slawek/simple-ca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
simple-ca/README.md
Slawomir Koszewski 677e9add5b
All checks were successful
/ test (push) Successful in 13s
Details
Update: add AIA URL support in make_ca and make_cert functions
2026-03-05 07:14:37 +01:00

3.3 KiB
Raw Permalink Blame History

Simple CA

test

simple-ca.sh is a Bash script that provides functions for creating and managing a simple Certificate Authority (CA) and generating certificates. It can create a single or two-level CA hierarchy, and generate client-server TLS certificates. The script is designed to be simple and easy to use, making it suitable for testing and development purposes, where a self-signed certificate is not sufficient.

All certificates generated by this script have a random serial number.

Functions

make_ca()

This function creates a root CA certificate and private key. It can optionally create an intermediate CA certificate and private key, which is signed by the root CA. The function takes several parameters to customize the CA creation process, such as the CA name, validity period, and whether to create an intermediate CA.

Usage:

make_ca  [--days <validity_days>] [--issuing-ca <name>] <ca_directory> <ca_name>
  • <ca_directory>: The directory where the CA files will be stored.
  • <ca_name>: The name of the CA.
  • --days <validity_days>: Optional. The number of days the CA certificate will be valid. Default is 3650 days (10 years).
  • --issuing-ca <name>: Optional. If specified, creates an intermediate CA with <ca_name> as the intermediate CA name and using as certificate and key file prefix for the issuing CA (instead of root's ca).

It also creates a hash link symbolic link for the CA certificate, which is required by OpenSSL when using the verify command with -CApath option.

make_cert()

This function generates a certificate and private key with TLS Web Server Authentication and Client Authentication EKUs. The certificate is signed by the specified CA (either root or intermediate).

Usage:

make_cert --ca-dir <ca_directory> [--days <validity_days>] [--issuing-ca <name>] <cert_directory> <subject_name>
  • <ca_directory>: The directory where the CA files are stored (used to find the CA certificate and key for signing).
  • <cert_directory>: The directory where the generated certificate and key will be stored.
  • <subject_name>: The subject name (Common Name) for the certificate.
  • --days <validity_days>: Optional. The number of days the certificate will be valid. Default is 365 days.
  • --issuing-ca <name>: Optional. If specified, uses the CA with the key <name>_key.pem and certificate <name>_cert.pem for signing instead of the root CA.

make_pfx()

This function creates a PKCS#12 (PFX) file containing the certificate, private key, and CA certificate chain. This is useful for importing the certificate into applications that require a PFX file.

Usage:

make_pfx --ca-dir <ca_directory> [--issuing-ca <file_prefix>] --path <pfx_file_path> [--password <pfx_password>]
  • --ca-dir <ca_directory>: The directory where the CA files are stored (used to find the CA certificate for the chain).
  • --issuing-ca <file_prefix>: The file prefix of the issuing CA to include in the chain.
  • --path <pfx_file_path>: The path where the generated PFX file will be saved.
  • --password <pfx_password>: Optional. The custom password to protect the PFX, instead of the default changeit.
Reference in New Issue View Git Blame Copy Permalink