both.
But I just wanted to emphasize that the issue reported here lies in the provided CA to the tls_locally_signed_cert resource, not the resource itself.

Thank you.
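To check both observations in this thread locally, here is an added Go example (not the provider's own code) that signs a leaf with crypto/x509 and reads back its AuthorityKeyId; the CA subject, the SKID value and the keys are constructed placeholders. A CA carrying a SubjectKeyId gets copied into the leaf's AKI, as detro describes, while a leaf whose subject equals the CA subject, the case irigon hit, is treated by the library as self-signed and gets no AKI even though the CA has a SKID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed values: the CA subject, the SKID the CA is assumed to carry, and throwaway P-256 keys (key errors ignored).
const caCN = "example-ca"
var caSKID = []byte("constructed-ca-skid")
var caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
var leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// signLeaf signs a leaf (CN leafCN) with a CA that has or lacks caSKID and returns the parsed leaf for inspection.
func signLeaf(caHasSKID bool, leafCN string) (*x509.Certificate, error) {
	// The parent stands in for the parsed CA cert; only its Subject and SubjectKeyId affect the child's AKI.
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: caCN},
		IsCA:         true,
	}
	if caHasSKID {
		ca.SubjectKeyId = caSKID
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafCN},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Same CA with SKID; the second leaf reuses the CA subject and so loses its AKI.
	for _, cn := range []string{"example-leaf", caCN} {
		if leaf, err := signLeaf(true, cn); err == nil {
			fmt.Printf("leaf CN=%q -> AKI=%x\n", cn, leaf.AuthorityKeyId)
		}
	}
}
```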


I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 28, 2024