Remove Issuer/Serial from AKI in certutil/certgen (elastic/x-pack-elasticsearch#3931)

The Issuer and Serial number are optional and can cause problems with chain validation when using OpenSSL based tools relates elastic/x-pack-elasticsearch#3915 Original commit: elastic/x-pack-elasticsearch@defcdd934f
2018-02-14 23:15:11 +11:00 · 2018-02-14 23:15:11 +11:00 · e7e3584560
parent 245a063492
commit e7e3584560
1 changed files with 2 additions and 3 deletions
--- a/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertUtils.java
+++ b/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertUtils.java
@ -459,11 +459,10 @@ public class CertUtils {
                throw new IllegalArgumentException("ca certificate is not a CA!");
            }
            issuer = X500Name.getInstance(caCert.getIssuerX500Principal().getEncoded());
-            authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(caCert);
+            authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey());
        } else {
            issuer = subject;
-            authorityKeyIdentifier =
-                    extUtils.createAuthorityKeyIdentifier(keyPair.getPublic(), new X500Principal(issuer.toString()), serial);
+            authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(keyPair.getPublic());
        }

        JcaX509v3CertificateBuilder builder =