From 667c2b8c62af59bd9eb5d4976ed949e92dac2523 Mon Sep 17 00:00:00 2001
From: Nik Mitev
Date: Thu, 15 Feb 2024 12:26:31 +0000
Subject: [PATCH] easyrsa modified and working
---
 easyrsa3/easyrsa | 5 +++++
 easyrsa3/openssl-easyrsa.cnf | 9 +++++----
 easyrsa3/x509-types/COMMON | 5 +++--
 easyrsa3/x509-types/ca | 5 +++--
 easyrsa3/x509-types/client | 10 +++++++---
 easyrsa3/x509-types/ocsp | 8 ++++++++
 6 files changed, 31 insertions(+), 11 deletions(-)
 create mode 100644 easyrsa3/x509-types/ocsp
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index c26d21c..215574d 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3807,6 +3807,7 @@ Run easyrsa without commands for usage and command help."
 cipher=-aes256
 want_ca=1
 want_key=1
+ legacy=""
 unset -v nokeys friendly_name
 while [ "$1" ]; do
 case "$1" in
@@ -3826,6 +3827,9 @@ Run easyrsa without commands for usage and command help."
 usefn)
 friendly_name="$file_name_base"
 ;;
+ legacy)
+ legacy=-legacy
+ ;;
 *) warn "Ignoring unknown command option: '$1'"
 esac
 shift
@@ -3941,6 +3945,7 @@ Missing User Certificate, expected at:
 # export the p12:
 easyrsa_openssl pkcs12 -export \
+ ${legacy} \
 -in "$crt_in" \
 -out "$pkcs_out" \
 ${nokeys} \
diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index 391bcff..f3462ea 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@@ -16,6 +16,7 @@ new_certs_dir = $dir/certs_by_serial # default place for new certs.
 certificate = $dir/ca.crt # The CA certificate
 serial = $dir/serial # The current serial number
 crl = $dir/crl.pem # The current CRL
+crlnumber = $dir/crlnumber
 private_key = $dir/private/ca.key # The private key
 RANDFILE = $dir/.rand # private random number file
@@ -116,7 +117,7 @@ serialNumber_default = $ENV::EASYRSA_REQ_SERIAL
 [ basic_exts ]
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 # The Easy-RSA CA extensions
 [ easyrsa_ca ]
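Review bot: The new `legacy)` case in the export-p12 option parser passes `-legacy` to `openssl pkcs12 -export` (third hunk) with no comment on what it trades away: on OpenSSL 3.x `-legacy` loads the legacy provider and switches the PKCS#12 protection from the AES-256/PBKDF2 defaults back to RC2-40/3DES with a SHA-1 MAC, and OpenSSL 1.1's `pkcs12` does not know the option at all, so the export fails there with an unknown-option error. Both facts belong next to the case label, e.g. `legacy) # OpenSSL 3.x only: weak RC2/3DES PKCS#12 for importers that cannot read the AES default`, and the option needs an entry in the export-p12 help text, which is not in these hunks. The first hunk only initialises `legacy=""` and is covered by the same comment; the enclosing export function starts and ends outside all three hunks.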
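Review bot: `crlnumber = $dir/crlnumber` makes `openssl ca -gencrl` load a CRL-number file that nothing in this patch creates; `openssl ca` aborts with an error while loading the CRL number when that file is missing, so an existing PKI breaks on its next `gen-crl` unless the easyrsa script seeds `$dir/crlnumber` the way it seeds `serial` (that code is not in the shown hunks, so it may be handled elsewhere). Keeping a monotonic CRL Number extension is the right direction, but add the seeding step or a comment naming who creates the file, and give the line the trailing comment its neighbours have, e.g. `crlnumber = $dir/crlnumber # The current CRL number; must exist, seed with 01`.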
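Review bot: `authorityKeyIdentifier = keyid:always` in `[ basic_exts ]` turns a CA certificate without a subjectKeyIdentifier into a hard issuance failure, because `always` makes a failed keyid copy an error, whereas the replaced `keyid,issuer:always` silently fell back to issuer name and serial. CAs built with this config always get `subjectKeyIdentifier=hash`, so this only bites with an imported or externally issued CA, but that assumption should be written down to avoid a confusing failure, e.g. `# keyid:always requires the signing CA cert to carry a subjectKeyIdentifier`.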
@@ -124,15 +125,15 @@ authorityKeyIdentifier = keyid,issuer:always
 # PKIX recommendations:
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 # This could be marked critical, but it's nice to support reading by any
 # broken clients who attempt to do so.
-basicConstraints = CA:true
+basicConstraints = critical, CA:true
 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.
-keyUsage = cRLSign, keyCertSign
+keyUsage = critical, cRLSign, keyCertSign
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA
diff --git a/easyrsa3/x509-types/COMMON b/easyrsa3/x509-types/COMMON
index a9867db..53ca8f4 100644
--- a/easyrsa3/x509-types/COMMON
+++ b/easyrsa3/x509-types/COMMON
@@ -4,9 +4,10 @@
 # It could be used to add values every cert should have, such as a CDP as
 # demonstrated in the following example:
-#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl
+crlDistributionPoints = URI:http://localhost:5858/pki/ca.crl
+
 # The authority information access extension gives details about how to access
 # certain information relating to the CA.
-#authorityInfoAccess = caIssuers;URI:http://example.net/pki/my_ca.crt
+#authorityInfoAccess = caIssuers;URI:http://localhost:5858/pki/ca.crt
diff --git a/easyrsa3/x509-types/ca b/easyrsa3/x509-types/ca
index 0eeeb20..766b41d 100644
--- a/easyrsa3/x509-types/ca
+++ b/easyrsa3/x509-types/ca
@@ -6,7 +6,8 @@
 #
 # basicConstraints = CA:TRUE, pathlen:1
-basicConstraints = CA:TRUE
+#basicConstraints = CA:TRUE
+basicConstraints = critical, CA:TRUE, pathlen:0
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
-keyUsage = cRLSign, keyCertSign
+keyUsage = critical, cRLSign, keyCertSign
diff --git a/easyrsa3/x509-types/client b/easyrsa3/x509-types/client
index aed0065..17bd474 100644
--- a/easyrsa3/x509-types/client
+++ b/easyrsa3/x509-types/client
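Review bot: The comment kept above `basicConstraints = critical, CA:true` still says the extension "could be marked critical" to stay readable by broken clients, so it now contradicts the line it documents; replace it with the reason for the change, e.g. `# Critical: RFC 5280 4.2.1.9 requires CA certificates to mark basicConstraints critical.` The keyUsage comment two lines further down has the same problem, as it still only explains when to comment the line out and says nothing about the new critical flag. This section also ships no pathlen while the `ca` x509-type on the same page now pins `pathlen:0`; if that asymmetry (root unconstrained, every sub-CA leaf-only) is intended, one sentence here saying so would save the next reader a search.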
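Review bot: `crlDistributionPoints = URI:http://localhost:5858/pki/ca.crl` ends up in every certificate this PKI issues, because COMMON is appended to all x509-types, and a loopback URL is meaningless on any relying party other than the issuing host: clients that enforce CDP checks will fail revocation lookup, and the value cannot be corrected afterwards without reissuing every certificate. This config already reads deployment values through `$ENV::EASYRSA_REQ_SERIAL`, so the URL should either come from an environment variable that easyrsa exports with a default (name to be chosen, e.g. a new `EASYRSA_CRL_URL`; openssl aborts when a referenced `$ENV::` variable is unset) or stay commented out as the example it was. The rewritten `#authorityInfoAccess` line below should point at the same real host once one exists, rather than a second hard-coded localhost address.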
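Review bot: `basicConstraints = critical, CA:TRUE, pathlen:0` now pins every sub-CA signed via the `ca` type to leaf issuance only, which is a real policy change, while the example comment `# basicConstraints = CA:TRUE, pathlen:1` directly above still advertises the looser shape. This type also keeps `authorityKeyIdentifier = keyid:always,issuer:always` while `[ basic_exts ]`, `[ easyrsa_ca ]`, `client` and the new `ocsp` all move to `keyid:always`, so sub-CA certificates alone still carry issuer name and serial in the AKI; if that is deliberate it needs a comment, otherwise align it. Drop the commented-out `#basicConstraints = CA:TRUE` line (git already remembers it) and state the policy instead, e.g. `# pathlen:0 - sub-CAs may issue end-entity certs only; raise this for a deeper hierarchy`.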
@@ -1,7 +1,11 @@
 # X509 extensions for a client
-basicConstraints = CA:FALSE
+#basicConstraints = CA:FALSE
+basicConstraints = critical, CA:FALSE
 subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
+#authorityKeyIdentifier = keyid,issuer:always
+authorityKeyIdentifier = keyid:always
 extendedKeyUsage = clientAuth
-keyUsage = digitalSignature
+keyUsage = critical, digitalSignature
+#keyUsage = digitalSignature
+#certificatePolicies = ia5org,@cpStandard
diff --git a/easyrsa3/x509-types/ocsp b/easyrsa3/x509-types/ocsp
new file mode 100644
index 0000000..fcb8a8e
--- /dev/null
+++ b/easyrsa3/x509-types/ocsp
@@ -0,0 +1,8 @@
+# X509 extensions for an OCSP Responder
+basicConstraints = critical, CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = critical, OCSPSigning
+keyUsage = critical, digitalSignature
+certificatePolicies = ia5org
+noCheck = ignored
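Review bot: The commented-out `#certificatePolicies = ia5org,@cpStandard` refers to a `cpStandard` section that no file on this page defines, so anyone who uncomments it will get an openssl error about an unknown section; either add the section or drop the line. The three commented-out previous values (`#basicConstraints`, `#authorityKeyIdentifier`, `#keyUsage`) are dead config that git already records, and removing them keeps the type file readable. If the policies line is meant as a template, mark it as one: `# Example only: needs a [cpStandard] section defining the policy OID and CPS URI`.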
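Review bot: `noCheck = ignored` tells relying parties to skip revocation checking of the responder certificate itself, so a compromised responder key cannot be withdrawn for as long as that certificate is valid; the file should say so and responder certificates should be issued with a short lifetime (easyrsa's `EASYRSA_CERT_EXPIRE` at issue time), e.g. `# noCheck: clients do not revocation-check this cert, so keep its validity short and reissue often`. `certificatePolicies = ia5org` names no policy OID; `ia5org` only changes how policy qualifier text is encoded, so as written this line appears to yield an empty certificatePolicies extension, which RFC 5280 does not allow — confirm with `openssl x509 -text` on an issued responder certificate and either add an OID or remove the line. Making `extendedKeyUsage` critical is appropriate for a responder, and the comment header could state that the responder must be issued by the same CA whose certificates it answers for.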