AIA CA Issuers
The Authority Information Access (AIA) CA Issuers extension allows clients to download intermediate CA certificates for chain building during TLS verification.
When clients validate a TLS server certificate, they need the complete certificate chain from the end-entity certificate up to a trusted root. The AIA CA Issuers extension provides a URL where the issuing CA's certificate can be downloaded automatically.
- Client receives a server certificate during TLS handshake
- Client reads the AIA CA Issuers URL from the certificate
- Client downloads the intermediate CA certificate from that URL
- Client builds the full chain and validates trust
```
Authority Information Access:
    OCSP - URI:http://your-server:8080/ocsp
    CA Issuers - URI:http://your-server:8080/ca/{ca_refid}.cer
```
Both OCSP and CA Issuers are part of the same AIA extension (OID 1.3.6.1.5.5.7.1.1).
- Navigate to CRL/OCSP page in the sidebar
- Select a CA from the table
- In the detail panel, find the AIA CA Issuers section
- Toggle Enable AIA CA Issuers to ON
- The URL is auto-generated — copy it with the clipboard button
- All new certificates issued by this CA will include the AIA CA Issuers extension
```bash
# Check current status
curl -s https://your-server:8443/api/v2/cas/{ca_id} | jq '.data.aia_ca_issuers_enabled'

# Enable
curl -X PUT https://your-server:8443/api/v2/cas/{ca_id} \
  -H 'Content-Type: application/json' \
  -d '{"aia_ca_issuers_enabled": true}'
```
⚠️ Note: Enabling AIA CA Issuers only affects newly issued certificates. Existing certificates must be reissued to include the extension.
UCM serves CA certificates via public endpoints (no authentication required):

`GET /ca/{ca_refid}.cer`
- Content-Type: `application/pkix-cert`
- Cache-Control: `public, max-age=86400`
- Preferred format for the AIA extension

```bash
curl http://your-server:8080/ca/550e8400-e29b-41d4-a716-446655440000.cer -o ca.cer
openssl x509 -in ca.cer -inform DER -text -noout
```

`GET /ca/{ca_refid}.pem`
- Content-Type: `application/x-pem-file`
- Cache-Control: `public, max-age=86400`

```bash
curl http://your-server:8080/ca/550e8400-e29b-41d4-a716-446655440000.pem -o ca.pem
```

Both endpoints also accept the legacy numeric CA ID:

```bash
curl http://your-server:8080/ca/1.cer
curl http://your-server:8080/ca/1.pem
```

AIA CA Issuers URLs should use HTTP (not HTTPS) to avoid circular TLS dependencies: a client that had to complete a TLS handshake to fetch the issuer certificate would need the very chain it is trying to build. UCM serves these via the HTTP protocol server on port 8080 (the same server used for CDP and OCSP).
```
http://your-server:8080/ca/{ca_refid}.cer   ← Recommended
https://your-server:8443/ca/{ca_refid}.cer  ← Also works
```
See CRL & CDP — HTTP Protocol Server for configuration details.
```bash
openssl x509 -in cert.pem -text -noout | grep -A 5 "Authority Information Access"
```

Expected output:

```
Authority Information Access:
    OCSP - URI:http://your-server:8080/ocsp
    CA Issuers - URI:http://your-server:8080/ca/550e8400-e29b-41d4-a716-446655440000.cer
```

```bash
# Extract CA Issuers URL from certificate
AIA_URL=$(openssl x509 -in cert.pem -text -noout | grep "CA Issuers" | sed 's/.*URI://')

# Download CA certificate (the .cer endpoint serves DER)
curl -o issuer.cer "$AIA_URL"

# Verify chain. OpenSSL 3.x accepts DER for -untrusted; on older releases
# convert first: openssl x509 -in issuer.cer -inform DER -out issuer.pem
openssl verify -CAfile root-ca.pem -untrusted issuer.cer cert.pem
```

| Feature | CDP (CRL) | OCSP | AIA CA Issuers |
|---|---|---|---|
| Purpose | Revocation list | Real-time revocation | CA certificate download |
| RFC | RFC 5280 §4.2.1.13 | RFC 6960 | RFC 5280 §4.2.2.1 |
| Endpoint | `/cdp/{refid}.crl` | `/ocsp` | `/ca/{refid}.cer` |
| Protocol | HTTP recommended | HTTP recommended | HTTP recommended |
| Authentication | None (public) | None (public) | None (public) |
| Content | Revoked serial numbers | Single cert status | CA certificate (DER/PEM) |
💡 Best practice: Enable all three mechanisms on intermediate CAs for maximum client compatibility.
- ✅ Verify firewall allows port 8080 (HTTP protocol server)
- ✅ Test locally: `curl http://localhost:8080/ca/{ca_refid}.cer`
- ✅ Check DNS resolution: `nslookup your-server`
- ✅ In Docker, ensure `-p 8080:8080` is set
- ✅ AIA CA Issuers must be enabled before certificate issuance
- ✅ Existing certificates don't get the AIA extension (reissue required)
- ✅ Verify in CA detail panel: CRL/OCSP → AIA CA Issuers → Enabled
- ✅ Verify the CA has a certificate (`crt` field is not null)
- ✅ Check the endpoint returns the correct content type: `application/pkix-cert`
- ✅ Try PEM format if DER doesn't work: `/ca/{refid}.pem`
Last Updated: 2026-03-26