From 7f2936caf9511ecbf614613f9fdb9e73b6454789 Mon Sep 17 00:00:00 2001 From: Olliver Schinagl Date: Fri, 17 May 2019 10:15:46 +0200 Subject: [PATCH 1/2] doc: Add signing example to the readme. While it is documented in the quickstart, it was missing from the readme, which is confusing as all other commands are shown with an example in the document. Signed-off-by: Olliver Schinagl --- doc/EasyRSA-Readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md index bece589..06431e3 100644 --- a/doc/EasyRSA-Readme.md +++ b/doc/EasyRSA-Readme.md @@ -193,6 +193,8 @@ Using Easy-RSA as a CA * server - A TLS server, suitable for a VPN or web server * ca - A subordinate CA, used when chaining multiple CAs together + ./easyrsa sign-req nameOfRequest + Additional types of certs may be defined by local sites as needed; see the advanced documentation for details. From e21ed159a114808051ad3d589beb848cc84565dd Mon Sep 17 00:00:00 2001 From: Olliver Schinagl Date: Fri, 17 May 2019 10:20:00 +0200 Subject: [PATCH 2/2] Use intermediate CA rather than sub CA The term 'sub-ca' seems to be coined and used mostly/only by easyrsa. More commonly, this type of certificate is called an intermediate CA [0]. The term sub-ca, while logical, is actually a Microsoft CA term [1]. The command itself remains the same for now, as it is shorter/easier to type. [0] https://en.wikipedia.org/w/index.php?title=Intermediate_certificate_authorities [1] https://en.wikipedia.org/wiki/Public_key_infrastructure Signed-off-by: Olliver Schinagl --- README.md | 2 +- doc/EasyRSA-Readme.md | 2 +- easyrsa3/easyrsa | 12 +++++++----- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index c064076..6b03d03 100644 --- a/README.md +++ b/README.md
@@ -2,7 +2,7 @@ easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign -certificates, including sub-CAs and certificate revocation lists (CRL). +certificates, including intermediate CAs and certificate revocation lists (CRL). # Downloads diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md index 06431e3..d866e20 100644 --- a/doc/EasyRSA-Readme.md +++ b/doc/EasyRSA-Readme.md @@ -191,7 +191,7 @@ Using Easy-RSA as a CA * client - A TLS client, suitable for a VPN user or web browser (web client) * server - A TLS server, suitable for a VPN or web server - * ca - A subordinate CA, used when chaining multiple CAs together + * ca - A intermediate CA, used when chaining multiple CAs together ./easyrsa sign-req nameOfRequest diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f2ea99a..246c88e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -73,7 +73,8 @@ cmd_help() { Creates a new CA" opts=" nopass - do not encrypt the CA key (default is encrypted) - subca - create a sub-CA keypair and request (default is a root CA)" ;; + subca - create an intermediate CA keypair and request (default is a root CA) + intca - alias to the above" ;; gen-dh) text=" gen-dh Generates DH (Diffie-Hellman) parameters" ;; @@ -221,7 +222,7 @@ Certificate & Request options: (these impact cert/req field values) --dn-mode=MODE : DN mode to use (cn_only or org) --keysize=# : size in bits of keypair to generate --req-cn=NAME : default CN to use ---subca-len=# : path length of signed sub-CA certs; must be >= 0 if used +--subca-len=# : path length of signed intermediate CA certs; must be >= 0 if used --subject-alt-name : Add a subjectAltName. For more info and syntax, see: ./easyrsa help altname --use-algo=ALG : crypto alg to use: choose rsa (default) or ec 
@@ -527,6 +528,7 @@ build_ca() { crypto="-aes256" while [ -n "$1" ]; do case "$1" in + intca) sub_ca=1 ;; subca) sub_ca=1 ;; nopass) nopass=1 ;; *) warn "Ignoring unknown command option: '$1'" ;; @@ -537,7 +539,7 @@ build_ca() { verify_pki_init [ "$EASYRSA_ALGO" = "ec" ] && verify_curve - # setup for the simpler sub-CA situation and overwrite with root-CA if needed: + # setup for the simpler intermediate CA situation and overwrite with root-CA if needed: out_file="$EASYRSA_PKI/reqs/ca.req" out_key="$EASYRSA_PKI/private/ca.key" if [ ! $sub_ca ]; then @@ -551,7 +553,7 @@ build_ca() { Unable to create a CA as you already seem to have one set up. If you intended to start a new CA, run init-pki first." fi - # If a private key exists here, a sub-ca was created but not signed. + # If a private key exists here, a intermediate ca was created but not signed. # Notify the user and require a signed ca.crt or a init-pki: [ -f "$out_key" ] && \ die "\ @@ -630,7 +632,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first." # Success messages if [ $sub_ca ]; then notice "\ -NOTE: Your sub-CA request is at $out_file +NOTE: Your intermediate CA request is at $out_file and now must be sent to your parent CA for signing. Place your resulting cert at $EASYRSA_PKI/ca.crt prior to signing operations. "
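Review bot: the example added in the doc/EasyRSA-Readme.md hunk of PATCH 1/2 (`+ ./easyrsa sign-req nameOfRequest`) is missing the cert type argument: the bullet list it follows (client, server, ca) enumerates the values of sign-req's first positional parameter, and the type comes before the request name. Suggest `./easyrsa sign-req <type> nameOfRequest`, or a concrete `./easyrsa sign-req server nameOfRequest`, plus a one-line lead-in so the command does not sit bare between the type list and the "Additional types of certs may be defined by local sites" paragraph, which still belongs to the type discussion.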
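Review bot: grammar in the doc/EasyRSA-Readme.md hunk of PATCH 2/2: `+ * ca - A intermediate CA, used when chaining multiple CAs together` should read `An intermediate CA`.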
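Review bot: the new help line `+ intca - alias to the above` in the cmd_help hunk (`@@ -73,7 +73,8 @@`) will stop meaning anything once another option is inserted between the two lines; name the option it aliases, e.g. `intca - alias for subca`. Since the commit message keeps the `subca` spelling on purpose, saying explicitly that both are accepted is the only thing that tells a user reading `intca` here that the older name still works.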
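Review bot: in the `@@ -221,7 +222,7 @@` hunk the option keeps its old name (`--subca-len=#`) while its description now says "intermediate CA certs". That matches the decision in the commit message to leave command names alone, but a user who learned the `intca` spelling from build-ca's help will not connect it to `--subca-len`; either mention that the option applies to `subca`/`intca` CAs or accept an `--intca-len` alias alongside it.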
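Review bot: the two case arms in the build_ca() hunk (`@@ -527,6 +528,7 @@`), `+ intca) sub_ca=1 ;;` and the existing `subca) sub_ca=1 ;;`, do the same thing; fold them into one pattern, `intca|subca) sub_ca=1 ;;`, so the alias cannot drift from the original arm if the assignment ever changes.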
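Review bot: the rewritten comment in the `@@ -537,7 +539,7 @@` hunk, `# setup for the simpler intermediate CA situation and overwrite with root-CA if needed:`, has grown well past 80 columns with its indentation; wrap it onto two lines. It also mixes `intermediate CA` with the hyphenated `root-CA` in the same sentence; pick one form.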
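Review bot: grammar in the `@@ -551,7 +553,7 @@` hunk: `+ # If a private key exists here, a intermediate ca was created but not signed.` should be `an intermediate CA`, with the capitalisation the same patch uses in the help text and the `NOTE: Your intermediate CA request is at $out_file` notice.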