openssl_certificate/csr(_info): add support for SubjectKeyIdentifier and AuthorityKeyIdentifier (#60741)

* Add support for SubjectKeyIdentifier and AuthorityKeyIdentifier to _info modules.

* Adding SubjectKeyIdentifier and AuthorityKeyIdentifier support to openssl_certificate and openssl_csr.

* Fix type of authority_cert_issuer.

* Add basic tests.

* Add changelog.

* Added proper tests for _info modules.

* Fix docs bug.

* Make sure new features are only used when cryptography backend for openssl_csr is available.

* Work around jinja2 being too old on some CI hosts.

* Add tests for openssl_csr.

* Add openssl_certificate tests.

* Fix idempotence test.

* Move one level up.

* Add ownca_create_authority_key_identifier option.

* Add ownca_create_authority_key_identifier option.

* Add idempotency check.

* Apparently the function call expected different args for cryptography < 2.7.

* Fix copy'n'paste errors and typos.

* string -> general name.

* Add disclaimer.

* Implement always_create / create_if_not_provided / never_create for openssl_certificate.

* Update changelog and porting guide.

* Add comments for defaults.

changelogs/fragments/60741-openssl-cert-csr-key-identifier.yml

@@ -0,0 +1,6 @@
+minor_changes:
+- "openssl_certificate - add support for subject key identifier and authority key identifier extensions. Subject key identifiers are created by default when not explicitly disabled."
+- "openssl_certificate - the ``ownca`` provider creates authority key identifiers if not explicitly disabled with ``ownca_create_authority_key_identifier: no``."
+- "openssl_certificate_info - add support for subject key identifier and authority key identifier extensions."
+- "openssl_csr - add support for subject key identifier and authority key identifier extensions."
+- "openssl_csr_info - add support for subject key identifier and authority key identifier extensions."

docs/docsite/rst/porting_guides/porting_guide_2.9.rst

@@ -306,6 +306,8 @@ Noteworthy module changes
 * `mysql_db <mysql_db_module>` returns new `db_list` parameter in addition to `db` parameter. This `db_list` parameter refers to list of database names. `db` parameter will be deprecated in version `2.13`.
 * `snow_record <snow_record_module>` and `snow_record_find <snow_record_find_module>` now takes environment variables for `instance`, `username` and `password` parameters. This change marks these parameters as optional.
 * The deprecated ``force`` option in ``win_firewall_rule`` has been removed.
+* :ref:`openssl_certificate <openssl_certificate_module>`'s ``ownca`` provider creates authority key identifiers if not explicitly disabled with ``ownca_create_authority_key_identifier: no``. This is only the case for the ``cryptography`` backend, which is selected by default if the ``cryptography`` library is available.
+* :ref:`openssl_certificate <openssl_certificate_module>`'s ``ownca`` and ``selfsigned`` providers create subject key identifiers if not explicitly disabled with ``ownca_create_subject_key_identifier: never_create`` resp. ``selfsigned_create_subject_key_identifier: never_create``. If a subject key identifier is provided by the CSR, it is taken; if not, it is created from the public key. This is only the case for the ``cryptography`` backend, which is selected by default if the ``cryptography`` library is available.
 
 
 Plugins

lib/ansible/modules/crypto/openssl_certificate.py

@@ -138,6 +138,21 @@ options:
         default: +3650d
         aliases: [ selfsigned_notAfter ]
 
+    selfsigned_create_subject_key_identifier:
+        description:
+            - Whether to create the Subject Key Identifier (SKI) from the public key.
+            - A value of C(create_if_not_provided) (default) only creates a SKI when the CSR does not
+              provide one.
+            - A value of C(always_create) always creates a SKI. If the CSR provides one, that one is
+              ignored.
+            - A value of C(never_create) never creates a SKI. If the CSR provides one, that one is used.
+            - This is only used by the C(selfsigned) provider.
+            - Note that this is only supported if the C(cryptography) backend is used!
+        type: str
+        choices: [create_if_not_provided, always_create, never_create]
+        default: create_if_not_provided
+        version_added: "2.9"
+
     ownca_path:
         description:
             - Remote absolute path of the CA (Certificate Authority) certificate.
@@ -204,6 +219,33 @@ options:
         default: +3650d
         version_added: "2.7"
 
+    ownca_create_subject_key_identifier:
+        description:
+            - Whether to create the Subject Key Identifier (SKI) from the public key.
+            - A value of C(create_if_not_provided) (default) only creates a SKI when the CSR does not
+              provide one.
+            - A value of C(always_create) always creates a SKI. If the CSR provides one, that one is
+              ignored.
+            - A value of C(never_create) never creates a SKI. If the CSR provides one, that one is used.
+            - This is only used by the C(ownca) provider.
+            - Note that this is only supported if the C(cryptography) backend is used!
+        type: str
+        choices: [create_if_not_provided, always_create, never_create]
+        default: create_if_not_provided
+        version_added: "2.9"
+
+    ownca_create_authority_key_identifier:
+        description:
+            - Create a Authority Key Identifier from the CA's certificate. If the CSR provided
+              a authority key identifier, it is ignored.
+            - The Authority Key Identifier is generated from the CA certificate's Subject Key Identifier,
+              if available. If it is not available, the CA certificate's public key will be used.
+            - This is only used by the C(ownca) provider.
+            - Note that this is only supported if the C(cryptography) backend is used!
+        type: bool
+        default: yes
+        version_added: "2.9"
+
     acme_accountkey_path:
         description:
             - The path to the accountkey for the C(acme) provider.
@@ -843,6 +885,11 @@ class Certificate(crypto_utils.OpenSSLObject):
         self.backend = backend
         self.module = module
 
+        # The following are default values which make sure check() works as
+        # before if providers do not explicitly change these properties.
+        self.create_subject_key_identifier = 'never_create'
+        self.create_authority_key_identifier = False
+
         self.backup = module.params['backup']
         self.backup_file = None
 
@@ -918,13 +965,21 @@ class Certificate(crypto_utils.OpenSSLObject):
             if self.csr.subject != self.cert.subject:
                 return False
             # Check extensions
-            cert_exts = self.cert.extensions
+            cert_exts = list(self.cert.extensions)
-            csr_exts = self.csr.extensions
+            csr_exts = list(self.csr.extensions)
+            if self.create_subject_key_identifier != 'never_create':
+                # Filter out SubjectKeyIdentifier extension before comparison
+                cert_exts = list(filter(lambda x: not isinstance(x.value, x509.SubjectKeyIdentifier), cert_exts))
+                csr_exts = list(filter(lambda x: not isinstance(x.value, x509.SubjectKeyIdentifier), csr_exts))
+            if self.create_authority_key_identifier:
+                # Filter out AuthorityKeyIdentifier extension before comparison
+                cert_exts = list(filter(lambda x: not isinstance(x.value, x509.AuthorityKeyIdentifier), cert_exts))
+                csr_exts = list(filter(lambda x: not isinstance(x.value, x509.AuthorityKeyIdentifier), csr_exts))
             if len(cert_exts) != len(csr_exts):
                 return False
             for cert_ext in cert_exts:
                 try:
-                    csr_ext = csr_exts.get_extension_for_oid(cert_ext.oid)
+                    csr_ext = self.csr.extensions.get_extension_for_oid(cert_ext.oid)
                     if cert_ext != csr_ext:
                         return False
                 except cryptography.x509.ExtensionNotFound as dummy:
@@ -966,6 +1021,29 @@ class Certificate(crypto_utils.OpenSSLObject):
             if not self._validate_csr():
                 return False
 
+        # Check SubjectKeyIdentifier
+        if self.backend == 'cryptography' and self.create_subject_key_identifier != 'never_create':
+            # Get hold of certificate's SKI
+            try:
+                ext = self.cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+            except cryptography.x509.ExtensionNotFound as dummy:
+                return False
+            # Get hold of CSR's SKI for 'create_if_not_provided'
+            csr_ext = None
+            if self.create_subject_key_identifier == 'create_if_not_provided':
+                try:
+                    csr_ext = self.csr.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+                except cryptography.x509.ExtensionNotFound as dummy:
+                    pass
+            if csr_ext is None:
+                # If CSR had no SKI, or we chose to ignore it ('always_create'), compare with created SKI
+                if ext.value.digest != x509.SubjectKeyIdentifier.from_public_key(self.cert.public_key()).digest:
+                    return False
+            else:
+                # If CSR had SKI and we didn't ignore it ('create_if_not_provided'), compare SKIs
+                if ext.value.digest != csr_ext.value.digest:
+                    return False
+
         return True
 
 
@@ -995,6 +1073,7 @@ class SelfSignedCertificateCryptography(Certificate):
     """Generate the self-signed certificate, using the cryptography backend"""
     def __init__(self, module):
         super(SelfSignedCertificateCryptography, self).__init__(module, 'cryptography')
+        self.create_subject_key_identifier = module.params['selfsigned_create_subject_key_identifier']
         self.notBefore = self.get_relative_time_option(module.params['selfsigned_not_before'], 'selfsigned_not_before')
         self.notAfter = self.get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after')
         self.digest = crypto_utils.select_message_digest(module.params['selfsigned_digest'])
@@ -1043,8 +1122,18 @@ class SelfSignedCertificateCryptography(Certificate):
                 cert_builder = cert_builder.not_valid_before(self.notBefore)
                 cert_builder = cert_builder.not_valid_after(self.notAfter)
                 cert_builder = cert_builder.public_key(self.privatekey.public_key())
+                has_ski = False
                 for extension in self.csr.extensions:
+                    if isinstance(extension.value, x509.SubjectKeyIdentifier):
+                        if self.create_subject_key_identifier == 'always_create':
+                            continue
+                        has_ski = True
                     cert_builder = cert_builder.add_extension(extension.value, critical=extension.critical)
+                if not has_ski and self.create_subject_key_identifier != 'never_create':
+                    cert_builder = cert_builder.add_extension(
+                        x509.SubjectKeyIdentifier.from_public_key(self.privatekey.public_key()),
+                        critical=False
+                    )
             except ValueError as e:
                 raise CertificateError(str(e))
 
@@ -1098,6 +1187,8 @@ class SelfSignedCertificate(Certificate):
 
     def __init__(self, module):
         super(SelfSignedCertificate, self).__init__(module, 'pyopenssl')
+        if module.params['selfsigned_create_subject_key_identifier'] != 'create_if_not_provided':
+            module.fail_json(msg='selfsigned_create_subject_key_identifier cannot be used with the pyOpenSSL backend!')
         self.notBefore = self.get_relative_time_option(module.params['selfsigned_not_before'], 'selfsigned_not_before')
         self.notAfter = self.get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after')
         self.digest = module.params['selfsigned_digest']
@@ -1187,6 +1278,8 @@ class OwnCACertificateCryptography(Certificate):
     """Generate the own CA certificate. Using the cryptography backend"""
     def __init__(self, module):
         super(OwnCACertificateCryptography, self).__init__(module, 'cryptography')
+        self.create_subject_key_identifier = module.params['ownca_create_subject_key_identifier']
+        self.create_authority_key_identifier = module.params['ownca_create_authority_key_identifier']
         self.notBefore = self.get_relative_time_option(module.params['ownca_not_before'], 'ownca_not_before')
         self.notAfter = self.get_relative_time_option(module.params['ownca_not_after'], 'ownca_not_after')
         self.digest = crypto_utils.select_message_digest(module.params['ownca_digest'])
@@ -1243,8 +1336,34 @@ class OwnCACertificateCryptography(Certificate):
             cert_builder = cert_builder.not_valid_before(self.notBefore)
             cert_builder = cert_builder.not_valid_after(self.notAfter)
             cert_builder = cert_builder.public_key(self.csr.public_key())
+            has_ski = False
             for extension in self.csr.extensions:
+                if isinstance(extension.value, x509.SubjectKeyIdentifier):
+                    if self.create_subject_key_identifier == 'always_create':
+                        continue
+                    has_ski = True
+                if self.create_authority_key_identifier and isinstance(extension.value, x509.AuthorityKeyIdentifier):
+                    continue
                 cert_builder = cert_builder.add_extension(extension.value, critical=extension.critical)
+            if not has_ski and self.create_subject_key_identifier != 'never_create':
+                cert_builder = cert_builder.add_extension(
+                    x509.SubjectKeyIdentifier.from_public_key(self.csr.public_key()),
+                    critical=False
+                )
+            if self.create_authority_key_identifier:
+                try:
+                    ext = self.ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+                    cert_builder = cert_builder.add_extension(
+                        x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ext.value)
+                        if CRYPTOGRAPHY_VERSION >= LooseVersion('2.7') else
+                        x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ext),
+                        critical=False
+                    )
+                except cryptography.x509.ExtensionNotFound:
+                    cert_builder = cert_builder.add_extension(
+                        x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_cert.public_key()),
+                        critical=False
+                    )
 
             certificate = cert_builder.sign(
                 private_key=self.ca_private_key, algorithm=self.digest,
@@ -1264,6 +1383,32 @@ class OwnCACertificateCryptography(Certificate):
         if module.set_fs_attributes_if_different(file_args, False):
             self.changed = True
 
+    def check(self, module, perms_required=True):
+        """Ensure the resource is in its desired state."""
+
+        if not super(OwnCACertificateCryptography, self).check(module, perms_required):
+            return False
+
+        # Check AuthorityKeyIdentifier
+        if self.create_authority_key_identifier:
+            try:
+                ext = self.ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+                expected_ext = (
+                    x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ext.value)
+                    if CRYPTOGRAPHY_VERSION >= LooseVersion('2.7') else
+                    x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ext)
+                )
+            except cryptography.x509.ExtensionNotFound:
+                expected_ext = x509.AuthorityKeyIdentifier.from_issuer_public_key(self.ca_cert.public_key())
+            try:
+                ext = self.cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
+                if ext.value != expected_ext:
+                    return False
+            except cryptography.x509.ExtensionNotFound as dummy:
+                return False
+
+        return True
+
     def dump(self, check_mode=False):
 
         result = {
@@ -1303,6 +1448,10 @@ class OwnCACertificate(Certificate):
         self.digest = module.params['ownca_digest']
         self.version = module.params['ownca_version']
         self.serial_number = randint(1000, 99999)
+        if module.params['ownca_create_subject_key_identifier'] != 'create_if_not_provided':
+            module.fail_json(msg='ownca_create_subject_key_identifier cannot be used with the pyOpenSSL backend!')
+        if module.params['ownca_create_authority_key_identifier']:
+            module.warn('ownca_create_authority_key_identifier is ignored by the pyOpenSSL backend!')
         self.ca_cert_path = module.params['ownca_path']
         self.ca_privatekey_path = module.params['ownca_privatekey_path']
         self.ca_privatekey_passphrase = module.params['ownca_privatekey_passphrase']
@@ -2268,6 +2417,11 @@ def main():
             selfsigned_digest=dict(type='str', default='sha256'),
             selfsigned_not_before=dict(type='str', default='+0s', aliases=['selfsigned_notBefore']),
             selfsigned_not_after=dict(type='str', default='+3650d', aliases=['selfsigned_notAfter']),
+            selfsigned_create_subject_key_identifier=dict(
+                type='str',
+                default='create_if_not_provided',
+                choices=['create_if_not_provided', 'always_create', 'never_create']
+            ),
 
             # provider: ownca
             ownca_path=dict(type='path'),
@@ -2277,6 +2431,12 @@ def main():
             ownca_version=dict(type='int', default=3),
             ownca_not_before=dict(type='str', default='+0s'),
             ownca_not_after=dict(type='str', default='+3650d'),
+            ownca_create_subject_key_identifier=dict(
+                type='str',
+                default='create_if_not_provided',
+                choices=['create_if_not_provided', 'always_create', 'never_create']
+            ),
+            ownca_create_authority_key_identifier=dict(type='bool', default=True),
 
             # provider: acme
             acme_accountkey_path=dict(type='path'),

lib/ansible/modules/crypto/openssl_certificate_info.py

@@ -238,10 +238,45 @@ valid_at:
                  or not.
     returned: success
     type: dict
+subject_key_identifier:
+    description:
+        - The certificate's subject key identifier.
+        - The identifier is returned in hexadecimal, with C(:) used to separate bytes.
+        - Is C(none) if the C(SubjectKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: str
+    sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
+    version_added: "2.9"
+authority_key_identifier:
+    description:
+        - The certificate's authority key identifier.
+        - The identifier is returned in hexadecimal, with C(:) used to separate bytes.
+        - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: str
+    sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
+    version_added: "2.9"
+authority_cert_issuer:
+    description:
+        - The certificate's authority cert issuer as a list of general names.
+        - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: list
+    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    version_added: "2.9"
+authority_cert_serial_number:
+    description:
+        - The certificate's authority cert serial number.
+        - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: int
+    sample: '12345'
+    version_added: "2.9"
 '''
 
 
 import abc
+import binascii
 import datetime
 import os
 import traceback
@@ -392,6 +427,14 @@ class CertificateInfo(crypto_utils.OpenSSLObject):
     def _get_public_key(self, binary):
         pass
 
+    @abc.abstractmethod
+    def _get_subject_key_identifier(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_authority_key_identifier(self):
+        pass
+
     @abc.abstractmethod
     def _get_serial_number(self):
         pass
@@ -437,6 +480,21 @@ class CertificateInfo(crypto_utils.OpenSSLObject):
         pk = self._get_public_key(binary=True)
         result['public_key_fingerprints'] = crypto_utils.get_fingerprint_of_bytes(pk) if pk is not None else dict()
 
+        if self.backend != 'pyopenssl':
+            ski = self._get_subject_key_identifier()
+            if ski is not None:
+                ski = to_native(binascii.hexlify(ski))
+                ski = ':'.join([ski[i:i + 2] for i in range(0, len(ski), 2)])
+            result['subject_key_identifier'] = ski
+
+            aki, aci, acsn = self._get_authority_key_identifier()
+            if aki is not None:
+                aki = to_native(binascii.hexlify(aki))
+                aki = ':'.join([aki[i:i + 2] for i in range(0, len(aki), 2)])
+            result['authority_key_identifier'] = aki
+            result['authority_cert_issuer'] = aci
+            result['authority_cert_serial_number'] = acsn
+
         result['serial_number'] = self._get_serial_number()
         result['extensions_by_oid'] = self._get_all_extensions()
 
@@ -563,6 +621,23 @@ class CertificateInfoCryptography(CertificateInfo):
             serialization.PublicFormat.SubjectPublicKeyInfo
         )
 
+    def _get_subject_key_identifier(self):
+        try:
+            ext = self.cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+            return ext.value.digest
+        except cryptography.x509.ExtensionNotFound:
+            return None
+
+    def _get_authority_key_identifier(self):
+        try:
+            ext = self.cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
+            issuer = None
+            if ext.value.authority_cert_issuer is not None:
+                issuer = [crypto_utils.cryptography_decode_name(san) for san in ext.value.authority_cert_issuer]
+            return ext.value.key_identifier, issuer, ext.value.authority_cert_serial_number
+        except cryptography.x509.ExtensionNotFound:
+            return None, None, None
+
     def _get_serial_number(self):
         return self.cert.serial_number
 
@@ -675,6 +750,14 @@ class CertificateInfoPyOpenSSL(CertificateInfo):
                 self.module.warn('Your pyOpenSSL version does not support dumping public keys. '
                                  'Please upgrade to version 16.0 or newer, or use the cryptography backend.')
 
+    def _get_subject_key_identifier(self):
+        # Won't be implemented
+        return None
+
+    def _get_authority_key_identifier(self):
+        # Won't be implemented
+        return None, None, None
+
     def _get_serial_number(self):
         return self.cert.get_serial_number()
 

lib/ansible/modules/crypto/openssl_csr.py

@@ -200,6 +200,66 @@ options:
         type: bool
         default: no
         version_added: "2.8"
+    create_subject_key_identifier:
+        description:
+            - Create the Subject Key Identifier from the public key.
+            - "Please note that commercial CAs can ignore the value, respectively use a value of
+               their own choice instead. Specifying this option is mostly useful for self-signed
+               certificates or for own CAs."
+            - Note that this is only supported if the C(cryptography) backend is used!
+        type: bool
+        default: no
+        version_added: "2.9"
+    subject_key_identifier:
+        description:
+            - The subject key identifier as a hex string, where two bytes are separated by colons.
+            - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
+            - "Please note that commercial CAs ignore this value, respectively use a value of their
+               own choice. Specifying this option is mostly useful for self-signed certificates
+               or for own CAs."
+            - Note that this option can only be used if I(create_subject_key_identifier) is C(no).
+            - Note that this is only supported if the C(cryptography) backend is used!
+        type: str
+        version_added: "2.9"
+    authority_key_identifier:
+        description:
+            - The authority key identifier as a hex string, where two bytes are separated by colons.
+            - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
+            - If specified, I(authority_cert_issuer) must also be specified.
+            - "Please note that commercial CAs ignore this value, respectively use a value of their
+               own choice. Specifying this option is mostly useful for self-signed certificates
+               or for own CAs."
+            - Note that this is only supported if the C(cryptography) backend is used!
+            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+              I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
+        type: str
+        version_added: "2.9"
+    authority_cert_issuer:
+        description:
+            - Names that will be present in the authority cert issuer field of the certificate signing request.
+            - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
+              C(otherName) and the ones specific to your CA)
+            - "Example: C(DNS:ca.example.org)"
+            - If specified, I(authority_key_identifier) must also be specified.
+            - "Please note that commercial CAs ignore this value, respectively use a value of their
+               own choice. Specifying this option is mostly useful for self-signed certificates
+               or for own CAs."
+            - Note that this is only supported if the C(cryptography) backend is used!
+            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+              I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
+        type: list
+        version_added: "2.9"
+    authority_cert_serial_number:
+        description:
+            - The authority cert serial number.
+            - Note that this is only supported if the C(cryptography) backend is used!
+            - "Please note that commercial CAs ignore this value, respectively use a value of their
+               own choice. Specifying this option is mostly useful for self-signed certificates
+               or for own CAs."
+            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+              I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
+        type: int
+        version_added: "2.9"
 extends_documentation_fragment:
 - files
 notes:
@@ -329,6 +389,7 @@ backup_file:
 '''
 
 import abc
+import binascii
 import os
 import traceback
 from distutils.version import LooseVersion
@@ -406,9 +467,17 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
         self.basicConstraints_critical = module.params['basic_constraints_critical']
         self.ocspMustStaple = module.params['ocsp_must_staple']
         self.ocspMustStaple_critical = module.params['ocsp_must_staple_critical']
+        self.create_subject_key_identifier = module.params['create_subject_key_identifier']
+        self.subject_key_identifier = module.params['subject_key_identifier']
+        self.authority_key_identifier = module.params['authority_key_identifier']
+        self.authority_cert_issuer = module.params['authority_cert_issuer']
+        self.authority_cert_serial_number = module.params['authority_cert_serial_number']
         self.request = None
         self.privatekey = None
 
+        if self.create_subject_key_identifier and self.subject_key_identifier is not None:
+            module.fail_json(msg='subject_key_identifier cannot be specified if create_subject_key_identifier is true')
+
         self.backup = module.params['backup']
         self.backup_file = None
 
@@ -432,6 +501,18 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
                     self.subjectAltName = ['DNS:%s' % sub[1]]
                     break
 
+        if self.subject_key_identifier is not None:
+            try:
+                self.subject_key_identifier = binascii.unhexlify(self.subject_key_identifier.replace(':', ''))
+            except Exception as e:
+                raise CertificateSigningRequestError('Cannot parse subject_key_identifier: {0}'.format(e))
+
+        if self.authority_key_identifier is not None:
+            try:
+                self.authority_key_identifier = binascii.unhexlify(self.authority_key_identifier.replace(':', ''))
+            except Exception as e:
+                raise CertificateSigningRequestError('Cannot parse authority_key_identifier: {0}'.format(e))
+
     @abc.abstractmethod
     def _generate_csr(self):
         pass
@@ -496,6 +577,11 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
 class CertificateSigningRequestPyOpenSSL(CertificateSigningRequestBase):
 
     def __init__(self, module):
+        if module.params['create_subject_key_identifier']:
+            module.fail_json(msg='You cannot use create_subject_key_identifier with the pyOpenSSL backend!')
+        for o in ('subject_key_identifier', 'authority_key_identifier', 'authority_cert_issuer', 'authority_cert_serial_number'):
+            if module.params[o] is not None:
+                module.fail_json(msg='You cannot use {0} with the pyOpenSSL backend!'.format(o))
         super(CertificateSigningRequestPyOpenSSL, self).__init__(module)
 
     def _generate_csr(self):
@@ -691,6 +777,23 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
                     critical=self.ocspMustStaple_critical
                 )
 
+        if self.create_subject_key_identifier:
+            csr = csr.add_extension(
+                cryptography.x509.SubjectKeyIdentifier.from_public_key(self.privatekey.public_key()),
+                critical=False
+            )
+        elif self.subject_key_identifier is not None:
+            csr = csr.add_extension(cryptography.x509.SubjectKeyIdentifier(self.subject_key_identifier), critical=False)
+
+        if self.authority_key_identifier is not None or self.authority_cert_issuer is not None or self.authority_cert_serial_number is not None:
+            issuers = None
+            if self.authority_cert_issuer is not None:
+                issuers = [crypto_utils.cryptography_get_name(n) for n in self.authority_cert_issuer]
+            csr = csr.add_extension(
+                cryptography.x509.AuthorityKeyIdentifier(self.authority_key_identifier, issuers, self.authority_cert_serial_number),
+                critical=False
+            )
+
         digest = None
         if self.digest == 'sha256':
             digest = cryptography.hazmat.primitives.hashes.SHA256()
@@ -806,11 +909,42 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
             else:
                 return tlsfeature_ext is None
 
+        def _check_subject_key_identifier(extensions):
+            ext = _find_extension(extensions, cryptography.x509.SubjectKeyIdentifier)
+            if self.create_subject_key_identifier or self.subject_key_identifier is not None:
+                if not ext or ext.critical:
+                    return False
+                if self.create_subject_key_identifier:
+                    digest = cryptography.x509.SubjectKeyIdentifier.from_public_key(self.privatekey.public_key()).digest
+                    return ext.value.digest == digest
+                else:
+                    return ext.value.digest == self.subject_key_identifier
+            else:
+                return ext is None
+
+        def _check_authority_key_identifier(extensions):
+            ext = _find_extension(extensions, cryptography.x509.AuthorityKeyIdentifier)
+            if self.authority_key_identifier is not None or self.authority_cert_issuer is not None or self.authority_cert_serial_number is not None:
+                if not ext or ext.critical:
+                    return False
+                aci = None
+                csr_aci = None
+                if self.authority_cert_issuer is not None:
+                    aci = [str(crypto_utils.cryptography_get_name(n)) for n in self.authority_cert_issuer]
+                if ext.value.authority_cert_issuer is not None:
+                    csr_aci = [str(n) for n in ext.value.authority_cert_issuer]
+                return (ext.value.key_identifier == self.authority_key_identifier
+                        and csr_aci == aci
+                        and ext.value.authority_cert_serial_number == self.authority_cert_serial_number)
+            else:
+                return ext is None
+
         def _check_extensions(csr):
             extensions = csr.extensions
             return (_check_subjectAltName(extensions) and _check_keyUsage(extensions) and
                     _check_extenededKeyUsage(extensions) and _check_basicConstraints(extensions) and
-                    _check_ocspMustStaple(extensions))
+                    _check_ocspMustStaple(extensions) and _check_subject_key_identifier(extensions) and
+                    _check_authority_key_identifier(extensions))
 
         def _check_signature(csr):
             if not csr.is_signature_valid:
@@ -865,8 +999,14 @@ def main():
             ocsp_must_staple=dict(type='bool', default=False, aliases=['ocspMustStaple']),
             ocsp_must_staple_critical=dict(type='bool', default=False, aliases=['ocspMustStaple_critical']),
             backup=dict(type='bool', default=False),
+            create_subject_key_identifier=dict(type='bool', default=False),
+            subject_key_identifier=dict(type='str'),
+            authority_key_identifier=dict(type='str'),
+            authority_cert_issuer=dict(type='list', elements='str'),
+            authority_cert_serial_number=dict(type='int'),
             select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
         ),
+        required_together=[('authority_cert_issuer', 'authority_cert_serial_number')],
         add_file_common_args=True,
         supports_check_mode=True,
     )

lib/ansible/modules/crypto/openssl_csr_info.py

@@ -160,10 +160,45 @@ public_key_fingerprints:
     type: dict
     sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
               'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
+subject_key_identifier:
+    description:
+        - The CSR's subject key identifier.
+        - The identifier is returned in hexadecimal, with C(:) used to separate bytes.
+        - Is C(none) if the C(SubjectKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: str
+    sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
+    version_added: "2.9"
+authority_key_identifier:
+    description:
+        - The CSR's authority key identifier.
+        - The identifier is returned in hexadecimal, with C(:) used to separate bytes.
+        - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: str
+    sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
+    version_added: "2.9"
+authority_cert_issuer:
+    description:
+        - The CSR's authority cert issuer as a list of general names.
+        - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: list
+    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    version_added: "2.9"
+authority_cert_serial_number:
+    description:
+        - The CSR's authority cert serial number.
+        - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
+    returned: success and if the pyOpenSSL backend is I(not) used
+    type: int
+    sample: '12345'
+    version_added: "2.9"
 '''
 
 
 import abc
+import binascii
 import os
 import traceback
 from distutils.version import LooseVersion
@@ -258,6 +293,14 @@ class CertificateSigningRequestInfo(crypto_utils.OpenSSLObject):
     def _get_public_key(self, binary):
         pass
 
+    @abc.abstractmethod
+    def _get_subject_key_identifier(self):
+        pass
+
+    @abc.abstractmethod
+    def _get_authority_key_identifier(self):
+        pass
+
     @abc.abstractmethod
     def _get_all_extensions(self):
         pass
@@ -285,6 +328,21 @@ class CertificateSigningRequestInfo(crypto_utils.OpenSSLObject):
         pk = self._get_public_key(binary=True)
         result['public_key_fingerprints'] = crypto_utils.get_fingerprint_of_bytes(pk) if pk is not None else dict()
 
+        if self.backend != 'pyopenssl':
+            ski = self._get_subject_key_identifier()
+            if ski is not None:
+                ski = to_native(binascii.hexlify(ski))
+                ski = ':'.join([ski[i:i + 2] for i in range(0, len(ski), 2)])
+            result['subject_key_identifier'] = ski
+
+            aki, aci, acsn = self._get_authority_key_identifier()
+            if aki is not None:
+                aki = to_native(binascii.hexlify(aki))
+                aki = ':'.join([aki[i:i + 2] for i in range(0, len(aki), 2)])
+            result['authority_key_identifier'] = aki
+            result['authority_cert_issuer'] = aci
+            result['authority_cert_serial_number'] = acsn
+
         result['extensions_by_oid'] = self._get_all_extensions()
 
         result['signature_valid'] = self._is_signature_valid()
@@ -394,6 +452,23 @@ class CertificateSigningRequestInfoCryptography(CertificateSigningRequestInfo):
             serialization.PublicFormat.SubjectPublicKeyInfo
         )
 
+    def _get_subject_key_identifier(self):
+        try:
+            ext = self.csr.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+            return ext.value.digest
+        except cryptography.x509.ExtensionNotFound:
+            return None
+
+    def _get_authority_key_identifier(self):
+        try:
+            ext = self.csr.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
+            issuer = None
+            if ext.value.authority_cert_issuer is not None:
+                issuer = [crypto_utils.cryptography_decode_name(san) for san in ext.value.authority_cert_issuer]
+            return ext.value.key_identifier, issuer, ext.value.authority_cert_serial_number
+        except cryptography.x509.ExtensionNotFound:
+            return None, None, None
+
     def _get_all_extensions(self):
         return crypto_utils.cryptography_get_extensions_from_csr(self.csr)
 
@@ -486,6 +561,14 @@ class CertificateSigningRequestInfoPyOpenSSL(CertificateSigningRequestInfo):
                 self.module.warn('Your pyOpenSSL version does not support dumping public keys. '
                                  'Please upgrade to version 16.0 or newer, or use the cryptography backend.')
 
+    def _get_subject_key_identifier(self):
+        # Won't be implemented
+        return None
+
+    def _get_authority_key_identifier(self):
+        # Won't be implemented
+        return None, None, None
+
     def _get_all_extensions(self):
         return crypto_utils.pyopenssl_get_extensions_from_csr(self.csr)
 

test/integration/targets/openssl_certificate/tasks/ownca.yml

@@ -308,4 +308,134 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: ownca_backup_5
 
+- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_subject_key_identifier: always_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_subject_key_identifier_1
+
+- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (idempotency)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_subject_key_identifier: always_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_subject_key_identifier_2
+
+- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_subject_key_identifier: never_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_subject_key_identifier_3
+
+- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (remove idempotency)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_subject_key_identifier: never_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_subject_key_identifier_4
+
+- name: (OwnCA, {{select_crypto_backend}}) Create subject key identifier (re-enable)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_subject_key_identifier: always_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_subject_key_identifier_5
+
+- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_aki.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_authority_key_identifier: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_authority_key_identifier_1
+
+- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (idempotency)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_aki.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_authority_key_identifier: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_authority_key_identifier_2
+
+- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_aki.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_authority_key_identifier: no
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_authority_key_identifier_3
+
+- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (remove idempotency)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_aki.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_authority_key_identifier: no
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_authority_key_identifier_4
+
+- name: (OwnCA, {{select_crypto_backend}}) Create authority key identifier (re-add)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_aki.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    ownca_create_authority_key_identifier: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: ownca_authority_key_identifier_5
+
 - import_tasks: ../tests/validate_ownca.yml

test/integration/targets/openssl_certificate/tasks/selfsigned.yml

@@ -308,4 +308,64 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: selfsigned_backup_5
 
+- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_create_subject_key_identifier: always_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: selfsigned_subject_key_identifier_1
+
+- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (idempotency)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_create_subject_key_identifier: always_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: selfsigned_subject_key_identifier_2
+
+- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_create_subject_key_identifier: never_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: selfsigned_subject_key_identifier_3
+
+- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (remove idempotency)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_create_subject_key_identifier: never_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: selfsigned_subject_key_identifier_4
+
+- name: (Selfsigned, {{select_crypto_backend}}) Create subject key identifier test (re-enable)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_ski.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_create_subject_key_identifier: always_create
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: selfsigned_subject_key_identifier_5
+
 - import_tasks: ../tests/validate_selfsigned.yml

test/integration/targets/openssl_certificate/tests/validate_ownca.yml

@@ -120,3 +120,23 @@
       - ownca_backup_4.backup_file is string
       - ownca_backup_5 is not changed
       - ownca_backup_5.backup_file is undefined
+
+- name: Check create subject key identifier
+  assert:
+    that:
+      - ownca_subject_key_identifier_1 is changed
+      - ownca_subject_key_identifier_2 is not changed
+      - ownca_subject_key_identifier_3 is changed
+      - ownca_subject_key_identifier_4 is not changed
+      - ownca_subject_key_identifier_5 is changed
+  when: select_crypto_backend != 'pyopenssl'
+
+- name: Check create authority key identifier
+  assert:
+    that:
+      - ownca_authority_key_identifier_1 is changed
+      - ownca_authority_key_identifier_2 is not changed
+      - ownca_authority_key_identifier_3 is changed
+      - ownca_authority_key_identifier_4 is not changed
+      - ownca_authority_key_identifier_5 is changed
+  when: select_crypto_backend != 'pyopenssl'

test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml

@@ -126,3 +126,13 @@
       - selfsigned_backup_4.backup_file is string
       - selfsigned_backup_5 is not changed
       - selfsigned_backup_5.backup_file is undefined
+
+- name: Check create subject key identifier
+  assert:
+    that:
+      - selfsigned_subject_key_identifier_1 is changed
+      - selfsigned_subject_key_identifier_2 is not changed
+      - selfsigned_subject_key_identifier_3 is changed
+      - selfsigned_subject_key_identifier_4 is not changed
+      - selfsigned_subject_key_identifier_5 is changed
+  when: select_crypto_backend != 'pyopenssl'

test/integration/targets/openssl_certificate_info/tasks/impl.yml

@@ -18,6 +18,19 @@
       - "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
       - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
 
+- name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
+  assert:
+    that:
+      - result.subject_key_identifier == "00:11:22:33"
+      - result.authority_key_identifier == "44:55:66:77"
+      - result.authority_cert_issuer == expected_authority_cert_issuer
+      - result.authority_cert_serial_number == 12345
+  vars:
+    expected_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+  when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"
@@ -47,6 +60,18 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
+- name: Check AuthorityKeyIdentifier
+  assert:
+    that:
+      - result.authority_key_identifier is none
+      - result.authority_cert_issuer == expected_authority_cert_issuer
+      - result.authority_cert_serial_number == 12345
+  vars:
+    expected_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+  when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"
@@ -57,6 +82,14 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
+- name: Check AuthorityKeyIdentifier
+  assert:
+    that:
+      - result.authority_key_identifier == "44:55:66:77"
+      - result.authority_cert_issuer is none
+      - result.authority_cert_serial_number is none
+  when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"

test/integration/targets/openssl_certificate_info/tasks/main.yml

@@ -69,6 +69,14 @@
       - "pathlen:23"
     basic_constraints_critical: yes
     ocsp_must_staple: yes
+    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
 
 - name: Generate CSR 2
   openssl_csr:
@@ -90,12 +98,19 @@
       - "IP:DEAD:BEEF::1"
     basic_constraints:
       - "CA:FALSE"
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
 
 - name: Generate CSR 4
   openssl_csr:
     path: '{{ output_dir }}/csr_4.csr'
     privatekey_path: '{{ output_dir }}/privatekey.pem'
     useCommonNameForSAN: no
+    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
 
 - name: Generate selfsigned certificates
   openssl_certificate:
@@ -147,7 +162,14 @@
   - name: Compare results
     assert:
       that:
-      - item.0 == item.1
+      - '  (item.0 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)
+        == (item.1 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)'
       quiet: yes
     loop: "{{ pyopenssl_info_results | zip(cryptography_info_results) | list }}"
   when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.6', '>=')
+  vars:
+    keys_to_ignore:
+      - subject_key_identifier
+      - authority_key_identifier
+      - authority_cert_issuer
+      - authority_cert_serial_number

test/integration/targets/openssl_certificate_info/test_plugins/jinja_compatibility.py

@@ -0,0 +1,15 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+def compatibility_in_test(a, b):
+    return a in b
+
+
+class TestModule:
+    ''' Ansible math jinja2 tests '''
+
+    def tests(self):
+        return {
+            'in': compatibility_in_test,
+        }

test/integration/targets/openssl_csr/tasks/impl.yml

@@ -339,6 +339,179 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: csr_backup_5
 
+- name: Generate CSR with subject key identifier
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ski.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    subject_key_identifier: "00:11:22:33"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: subject_key_identifier_1
+
+- name: Generate CSR with subject key identifier (idempotency)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ski.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    subject_key_identifier: "00:11:22:33"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: subject_key_identifier_2
+
+- name: Generate CSR with subject key identifier (change)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ski.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    subject_key_identifier: "44:55:66:77:88"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: subject_key_identifier_3
+
+- name: Generate CSR with subject key identifier (auto-create)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ski.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    create_subject_key_identifier: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: subject_key_identifier_4
+
+- name: Generate CSR with subject key identifier (auto-create idempotency)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ski.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    create_subject_key_identifier: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: subject_key_identifier_5
+
+- name: Generate CSR with subject key identifier (remove)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_ski.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: subject_key_identifier_6
+
+- name: Generate CSR with authority key identifier
+  openssl_csr:
+    path: '{{ output_dir }}/csr_aki.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    authority_key_identifier: "00:11:22:33"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_key_identifier_1
+
+- name: Generate CSR with authority key identifier (idempotency)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_aki.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    authority_key_identifier: "00:11:22:33"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_key_identifier_2
+
+- name: Generate CSR with authority key identifier (change)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_aki.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    authority_key_identifier: "44:55:66:77:88"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_key_identifier_3
+
+- name: Generate CSR with authority key identifier (remove)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_aki.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_key_identifier_4
+
+- name: Generate CSR with authority cert issuer / serial number
+  openssl_csr:
+    path: '{{ output_dir }}/csr_acisn.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+    authority_cert_serial_number: 12345
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_cert_issuer_sn_1
+
+- name: Generate CSR with authority cert issuer / serial number (idempotency)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_acisn.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+    authority_cert_serial_number: 12345
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_cert_issuer_sn_2
+
+- name: Generate CSR with authority cert issuer / serial number (change issuer)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_acisn.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    authority_cert_issuer:
+      - "IP:1.2.3.4"
+      - "DNS:ca.example.org"
+    authority_cert_serial_number: 12345
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_cert_issuer_sn_3
+
+- name: Generate CSR with authority cert issuer / serial number (change serial number)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_acisn.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    authority_cert_issuer:
+      - "IP:1.2.3.4"
+      - "DNS:ca.example.org"
+    authority_cert_serial_number: 54321
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_cert_issuer_sn_4
+
+- name: Generate CSR with authority cert issuer / serial number (remove)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_acisn.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+  when: select_crypto_backend != 'pyopenssl'
+  register: authority_cert_issuer_sn_5
+
 - name: Generate CSR with everything
   openssl_csr:
     path: '{{ output_dir }}/csr_everything.csr'
@@ -396,7 +569,15 @@
       - "pathlen:23"
     basic_constraints_critical: yes
     ocsp_must_staple: yes
+    subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
     select_crypto_backend: '{{ select_crypto_backend }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
   register: everything_1
 
 - name: Generate CSR with everything (idempotent, check mode)
@@ -456,7 +637,15 @@
       - "pathlen:23"
     basic_constraints_critical: yes
     ocsp_must_staple: yes
+    subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
     select_crypto_backend: '{{ select_crypto_backend }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
   check_mode: yes
   register: everything_2
 
@@ -517,5 +706,13 @@
       - "pathlen:23"
     basic_constraints_critical: yes
     ocsp_must_staple: yes
+    subject_key_identifier: '{{ "00:11:22:33" if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_key_identifier: '{{ "44:55:66:77" if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if select_crypto_backend != "pyopenssl" else omit }}'
+    authority_cert_serial_number: '{{ 12345 if select_crypto_backend != "pyopenssl" else omit }}'
     select_crypto_backend: '{{ select_crypto_backend }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
   register: everything_3

test/integration/targets/openssl_csr/tasks/main.yml

@@ -16,6 +16,8 @@
       select_crypto_backend: pyopenssl
 
   - import_tasks: ../tests/validate.yml
+    vars:
+      select_crypto_backend: pyopenssl
 
   when: pyopenssl_version.stdout is version('0.15', '>=')
 
@@ -36,5 +38,7 @@
       select_crypto_backend: cryptography
 
   - import_tasks: ../tests/validate.yml
+    vars:
+      select_crypto_backend: pyopenssl
 
   when: cryptography_version.stdout is version('1.3', '>=')

test/integration/targets/openssl_csr/tests/validate.yml

@@ -125,6 +125,36 @@
     that:
       - output_broken is changed
 
+- name: Verify that subject key identifier handling works
+  assert:
+    that:
+      - subject_key_identifier_1 is changed
+      - subject_key_identifier_2 is not changed
+      - subject_key_identifier_3 is changed
+      - subject_key_identifier_4 is changed
+      - subject_key_identifier_5 is not changed
+      - subject_key_identifier_6 is not changed
+  when: select_crypto_backend != 'pyopenssl'
+
+- name: Verify that authority key identifier handling works
+  assert:
+    that:
+      - authority_key_identifier_1 is changed
+      - authority_key_identifier_2 is not changed
+      - authority_key_identifier_3 is changed
+      - authority_key_identifier_4 is changed
+  when: select_crypto_backend != 'pyopenssl'
+
+- name: Verify that authority cert issuer / serial number handling works
+  assert:
+    that:
+      - authority_cert_issuer_sn_1 is changed
+      - authority_cert_issuer_sn_2 is not changed
+      - authority_cert_issuer_sn_3 is changed
+      - authority_cert_issuer_sn_4 is changed
+      - authority_cert_issuer_sn_5 is changed
+  when: select_crypto_backend != 'pyopenssl'
+
 - name: Check backup
   assert:
     that:

test/integration/targets/openssl_csr_info/tasks/impl.yml

@@ -15,6 +15,19 @@
       - "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
       - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
 
+- name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
+  assert:
+    that:
+      - result.subject_key_identifier == "00:11:22:33"
+      - result.authority_key_identifier == "44:55:66:77"
+      - result.authority_cert_issuer == expected_authority_cert_issuer
+      - result.authority_cert_serial_number == 12345
+  vars:
+    expected_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+  when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"
@@ -35,6 +48,18 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
+- name: Check AuthorityKeyIdentifier
+  assert:
+    that:
+      - result.authority_key_identifier is none
+      - result.authority_cert_issuer == expected_authority_cert_issuer
+      - result.authority_cert_serial_number == 12345
+  vars:
+    expected_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+  when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"
@@ -45,6 +70,14 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
+- name: Check AuthorityKeyIdentifier
+  assert:
+    that:
+      - result.authority_key_identifier == "44:55:66:77"
+      - result.authority_cert_issuer is none
+      - result.authority_cert_serial_number is none
+  when: select_crypto_backend != 'pyopenssl' and cryptography_version.stdout is version('1.3', '>=')
+
 - name: Update result list
   set_fact:
     info_results: "{{ info_results + [result] }}"

test/integration/targets/openssl_csr_info/tasks/main.yml

@@ -69,6 +69,14 @@
       - "pathlen:23"
     basic_constraints_critical: yes
     ocsp_must_staple: yes
+    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
 
 - name: Generate CSR 2
   openssl_csr:
@@ -90,12 +98,19 @@
       - "IP:DEAD:BEEF::1"
     basic_constraints:
       - "CA:FALSE"
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
 
 - name: Generate CSR 4
   openssl_csr:
     path: '{{ output_dir }}/csr_4.csr'
     privatekey_path: '{{ output_dir }}/privatekey.pem'
     useCommonNameForSAN: no
+    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
 
 - name: Prepare result list
   set_fact:
@@ -132,7 +147,14 @@
   - name: Compare results
     assert:
       that:
-      - item.0 == item.1
+      - '  (item.0 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)
+        == (item.1 | dict2items | rejectattr("key", "in", keys_to_ignore) | list | items2dict)'
       quiet: yes
     loop: "{{ pyopenssl_info_results | zip(cryptography_info_results) | list }}"
   when: pyopenssl_version.stdout is version('0.15', '>=') and cryptography_version.stdout is version('1.3', '>=')
+  vars:
+    keys_to_ignore:
+      - subject_key_identifier
+      - authority_key_identifier
+      - authority_cert_issuer
+      - authority_cert_serial_number

test/integration/targets/openssl_csr_info/test_plugins/jinja_compatibility.py

@@ -0,0 +1,15 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+def compatibility_in_test(a, b):
+    return a in b
+
+
+class TestModule:
+    ''' Ansible math jinja2 tests '''
+
+    def tests(self):
+        return {
+            'in': compatibility_in_test,
+        }