diff --git a/ChangeLog b/ChangeLog
index 4245ad9..ad4e7d0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 Easy-RSA 3 ChangeLog
 
+3.1.6 (2023-10-13)
+ * sign-req: Allow the CSR DN-field order to be preserved (#970)
+
 3.1.5 (2023-06-10)
  * Build Update: script now supports signing and verifying
  * Automate support-file creation (Free packaging) (#964)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 5ca32cf..e6f6646 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -128,7 +128,7 @@ cmd_help() {
 ;;
 sign|sign-req)
 text="
-* sign-req
+* sign-req [ cmd-opts ]
 Sign a certificate request of the defined type. must be a known type, such as: 'client', 'server', 'serverClient', or 'ca' (or a user-added type).
@@ -136,6 +136,8 @@ cmd_help() {
 This request file must exist in the reqs/ dir and have a .req file extension. See import-req below for importing reqs from other sources."
+ opts="
+ * preserve - When signing a request, 'preserve' the DN-field order of the CSR."
 ;;
 build|build-client-full|build-server-full|build-serverClient-full)
 text="
@@ -2243,6 +2245,15 @@ sign_req() {
 Incorrect number of arguments provided to sign-req:
 expected 2, got $# (see command help for usage)"
 
+ # Check for preserve-dn
+ if [ "$3" ]; then
+ case "$3" in
+ preserve*) export EASYRSA_PRESERVE_DN=1 ;;
+ *)
+ warn "Ignoring unknown option '$3'"
+ esac
+ fi
+
 # Cert type must exist under the EASYRSA_EXT_DIR
 [ -e "$EASYRSA_EXT_DIR/$crt_type" ] || warn "\
 Missing X509-type '$crt_type'"
@@ -2512,6 +2523,7 @@ $(display_dn req "$req_in")
 easyrsa_openssl ca -utf8 -batch \
 -in "$req_in" -out "$crt_out_tmp" \
 -extfile "$ext_tmp" \
+ ${EASYRSA_PRESERVE_DN:+ -preserveDN} \
 ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
 ${EASYRSA_NO_TEXT:+ -notext} \
 ${EASYRSA_CERT_EXPIRE:+ -days "$EASYRSA_CERT_EXPIRE"} \
diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index f637147..391bcff 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
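Review bot: The new `opts=` help entry for `preserve` (hunk at cmd_help, line 136) leaves out the one caveat this same commit puts in vars.example — that the setting is only effective in `--dn-mode=org` — and it does not say that the option is passed straight through to `openssl ca -preserveDN`, so an operator reading `easyrsa help sign-req` cannot tell that the CA's normal DN re-ordering is being switched off for that certificate. I would make the line self-contained: `* preserve - Keep the DN-field order of the CSR as submitted (passed to openssl ca as -preserveDN). Only meaningful with --dn-mode=org.` The surrounding cmd_help case statement starts and ends outside the hunk.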
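Review bot: In the new `case "$3"` block in sign_req, an unrecognised third argument only emits `warn "Ignoring unknown option '$3'"` and signing proceeds, so a typo such as `presrve` produces a signed certificate without the requested DN order and nothing but a warning that is easy to miss on a CA host; for a signing command I would abort instead, e.g. `*) die "Unknown sign-req option '$3'"` (using the script's fatal-error helper), leaving `warn` for genuinely non-fatal conditions. The `preserve*)` pattern also accepts any word that merely begins with "preserve" (`preserve-nothing`, `preserved`), which is looser than the single `preserve` option the help text documents; `preserve)` would match exactly. The argument-count check that decides whether `$3` is ever reached sits just above the hunk, so whether it admits a third argument has to be confirmed there; sign_req continues past the hunk.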
@@ -31,6 +31,9 @@ crl_extensions = crl_ext
 default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
 default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL
 default_md = $ENV::EASYRSA_DIGEST # use public key default MD
+
+# Note: preserve=no|yes, does nothing for EasyRSA.
+# Use sign-req command option 'preserve' instead.
 preserve = no # keep passed DN ordering
 
 # This allows to renew certificates which have not been revoked
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 43b3329..bababf1 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -105,6 +105,12 @@ fi
 #set_var EASYRSA_REQ_EMAIL "me@example.net"
 #set_var EASYRSA_REQ_OU "My Organizational Unit"
 
+# Preserve the Distinguished Name field order
+# of the certificate signing request
+# *Only* effective in --dn-mode=org
+#
+#set_var EASYRSA_PRESERVE_DN 1
+
 # Set no password mode - This will create the entire PKI without passwords.
 # This can be better managed by choosing which entity private keys should be
 # encrypted with the following command line options:
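Review bot: The new vars.example comment for `EASYRSA_PRESERVE_DN` shows `1` as the enabling value but does not say that the script tests the variable with `${EASYRSA_PRESERVE_DN:+ -preserveDN}`, i.e. any non-empty value — including `0`, `no` or `false` — switches DN preservation on, and the only way to disable it is to leave the variable unset or empty. Because this silently changes how the CA emits subjects, I would state it in the comment: `# Any non-empty value enables it; leave unset (not "0") to disable.` It would also help to note here that `sign-req ... preserve` enables the same setting per invocation, so the reader knows the two controls are equivalent.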