easyrsa modified and working

easyrsa3/easyrsa

@@ -3807,6 +3807,7 @@ Run easyrsa without commands for usage and command help."
 	cipher=-aes256
 	want_ca=1
 	want_key=1
+	legacy=""
 	unset -v nokeys friendly_name
 	while [ "$1" ]; do
 		case "$1" in
@@ -3826,6 +3827,9 @@ Run easyrsa without commands for usage and command help."
 			usefn)
 				friendly_name="$file_name_base"
 			;;
+			legacy)
+				legacy=-legacy
+			;;
 			*) warn "Ignoring unknown command option: '$1'"
 		esac
 		shift
@@ -3941,6 +3945,7 @@ Missing User Certificate, expected at:
 
 		# export the p12:
 		easyrsa_openssl pkcs12 -export \
+			${legacy} \
 			-in "$crt_in" \
 			-out "$pkcs_out" \
 			${nokeys} \

easyrsa3/openssl-easyrsa.cnf

@@ -16,6 +16,7 @@ new_certs_dir	= $dir/certs_by_serial	# default place for new certs.
 certificate	= $dir/ca.crt		# The CA certificate
 serial		= $dir/serial		# The current serial number
 crl		= $dir/crl.pem		# The current CRL
+crlnumber      = $dir/crlnumber
 private_key	= $dir/private/ca.key	# The private key
 RANDFILE	= $dir/.rand		# private random number file
 
@@ -116,7 +117,7 @@ serialNumber_default	= $ENV::EASYRSA_REQ_SERIAL
 [ basic_exts ]
 basicConstraints	= CA:FALSE
 subjectKeyIdentifier	= hash
-authorityKeyIdentifier	= keyid,issuer:always
+authorityKeyIdentifier	= keyid:always
 
 # The Easy-RSA CA extensions
 [ easyrsa_ca ]
@@ -124,15 +125,15 @@ authorityKeyIdentifier	= keyid,issuer:always
 # PKIX recommendations:
 
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 
 # This could be marked critical, but it's nice to support reading by any
 # broken clients who attempt to do so.
-basicConstraints = CA:true
+basicConstraints = critical, CA:true
 
 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.
-keyUsage = cRLSign, keyCertSign
+keyUsage = critical, cRLSign, keyCertSign
 
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA

easyrsa3/x509-types/COMMON

@@ -4,9 +4,10 @@
 # It could be used to add values every cert should have, such as a CDP as
 # demonstrated in the following example:
 
-#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl
+crlDistributionPoints = URI:http://localhost:5858/pki/ca.crl
+
 
 # The authority information access extension gives details about how to access
 # certain information relating to the CA.
 
-#authorityInfoAccess = caIssuers;URI:http://example.net/pki/my_ca.crt
+#authorityInfoAccess = caIssuers;URI:http://localhost:5858/pki/ca.crt

easyrsa3/x509-types/ca

@@ -6,7 +6,8 @@
 #
 # basicConstraints = CA:TRUE, pathlen:1
 
-basicConstraints = CA:TRUE
+#basicConstraints = CA:TRUE
+basicConstraints = critical, CA:TRUE, pathlen:0
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
-keyUsage = cRLSign, keyCertSign
+keyUsage = critical, cRLSign, keyCertSign

easyrsa3/x509-types/client

@@ -1,7 +1,11 @@
 # X509 extensions for a client
 
-basicConstraints = CA:FALSE
+#basicConstraints = CA:FALSE
+basicConstraints = critical, CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+#authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = clientAuth
-keyUsage = digitalSignature
+keyUsage = critical, digitalSignature
+#keyUsage = digitalSignature
+#certificatePolicies = ia5org,@cpStandard

easyrsa3/x509-types/ocsp

@@ -0,0 +1,8 @@
+# X509 extensions for an OCSP Responder
+basicConstraints = critical, CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = critical, OCSPSigning
+keyUsage = critical, digitalSignature
+certificatePolicies = ia5org
+noCheck = ignored