Looking at the contents of various certificates and the ones generated through the standard openssl procedure, I noticed that the AuthorityKeyIdentifier was set, for the openssl root certificate, to itself. Probably there is a way to overcome that... but I don't know it...
Then I developed a small application with Java 11 & BouncyCastle to generate root certificates and keys, now on GitHub: https://github.com/kendarorg/JavaCaCertGenerator
The root certificates generated with this tool DO NOT CONTAIN the AuthorityKeyIdentifier and can be installed with keytool directly in the cacert store. When I then create the CSR and the ext file with the domain names, this will be validated against the cacert store containing the root... and no more handshake exceptions!
Maybe the cacert does not allow a recursive AuthorityKeyIdentifier? I don't know, but I'll appreciate some review :)
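Added example (not part of the original post and not taken from JavaCaCertGenerator): with openssl alone, a self-signed root comes out without the AuthorityKeyIdentifier when the extension section named by `x509_extensions` does not list it; the stock `openssl.cnf` lists it in `[ v3_ca ]`. The file names, the subject CN and the section names `dn` and `v3_root` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: build a self-signed root CA whose extension section leaves out
# authorityKeyIdentifier, then check the resulting certificate for the extension.
# All file names and the subject below are constructed sample values.

make_root_without_aki() {
    local dir=$1
    cat > "$dir/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_root
prompt             = no

[ dn ]
CN = Example Test Root CA

[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# no authorityKeyIdentifier line here, so the root carries no AKI
EOF
    # -x509 makes req emit a self-signed certificate instead of a CSR
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/root.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
}

# Exit status 0 if the certificate contains an Authority Key Identifier extension
has_aki() {
    openssl x509 -in "$1" -noout -text | grep -q 'Authority Key Identifier'
}
```

Call `make_root_without_aki` with a scratch directory, then run `has_aki` on the resulting `root.pem` before importing it with keytool; the same check works on a root produced by any other tool.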