Add AKI to child CA certificates

newsfragments/642.bugfix.rst

@@ -0,0 +1 @@
+Add the Authority Key Identifier extension to child CA certificates.

src/trustme/__init__.py

@@ -246,18 +246,27 @@ def __init__(
         )
         issuer = name
         sign_key = self._private_key
+        aki: Optional[x509.AuthorityKeyIdentifier]
         if parent_cert is not None:
             sign_key = parent_cert._private_key
             parent_certificate = parent_cert._certificate
             issuer = parent_certificate.subject
-
-        self._certificate = (
+            ski_ext = parent_certificate.extensions.get_extension_for_class(
+                x509.SubjectKeyIdentifier)
+            aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext.value)
+        else:
+            aki = None
+        cert_builder = (
             _cert_builder_common(name, issuer, self._private_key.public_key())
             .add_extension(
                 x509.BasicConstraints(ca=True, path_length=path_length),
                 critical=True,
             )
-            .add_extension(
+        )
+        if aki:
+            cert_builder = cert_builder.add_extension(aki, critical=False)
+        self._certificate = (
+            cert_builder.add_extension(
                 x509.KeyUsage(
                     digital_signature=True,  # OCSP
                     content_commitment=False,

tests/test_trustme.py

@@ -200,6 +200,11 @@ def test_intermediate() -> None:
     assert_is_ca(child_ca_cert)
     assert child_ca_cert.issuer == ca_cert.subject
     assert _path_length(child_ca_cert) == 8
+    aki = child_ca_cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
+    assert aki.critical is False
+    expected_aki_key_id = ca_cert.extensions.get_extension_for_class(
+        x509.SubjectKeyIdentifier).value.digest
+    assert aki.value.key_identifier == expected_aki_key_id
 
     child_server = child_ca.issue_cert("test-host.example.org")
     assert len(child_server.cert_chain_pems) == 2