Update: add AIA URL support in make_ca and make_cert functions

README.md

@@ -4,6 +4,8 @@
 
 `simple-ca.sh` is a Bash script that provides functions for creating and managing a simple Certificate Authority (CA) and generating certificates. It can create a single or two-level CA hierarchy, and generate client-server TLS certificates. The script is designed to be simple and easy to use, making it suitable for testing and development purposes, where a self-signed certificate is not sufficient.
 
+All certificates generated by this script have a random serial number.
+
 ## Functions
 
 ### `make_ca()`
@@ -16,8 +18,8 @@ Usage:
 make_ca  [--days <validity_days>] [--issuing-ca <name>] <ca_directory> <ca_name>
 ```
 
-- `ca_directory`: The directory where the CA files will be stored.
-- `ca_name`: The name of the CA.
+- `<ca_directory>`: The directory where the CA files will be stored.
+- `<ca_name>`: The name of the CA.
 - `--days <validity_days>`: Optional. The number of days the CA certificate will be valid. Default is 3650 days (10 years).
 - `--issuing-ca <name>`: Optional. If specified, creates an intermediate CA with <ca_name> as the intermediate CA name and using <name> as certificate and key file prefix for the issuing CA (instead of root's `ca`).
 
@@ -33,9 +35,9 @@ Usage:
 make_cert --ca-dir <ca_directory> [--days <validity_days>] [--issuing-ca <name>] <cert_directory> <subject_name>
 ```
 
-- `ca_directory`: The directory where the CA files are stored (used to find the CA certificate and key for signing).
-- `cert_directory`: The directory where the generated certificate and key will be stored.
-- `subject_name`: The subject name (Common Name) for the certificate.
+- `<ca_directory>`: The directory where the CA files are stored (used to find the CA certificate and key for signing).
+- `<cert_directory>`: The directory where the generated certificate and key will be stored.
+- `<subject_name>`: The subject name (Common Name) for the certificate.
 - `--days <validity_days>`: Optional. The number of days the certificate will be valid. Default is 365 days.
 - `--issuing-ca <name>`: Optional. If specified, uses the CA with the key `<name>_key.pem` and certificate `<name>_cert.pem` for signing instead of the root CA.
 
@@ -49,7 +51,7 @@ Usage:
 make_pfx --ca-dir <ca_directory> [--issuing-ca <file_prefix>] --path <pfx_file_path> [--password <pfx_password>]
 ```
 
-- `ca_directory`: The directory where the CA files are stored (used to find the CA certificate for the chain).
-- `<file_prefix>`: The file prefix of the issuing CA to include in the chain.
-- `<pfx_file_path>`: The path where the generated PFX file will be saved.
-- `<pfx_password>`: Optional. The custom password to protect the PFX, instead of the default `changeit`.
+- `--ca-dir <ca_directory>`: The directory where the CA files are stored (used to find the CA certificate for the chain).
+- `--issuing-ca <file_prefix>`: The file prefix of the issuing CA to include in the chain.
+- `--path <pfx_file_path>`: The path where the generated PFX file will be saved.
+- `--password <pfx_password>`: Optional. The custom password to protect the PFX, instead of the default `changeit`.

simple-ca.sh

@@ -42,6 +42,7 @@ function make_ca() {
 
     # CA defaults to the main CA if not specified, but can be overridden with --issuing-ca
     local CA_FILE_PREFIX="ca"
+    local AIA_BASE_URL=""
 
     while [[ $# -gt 0 ]]; do
         case "$1" in
@@ -65,6 +66,14 @@ function make_ca() {
                 CA_FILE_PREFIX="$2"
                 shift 2
                 ;;
+            --aia-base-url)
+                if [[ -z "$2" ]]; then
+                    echo "ERROR: Missing value for --aia-base-url." >&2
+                    return 1
+                fi
+                AIA_BASE_URL="$2"
+                shift 2
+                ;;
             *)
                 break
                 ;;
@@ -81,6 +90,10 @@ function make_ca() {
         return 1
     fi
 
+    if [[ -z "$AIA_BASE_URL" && -f "$CA_DIR/aia_base_url.txt" ]]; then
+        AIA_BASE_URL="$(cat "$CA_DIR/aia_base_url.txt")"
+    fi
+
     local ROOT_CA_CERT="ca_cert.pem"
     local ROOT_CA_KEY="ca_key.pem"
     local CA_CERT="${CA_FILE_PREFIX}_cert.pem"
@@ -113,6 +126,10 @@ function make_ca() {
         # Make a "hash" symlink for the CA certificate to allow OpenSSL to find it when verifying other certificates
         make_hash_link "$CA_DIR/$ROOT_CA_CERT"
 
+        if [[ -n "$AIA_BASE_URL" ]]; then
+            echo "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"
+        fi
+
         return 0
     fi
 
@@ -124,6 +141,7 @@ function make_ca() {
             -noenc \
             -subj "/CN=${CA_NAME}" \
             -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
+            ${AIA_BASE_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_BASE_URL}/ca_cert.crt"} \
         | openssl x509 \
             -req \
             -CA "$CA_DIR/$ROOT_CA_CERT" \
@@ -140,6 +158,10 @@ function make_ca() {
     # Make a "hash" symlink for the issuing CA certificate to allow OpenSSL to find it when verifying other certificates
     make_hash_link "$CA_DIR/${CA_CERT}"
 
+    if [[ -n "$AIA_BASE_URL" ]]; then
+        echo "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"
+    fi
+
     return 0
 }
 
@@ -204,6 +226,12 @@ function make_cert() {
 
     CA_DIR="${CA_DIR:-$CERT_DIR}"
 
+    local AIA_BASE_URL_FILE="$CA_DIR/aia_base_url.txt"
+    local AIA_URL=""
+    if [[ -f "$AIA_BASE_URL_FILE" ]]; then
+        AIA_URL="$(cat "$AIA_BASE_URL_FILE")/${CA_FILE_PREFIX}_cert.crt"
+    fi
+
     local CA_CERT="${CA_FILE_PREFIX}_cert.pem"
     local CA_KEY="${CA_FILE_PREFIX}_key.pem"
 
@@ -271,6 +299,7 @@ function make_cert() {
             -addext "keyUsage=digitalSignature,keyEncipherment" \
             -addext "extendedKeyUsage=serverAuth,clientAuth" \
             -addext "$SANS_EXT" \
+            ${AIA_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_URL}"} \
         | openssl x509 \
             -req \
             -CA "$CA_DIR/$CA_CERT" \
@@ -401,3 +430,4 @@ function make_pfx() {
 
     return 0
 }
+