From 2bc89f765811a03871ea7f7db2e46acb80f3e797 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 13 Jun 2022 20:32:35 +0100
Subject: [PATCH] DEPRECATE(1) '--req-cn' - Change default certificate 'renew' to 90 days

Option '--renew-days=#', variable $EASYRSA_CERT_RENEW was used to enforce a "grace" period, *outside of which* 'renew' was prohibited. Default: 30 days.

This prohibition is no longer enforced:
* https://github.com/OpenVPN/easy-rsa/issues/593

Option '--renew-days=#' now represents the cut-off date for EasyRSA status report 'show-expire'. This report *only* lists those certificates which will expire within the given $EASYRSA_CERT_RENEW number of days 'from now'. This also affects the command 'renewable'. (Only supports GNU 'date')

Updates to 'help options'.

(1) Official notice of "intention to deprecate" option: '--req-cn'

EasyRSA has *never* supported '--req-cn'.
For "type" server/client 'Build-$type-full' ALWAYS explicitly sets variable EASYRSA_REQ_CN to $2 from the command line. Always overriding the option.
'gen-req' explicitly sets 'EASYRSA_REQ_CN="$1"'. Always overriding ..
'sign-req' explicitly sets 'crt_out="$EASYRSA_PKI/issued/$2.crt"' .. ditto.
'build-ca' requires specific code review to understand. Labeled as: "May have tried but gave up.."

This is *only* a notice of "intention to deprecate".

The main goal of the option '--req-cn' is to achieve a disconnect between certificate 'commonName' versus the 'file-name' of the certificate.
Eg: file-name: mmjd0101.crt | commonName: "mass-murderer John Doe (#0101)"

There is "merit" to this functionality but then .. EasyRSA is Free-OSS.
"If You need this functionality then You should help provide it."

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 58 +++++++++++++++++++++++++-----------------------
 1 file changed, 30 insertions(+), 28 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 1fd110c..b091b4f 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -421,8 +421,8 @@ General options: --silent : Disable all Warnings and Notices --sbatch : Combined --silent and --batch operating mode ---passin=ARG : set -passin ARG for openssl ---passout=ARG : set -passout ARG for openssl +--passin=ARG : set -passin ARG for openssl (eg: pass:xEasyRSAy) +--passout=ARG : set -passout ARG for openssl (eg: pass:xEasyRSAy) --ssl-conf=FILE : define a specific OpenSSL config file for Easy-RSA to use --vars=FILE : define a specific 'vars' file to use for Easy-RSA config 
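Review bot: the `(eg: pass:xEasyRSAy)` example added to the two `+--passin=ARG` / `+--passout=ARG` help lines documents the one passphrase form that is visible to every local user via the process list and is kept in shell history, so the help text should not make it the only example. OpenSSL's `-passin` / `-passout` also accept `file:pathname`, `env:var`, `fd:number` and `stdin`; suggest changing both examples to something like `(eg: file:/path/to/passfile)`, or listing those forms next to `pass:` so the user knows a non-exposing option exists.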
@@ -436,44 +436,46 @@ General options: Certificate & Request options: (these impact cert/req field values) --days=# : sets the signing validity to the specified number of days +--renew-days=# : Number of days grace to search for expiring certificates + Only effects reporting as a cut-off date for the commands + 'renewable' and 'show-expire' (Default: 90 days) +--fix-offset=# : Generate certificate with fixed start and end dates. + Range 1 to 365 + start-date is 01 January 00:00:01 of the current year + plus the --fix-offset=# number of days. + end-date is configured via --days=# (Default: 825 days) --digest=ALG : digest to use in the requests & certificates ---dn-mode=MODE : DN mode to use (cn_only or org) ---keysize=# : size in bits of keypair to generate ---req-cn=NAME : default CN to use ---subca-len=# : path length of signed intermediate CA certs; must be >= 0 if used ---subject-alt-name ---san : Add a subjectAltName. - : For more info and syntax, see: 'easyrsa help altname' +--keysize=# : size in bits of keypair to generate (RSA Only) --use-algo=ALG : crypto alg to use: choose rsa (default), ec or ed --curve=NAME : for elliptic curve, sets the named curve to use + +--subca-len=# : path length of signed intermediate CA certs; must be >= 0 if used --copy-ext : Copy included request X509 extensions (namely subjAltName) +--san|--subject-alt-name + : Add a subjectAltName. 
+ For more info and syntax, see: 'easyrsa help altname' -Organizational DN options: (only used with the 'org' DN mode) - (values may be blank for org DN options) +Distinguished Name mode: ---req-c=CC : country code (2-letters) ---req-st=NAME : State/Province ---req-city=NAME : City/Locality ---req-org=NAME : Organization ---req-email=NAME : Email addresses ---req-ou=NAME : Organizational Unit + --dn-mode=MODE : Distinguished Name mode to use 'cn_only' or 'org' + (Default: 'cn_only') + + --req-cn=NAME : default CN to use (DEPRECATED) + + Distinguished Name Organizational options: (only used with '--dn-mode=org') + --req-c=CC : country code (2-letters) + --req-st=NAME : State/Province + --req-city=NAME : City/Locality + --req-org=NAME : Organization + --req-email=NAME : Email addresses + --req-ou=NAME : Organizational Unit Deprecated features: --ns-cert=YES/NO : yes or no to including deprecated NS extensions --ns-comment=COMMENT : NS comment to include (value may be blank) " - -: << OLD_OPTS ---renew-days=# : Number of days grace period before allowing renewal ---fix-offset=# : Generate certificate with fixed start and end dates. - : Range 1 to 365 - : start date: 01 January 00:00:00 of the current year - : end date: off-set days 01:00:00 of the final year - : Final year is configured via --days (Default: 825 days, 2 years) -OLD_OPTS - } # => opt_usage() # Wrapper around printf - clobber print since it's not POSIX anyway @@ -3708,7 +3710,7 @@ Move your vars file to your PKI folder, where it is safe!" set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams" set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 825 # new default of 36 months - set_var EASYRSA_CERT_RENEW 30 + set_var EASYRSA_CERT_RENEW 90 set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_NS_SUPPORT no set_var EASYRSA_NS_COMMENT "Easy-RSA (~VER~) Generated Certificate"
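Review bot: in the `--renew-days=#` lines added to the option help, the first line still calls the value 'Number of days grace', which is exactly the old meaning the commit message says is no longer enforced; since the value is now only a cut-off for the `renewable` and `show-expire` reports, reword it to say so (e.g. 'Number of days, from now, within which expiring certificates are listed') and change 'Only effects reporting' to 'Only affects reporting'. The added `--fix-offset=#` text gives the start date as `00:00:01` while the removed OLD_OPTS block said `00:00:00`; confirm which one the code actually emits before the help text commits to it. Minor: `--req-cn=NAME` is labelled `(DEPRECATED)` although the commit message calls this only a notice of intention to deprecate; if the option still works, 'to be deprecated' is the accurate wording.

Review bot: `set_var EASYRSA_CERT_RENEW 90` changes the default at the same time as the variable's meaning changes (from a grace period that blocked `renew` to a reporting cut-off), yet the diffstat shows only `easyrsa3/easyrsa` is touched, so any documentation or vars file describing the old semantics is left behind: an existing `set_var EASYRSA_CERT_RENEW 30` in a user's vars file silently turns from 'refuse renewal earlier than 30 days before expiry' into 'list certificates expiring within 30 days'. Suggest updating the variable's documentation in the same change, and, since the commit message notes the date arithmetic only supports GNU `date`, making `show-expire` and `renewable` fail with a clear message on a non-GNU `date` rather than return an empty or wrong report.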