feat: generate a subject key identifier when creating a certificate (#6379) (#8329)

mergify[bot] · kruskall · michalpristas · web-flow · commit 84539781356b · 2025-06-04T13:28:44.000Z
* feat: generate a subject key identifier when creating a certificate If a subject key id is omitted, go will generate one using sha1. This is described as method 1 in RFC 5280 Section 4.2.1.2. When sha1 is not available (e.g. fips only mode) this method will panic. Update the code to explicitly pass a subject key id to avoid calling sha1 functions. The new SubjectKeyId is generated using method 1 in RFC 7093 Section 2 which takes 160-bits of the SHA-256 hash. * Update ca.go --------- (cherry picked from commit 2d22996) Co-authored-by: kruskall <99559985+kruskall@users.noreply.github.com> Co-authored-by: Michal Pristas <michal.pristas@gmail.com>
diff --git a/internal/pkg/core/authority/ca.go b/internal/pkg/core/authority/ca.go
@@ -140,6 +140,8 @@ func (c *CertificateAuthority) GeneratePairWithName(name string) (*Pair, error)
 	privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
 	publicKey := &privateKey.PublicKey
 
+	certTemplate.SubjectKeyId = generateSubjectKeyID(publicKey)
+
 	// Sign the certificate
 	certBytes, err := x509.CreateCertificate(rand.Reader, certTemplate, c.caCert, publicKey, c.privateKey)
 	if err != nil {
