diff --git a/README.md b/README.md
index c064076..6b03d03 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign -certificates, including sub-CAs and certificate revocation lists (CRL). +certificates, including intermediate CAs and certificate revocation lists (CRL). # Downloads
diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md
index bece589..d866e20 100644
--- a/doc/EasyRSA-Readme.md
+++ b/doc/EasyRSA-Readme.md
@@ -191,7 +191,9 @@ Using Easy-RSA as a CA * client - A TLS client, suitable for a VPN user or web browser (web client) * server - A TLS server, suitable for a VPN or web server - * ca - A subordinate CA, used when chaining multiple CAs together + * ca - A intermediate CA, used when chaining multiple CAs together + + ./easyrsa sign-req nameOfRequest Additional types of certs may be defined by local sites as needed; see the advanced documentation for details.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index e6e243d..c6eedb0 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -74,7 +74,8 @@ cmd_help() { Creates a new CA" opts=" nopass - do not encrypt the CA key (default is encrypted) - subca - create a sub-CA keypair and request (default is a root CA)" ;; + subca - create an intermediate CA keypair and request (default is a root CA) + intca - alias to the above" ;; gen-dh) text=" gen-dh Generates DH (Diffie-Hellman) parameters" ;;
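Review bot: In the cmd_help hunk of easyrsa3/easyrsa, the added help line `intca - alias to the above` does not name what it aliases, so it stops making sense if the entries are reordered or quoted on their own; `intca - alias for subca` is self-contained. The option name `subca` stays while its description now says "intermediate CA", so the help mixes both terms; if the old spelling is kept for compatibility (presumably the case), saying so in the help text would explain the mix. The cmd_help case statement starts before and continues past this hunk.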
@@ -228,7 +229,7 @@ Certificate & Request options: (these impact cert/req field values) --dn-mode=MODE : DN mode to use (cn_only or org) --keysize=# : size in bits of keypair to generate --req-cn=NAME : default CN to use ---subca-len=# : path length of signed sub-CA certs; must be >= 0 if used +--subca-len=# : path length of signed intermediate CA certs; must be >= 0 if used --subject-alt-name : Add a subjectAltName. For more info and syntax, see: ./easyrsa help altname --use-algo=ALG : crypto alg to use: choose rsa (default) or ec
@@ -567,6 +568,7 @@ build_ca() { crypto="-aes256" while [ -n "$1" ]; do case "$1" in + intca) sub_ca=1 ;; subca) sub_ca=1 ;; nopass) nopass=1 ;; *) warn "Ignoring unknown command option: '$1'" ;;
@@ -577,7 +579,7 @@ build_ca() { verify_pki_init [ "$EASYRSA_ALGO" = "ec" ] && verify_curve - # setup for the simpler sub-CA situation and overwrite with root-CA if needed: + # setup for the simpler intermediate CA situation and overwrite with root-CA if needed: out_file="$EASYRSA_PKI/reqs/ca.req" out_key="$EASYRSA_PKI/private/ca.key" if [ ! $sub_ca ]; then
@@ -591,7 +593,7 @@ build_ca() { Unable to create a CA as you already seem to have one set up. If you intended to start a new CA, run init-pki first." fi - # If a private key exists here, a sub-ca was created but not signed. + # If a private key exists here, a intermediate ca was created but not signed. # Notify the user and require a signed ca.crt or a init-pki: [ -f "$out_key" ] && \ die "\
@@ -670,7 +672,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first." # Success messages if [ $sub_ca ]; then notice "\ -NOTE: Your sub-CA request is at $out_file +NOTE: Your intermediate CA request is at $out_file and now must be sent to your parent CA for signing. Place your resulting cert at $EASYRSA_PKI/ca.crt prior to signing operations. "
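Review bot: In the build_ca hunk at -567, the new `intca) sub_ca=1 ;;` arm repeats the body of the `subca` arm right below it; a single arm, `intca|subca) sub_ca=1 ;;`, keeps the two spellings in step. With two accepted spellings the `*)` arm matters more: it only warns, so a mistyped option is ignored and, judging by the `if [ ! $sub_ca ]` test visible in the following hunk, the run takes the root-CA path instead of producing a signing request. It may be worth making that arm call `die` so that a typo never leads to generating an unintended root CA key. build_ca begins before this hunk and continues after it.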