From 677e9add5b1a016a62be106a43404a94dfe408db Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Thu, 5 Mar 2026 07:14:37 +0100
Subject: [PATCH] Update: add AIA URL support in make_ca and make_cert functions
---
 README.md | 20 +++++++++++---------
 simple-ca.sh | 30 ++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index c491304..f2db23c 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,8 @@
 `simple-ca.sh` is a Bash script that provides functions for creating and managing a simple Certificate Authority (CA) and generating certificates. It can create a single or two-level CA hierarchy, and generate client-server TLS certificates. The script is designed to be simple and easy to use, making it suitable for testing and development purposes, where a self-signed certificate is not sufficient.
+All certificates generated by this script have a random serial number.
+
 ## Functions
 ### `make_ca()`
@@ -16,8 +18,8 @@
 Usage: make_ca [--days ] [--issuing-ca ] ```
-- `ca_directory`: The directory where the CA files will be stored.
-- `ca_name`: The name of the CA.
+- ``: The directory where the CA files will be stored.
+- ``: The name of the CA.
 - `--days `: Optional. The number of days the CA certificate will be valid. Default is 3650 days (10 years).
 - `--issuing-ca `: Optional. If specified, creates an intermediate CA with as the intermediate CA name and using as certificate and key file prefix for the issuing CA (instead of root's `ca`).
@@ -33,9 +35,9 @@
 Usage: make_cert --ca-dir [--days ] [--issuing-ca ] ```
-- `ca_directory`: The directory where the CA files are stored (used to find the CA certificate and key for signing).
-- `cert_directory`: The directory where the generated certificate and key will be stored.
-- `subject_name`: The subject name (Common Name) for the certificate.
+- ``: The directory where the CA files are stored (used to find the CA certificate and key for signing).
+- ``: The directory where the generated certificate and key will be stored.
+- ``: The subject name (Common Name) for the certificate.
 - `--days `: Optional. The number of days the certificate will be valid. Default is 365 days.
 - `--issuing-ca `: Optional. If specified, uses the CA with the key `_key.pem` and certificate `_cert.pem` for signing instead of the root CA.
@@ -49,7 +51,7 @@
 Usage: make_pfx --ca-dir [--issuing-ca ] --path [--password ] ```
-- `ca_directory`: The directory where the CA files are stored (used to find the CA certificate for the chain).
-- ``: The file prefix of the issuing CA to include in the chain.
-- ``: The path where the generated PFX file will be saved.
-- ``: Optional. The custom password to protect the PFX, instead of the default `changeit`.
+- `--ca-dir `: The directory where the CA files are stored (used to find the CA certificate for the chain).
+- `--issuing-ca `: The file prefix of the issuing CA to include in the chain.
+- `--path `: The path where the generated PFX file will be saved.
+- `--password `: Optional. The custom password to protect the PFX, instead of the default `changeit`.
diff --git a/simple-ca.sh b/simple-ca.sh
index 62f3b6a..4ee7e0f 100755
--- a/simple-ca.sh
+++ b/simple-ca.sh
@@ -42,6 +42,7 @@ function make_ca() {
 # CA defaults to the main CA if not specified, but can be overridden with --issuing-ca
 local CA_FILE_PREFIX="ca"
+ local AIA_BASE_URL=""
 while [[ $# -gt 0 ]]; do
 case "$1" in
@@ -65,6 +66,14 @@ function make_ca() {
 CA_FILE_PREFIX="$2"
 shift 2
 ;;
+ --aia-base-url)
+ if [[ -z "$2" ]]; then
+ echo "ERROR: Missing value for --aia-base-url." >&2
+ return 1
+ fi
+ AIA_BASE_URL="$2"
+ shift 2
+ ;;
 *)
 break
 ;;
@@ -81,6 +90,10 @@ function make_ca() {
 return 1
 fi
+ if [[ -z "$AIA_BASE_URL" && -f "$CA_DIR/aia_base_url.txt" ]]; then
+ AIA_BASE_URL="$(cat "$CA_DIR/aia_base_url.txt")"
+ fi
+
 local ROOT_CA_CERT="ca_cert.pem"
 local ROOT_CA_KEY="ca_key.pem"
 local CA_CERT="${CA_FILE_PREFIX}_cert.pem"
@@ -113,6 +126,10 @@ function make_ca() {
 # Make a "hash" symlink for the CA certificate to allow OpenSSL to find it when verifying other certificates
 make_hash_link "$CA_DIR/$ROOT_CA_CERT"
+ if [[ -n "$AIA_BASE_URL" ]]; then
+ echo "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"
+ fi
+
 return 0
 fi
@@ -124,6 +141,7 @@ function make_ca() {
 -noenc \
 -subj "/CN=${CA_NAME}" \
 -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
+ ${AIA_BASE_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_BASE_URL}/ca_cert.crt"} \
 | openssl x509 \
 -req \
 -CA "$CA_DIR/$ROOT_CA_CERT" \
@@ -140,6 +158,10 @@ function make_ca() {
 # Make a "hash" symlink for the issuing CA certificate to allow OpenSSL to find it when verifying other certificates
 make_hash_link "$CA_DIR/${CA_CERT}"
+ if [[ -n "$AIA_BASE_URL" ]]; then
+ echo "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"
+ fi
+
 return 0
 }
@@ -204,6 +226,12 @@ function make_cert() {
 CA_DIR="${CA_DIR:-$CERT_DIR}"
+ local AIA_BASE_URL_FILE="$CA_DIR/aia_base_url.txt"
+ local AIA_URL=""
+ if [[ -f "$AIA_BASE_URL_FILE" ]]; then
+ AIA_URL="$(cat "$AIA_BASE_URL_FILE")/${CA_FILE_PREFIX}_cert.crt"
+ fi
+
 local CA_CERT="${CA_FILE_PREFIX}_cert.pem"
 local CA_KEY="${CA_FILE_PREFIX}_key.pem"
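Review bot: The new `--aia-base-url` arm only rejects an empty value; anything else is later spliced verbatim into the `authorityInfoAccess=caIssuers;URI:…` string and persisted to `aia_base_url.txt`, so a value containing whitespace, a comma (OpenSSL's separator between access descriptions) or a non-URL scheme produces a malformed extension instead of an error. Add a shape check next to the emptiness check, e.g. `if [[ ! "$2" =~ ^https?://[^[:space:],]+$ ]]; then echo "ERROR: --aia-base-url must be an http(s) URL without spaces or commas." >&2; return 1; fi`, and normalise away a trailing slash with `AIA_BASE_URL="${2%/}"` so the later `${AIA_BASE_URL}/ca_cert.crt` cannot become `…//ca_cert.crt`. The README hunks in this commit do not mention the new option; the `make_ca()` usage list should gain a `--aia-base-url URL` bullet describing where the base URL ends up. make_ca's option loop starts and ends outside this hunk.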
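Review bot: The fallback value read from `$CA_DIR/aia_base_url.txt` bypasses whatever validation the option parser applies and goes straight into the extension string, and `$(cat …)` preserves any internal newlines of a hand-edited file. Resolve both sources first and validate once afterwards, and read the file with the builtin: `AIA_BASE_URL="$(<"$CA_DIR/aia_base_url.txt")"` followed by `AIA_BASE_URL="${AIA_BASE_URL%/}"`. Since the file is only written by the root-CA branch further down, this read appears to matter for the intermediate-CA path only, which I infer from the surrounding context rather than from the hunk itself.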
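Review bot: `echo "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"` uses `echo`, which interprets a value beginning with `-n`/`-e` as an option; use `printf '%s\n' "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"`. The same write appears in the intermediate-CA hunk at `@@ -140,6 +158,10 @@`, where it silently overwrites the root CA's stored base URL if the intermediate was created with a different `--aia-base-url`; certificates issued by the root afterwards would then point at the new base while the root's published copy still lives at the old one. Either refuse to overwrite a file whose content differs (`if [[ -f "$f" && "$(<"$f")" != "$AIA_BASE_URL" ]]; then echo "ERROR: $f already holds a different base URL." >&2; return 1; fi`) or document in the function header that the base URL is CA-directory-wide. The enclosing branch starts outside this hunk.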
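Review bot: The unquoted `${AIA_BASE_URL:+-addext "…"}` expansion depends on bash honouring the inner double quotes inside the `:+` word; it works in bash but trips ShellCheck SC2086 and is easy to break in a later edit. Collect the optional extension in an array instead, e.g. `local -a aia_ext=()`, `[[ -n "$AIA_BASE_URL" ]] && aia_ext=(-addext "authorityInfoAccess=caIssuers;URI:${AIA_BASE_URL}/ca_cert.crt")`, then pass `"${aia_ext[@]}"` on the `openssl req` line; the same applies to the `make_cert` hunk at `@@ -271,6 +299,7 @@`. Note also that the URI points at `ca_cert.crt` while the script writes `ca_cert.pem`: per RFC 5280 §4.2.2.1 an HTTP caIssuers location must serve a DER-encoded certificate (or a certs-only CMS message), and nothing in this patch exports that file, so a comment such as `# caIssuers URI must serve the DER form, e.g. openssl x509 -in ca_cert.pem -outform DER -out ca_cert.crt` would spare the next user a failed chain build. The `openssl req` pipeline starts and ends outside this hunk.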
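Review bot: An empty or whitespace-only `aia_base_url.txt` yields `AIA_URL=/ca_cert.crt`, which is non-empty, so the `${AIA_URL:+…}` guard in the later `make_cert` hunk still emits `authorityInfoAccess=caIssuers;URI:/ca_cert.crt` — an invalid access location in every leaf certificate. Read the base URL into its own variable, test it for emptiness after stripping whitespace, and only then compose the URI; this also lets a trailing slash in the stored value be stripped before `/${CA_FILE_PREFIX}_cert.crt` is appended. make_cert's body continues outside this hunk.
```shell
CA_DIR="${CA_DIR:-$CERT_DIR}"

# Optional AIA caIssuers base URL persisted by make_ca; a missing or blank file means no extension
local AIA_BASE_URL_FILE="$CA_DIR/aia_base_url.txt"
local AIA_BASE_URL="" AIA_URL=""
if [[ -f "$AIA_BASE_URL_FILE" ]]; then
    AIA_BASE_URL="$(<"$AIA_BASE_URL_FILE")"
fi
if [[ -n "${AIA_BASE_URL//[[:space:]]/}" ]]; then
    AIA_URL="${AIA_BASE_URL%/}/${CA_FILE_PREFIX}_cert.crt"
fi
# … unchanged: CA_CERT / CA_KEY locals …
```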
@@ -271,6 +299,7 @@ function make_cert() {
 -addext "keyUsage=digitalSignature,keyEncipherment" \
 -addext "extendedKeyUsage=serverAuth,clientAuth" \
 -addext "$SANS_EXT" \
+ ${AIA_URL:+-addext "authorityInfoAccess=caIssuers;URI:${AIA_URL}"} \
 | openssl x509 \
 -req \
 -CA "$CA_DIR/$CA_CERT" \
@@ -401,3 +430,4 @@ function make_pfx() {
 return 0
 }
+