我有一个python应用程序，在其中生成一个自签名的X509证书，如下所示：

# Generate private key
privKey = rsa.generate_private_key(public_exponent=65537,\
                                   key_size=2048,\
                                   backend=default_backend())

# Definition of certificate subject and issuer (since this a self-signed certificate,
# subject and issuer coincide).
issuer = x509.Name([
         x509.NameAttribute(NameOID.COUNTRY_NAME, 'CH'),
         x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, 'TmsProvName'),
         x509.NameAttribute(NameOID.LOCALITY_NAME, 'TmsLocName'),
         x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'TmsOrgName'),
         x509.NameAttribute(NameOID.COMMON_NAME, 'TmsCommonName'),])
subject = issuer

cert = x509.CertificateBuilder()
cert = cert.subject_name(subject)
cert = cert.issuer_name(issuer)
cert = cert.public_key(privKey.public_key())
cert = cert.serial_number(x509.random_serial_number())
cert = cert.not_valid_before(datetime.datetime.utcnow())
cert = cert.not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365))

# Sign the certificate (self-signature)
cert = cert.sign(privKey, hashes.SHA384(), default_backend())

此证书既没有“使用者密钥标识符”（SKID）也没有“授权密钥标识符”（AKID）。我用它作为CA证书在一个封闭系统中签署其他证书。到目前为止，没有打滑和AKID并不是一个问题。然而，今天我开始怀疑PHP函数openssl_csr_sign实际上期望设置SKID和AKID

因此，我的问题是：我应该如何修改上面的python代码来生成带有SKID和AKID的X509证书？如果可能的话，我希望避免修改openSSL配置文件openssl.cnf