Update help: Standardise output; Improve code; Reprioritise options

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2022-11-23 21:42:03 +00:00
parent aa9a3d44fa
commit dbe894dec6
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246


@ -57,11 +57,6 @@ Here is the list of commands available with a short syntax reminder. Use the
export-p12 <file_name_base> [ cmd-opts ] export-p12 <file_name_base> [ cmd-opts ]
set-pass <file_name_base> [ cmd-opts ] set-pass <file_name_base> [ cmd-opts ]
upgrade <type> upgrade <type>
Deprecated commands:
set-rsa-pass <file_name_base> [ cmd-opts ]
set-ec-pass <file_name_base> [ cmd-opts ]
set-ed-pass <file_name_base> [ cmd-opts ]
" "
# collect/show dir status: # collect/show dir status:
@ -89,11 +84,11 @@ cmd_help() {
text=" text="
* init-pki [ cmd-opts ] * init-pki [ cmd-opts ]
Removes & re-initializes the PKI dir for a clean PKI" Removes & re-initializes the PKI directory for a new PKI"
opts=" opts="
* hard-reset - Recursively deletes the PKI directory if it exists. * hard - Recursively delete the PKI directory (default).
* soft-reset - Keeps the vars file and the PKI directory itself intact." * soft - Keep the named PKI directory and PKI 'vars' file intact."
;; ;;
build-ca) build-ca)
text=" text="
@ -102,11 +97,11 @@ cmd_help() {
Creates a new CA" Creates a new CA"
opts=" opts="
* nopass - do not encrypt the CA key (default is encrypted) * nopass - Do not encrypt the private key (default is encrypted)
Equivalent to global option '--nopass|--no-pass' (Equivalent to global option '--nopass|--no-pass')
* subca - create an intermediate CA keypair and request * subca - Create an intermediate CA keypair and request
(default is a root CA) (default is a root CA)
* intca - alias to the above" * intca - Alias to the above"
;; ;;
gen-dh) gen-dh)
text=" text="
@ -123,8 +118,8 @@ cmd_help() {
This request is suitable for sending to a remote CA for signing." This request is suitable for sending to a remote CA for signing."
opts=" opts="
* nopass - do not encrypt the private key (default is encrypted) * nopass - Do not encrypt the private key (default is encrypted)
Equivalent to global option '--nopass|--no-pass' (Equivalent to global option '--nopass|--no-pass')
* text - Include certificate text in request" * text - Include certificate text in request"
;; ;;
sign|sign-req) sign|sign-req)
@ -149,9 +144,9 @@ cmd_help() {
This mode uses the <file_name_base> as the X509 CN." This mode uses the <file_name_base> as the X509 CN."
opts=" opts="
* nopass - do not encrypt the private key (default is encrypted) * nopass - Do not encrypt the private key (default is encrypted)
Equivalent to global option '--nopass|--no-pass' (Equivalent to global option '--nopass|--no-pass')
* inline - create an inline credentials file for this node" * inline - Create an inline credentials file for this node"
;; ;;
revoke) revoke)
text=" text="
@ -188,8 +183,8 @@ cmd_help() {
Rebuild a certificate and key specified by <file_name_base>" Rebuild a certificate and key specified by <file_name_base>"
opts=" opts="
* nopass - do not encrypt the private key (default is encrypted) * nopass - Do not encrypt the private key (default is encrypted)
Equivalent to global option '--nopass|--no-pass'" (Equivalent to global option '--nopass|--no-pass')"
;; ;;
renew) renew)
text=" text="
@ -310,10 +305,11 @@ cmd_help() {
specified by <file_name_base>" specified by <file_name_base>"
opts=" opts="
* nopass - use no password and leave the key unencrypted * nopass - Do not encrypt the private key (default is encrypted)
* noca - do not include the ca.crt file in the PKCS12 output (Equivalent to global option '--nopass|--no-pass')
* nokey - do not include the private key in the PKCS12 output * noca - Do not include the ca.crt file in the PKCS12 output
* usefn - use <file_name_base> as friendly name" * nokey - Do not include the private key in the PKCS12 output
* usefn - Use <file_name_base> as friendly name"
;; ;;
export-p7) export-p7)
text=" text="
@ -323,7 +319,7 @@ cmd_help() {
specified by <file_name_base>" specified by <file_name_base>"
opts=" opts="
* noca - do not include the ca.crt file in the PKCS7 output" * noca - Do not include the ca.crt file in the PKCS7 output"
;; ;;
export-p8) export-p8)
text=" text="
@ -333,7 +329,8 @@ cmd_help() {
specified by <file_name_base>" specified by <file_name_base>"
opts=" opts="
* nopass - do not encrypt the private key (default is encrypted)" * nopass - Do not encrypt the private key (default is encrypted)
(Equivalent to global option '--nopass|--no-pass')"
;; ;;
export-p1) export-p1)
text=" text="
@ -343,7 +340,8 @@ cmd_help() {
specified by <file_name_base>" specified by <file_name_base>"
opts=" opts="
* nopass - do not encrypt the private key (default is encrypted)" * nopass - Do not encrypt the private key (default is encrypted)
(Equivalent to global option '--nopass|--no-pass')"
;; ;;
set-pass|set-ed-pass|set-rsa-pass|set-ec-pass) set-pass|set-ed-pass|set-rsa-pass|set-ec-pass)
text=" text="
@ -354,9 +352,9 @@ cmd_help() {
DEPRECATED: 'set-rsa-pass' and 'set-ec-pass'" DEPRECATED: 'set-rsa-pass' and 'set-ec-pass'"
opts=" opts="
* nopass - use no password and leave the key unencrypted * nopass - Do not encrypt the private key (default is encrypted)
(Equivalent to global option '--nopass|--no-pass') (Equivalent to global option '--nopass|--no-pass')
* file - (advanced) treat the file as a raw path, not a short-name" * file - (Advanced) Treat the file as a raw path, not a short-name"
;; ;;
upgrade) upgrade)
text=" text="
@ -430,22 +428,15 @@ cmd_help() {
print "${err_text}${NL}" print "${err_text}${NL}"
else else
# display the help text # display the help text
[ "$text" ] && print "${text}${NL}" [ "$text" ] && print "${text}"
if [ "$text_only" ]; then if [ "$text_only" ]; then
: # ok - No opts message required : # ok - No opts message required
elif [ "$opts" ]; then
print "\
Available command-options (cmd-opts):
$opts
"
else else
print "\ print "
Available command-options (cmd-opts): Available command options [ cmd-opts ]:
${opts:-
* No supported command-options * No supported command options}"
"
fi fi
fi fi
} # => cmd_help() } # => cmd_help()
@ -462,21 +453,26 @@ non-empty values to options are mandatory.
General options: General options:
--version : prints EasyRSA version and build information, then exits --version : Prints EasyRSA version and build information
--batch : set automatic (no-prompts when possible) mode --batch : Set automatic (no-prompts when possible) mode
-s|--silent : Disable all Warnings and Notices --silent|-s : Disable all warnings, notices and information
--sbatch : Combined --silent and --batch operating mode --sbatch : Combined --silent and --batch operating mode
-q|--quiet : Quiet mode, disable information messages only --quiet|-q : Quiet mode, disable information messages only
--nopass : Do not use passwords, over-rides --passin and --passout --no-pass : Do not use passwords
--passin=ARG : set -passin ARG for openssl (eg: pass:xEasyRSAy) Can not be used with --passin or --passout
--passout=ARG : set -passout ARG for openssl (eg: pass:xEasyRSAy) --passin=ARG : Set -passin ARG for openssl (eg: pass:xEasyRSAy)
--ssl-conf=FILE : define a specific OpenSSL config file for Easy-RSA to use --passout=ARG : Set -passout ARG for openssl (eg: pass:xEasyRSAy)
--vars=FILE : define a specific 'vars' file to use for Easy-RSA config --vars=FILE : Define a specific 'vars' file to use for Easy-RSA config
--pki-dir=DIR : declare the PKI directory (Default vars file is in the EasyRSA PKI directory)
--pki-dir=DIR : Declare the PKI directory
(Default PKI directory is sub-directory 'pki')
--ssl-conf=FILE : Define a specific OpenSSL config file for Easy-RSA to use
(Default config file is in the EasyRSA PKI directory)
--tmp-dir=DIR : declare the temporary directory --tmp-dir=DIR : Declare the temporary directory
(Default temporary directory is the EasyRSA PKI directory)
--keep-tmp=NAME : Keep the original temporary session by name: NAME --keep-tmp=NAME : Keep the original temporary session by name: NAME
NAME is a sub-directory of the dir declared by --tmp-dir NAME is a sub-directory of the dir declared by --tmp-dir
This option ALWAYS over-writes a sub-dir of the same name. This option ALWAYS over-writes a sub-dir of the same name.
@ -484,18 +480,17 @@ General options:
Certificate & Request options: (these impact cert/req field values) Certificate & Request options: (these impact cert/req field values)
--no-text : Create certificates without human readable text --no-text : Create certificates without human readable text
--days=# : sets the signing validity to the specified number of days --days=# : Sets the signing validity to the specified number of days
Also applies to renewal period. For details, see: 'help days' Also applies to renewal period. For details, see: 'help days'
--fix-offset=# : Generate certificate with fixed start and end dates. --fix-offset=# : Generate certificate with fixed start and end dates
Range 1 to 365 Start-date is 01 January 00:00:01 of the current year
start-date is 01 January 00:00:01 of the current year plus the --fix-offset=# number of days (Range 1 to 365)
plus the --fix-offset=# number of days.
end-date is configured via --days=# (Default: 825 days) end-date is configured via --days=# (Default: 825 days)
--digest=ALG : digest to use in the requests & certificates --digest=ALG : Digest to use in the requests & certificates
--keysize=# : size in bits of keypair to generate (RSA Only) --keysize=# : Size in bits of keypair to generate (RSA Only)
--use-algo=ALG : crypto alg to use: choose rsa (default), ec or ed --use-algo=ALG : Crypto alg to use: choose rsa (default), ec or ed
--curve=NAME : for elliptic curve, sets the named curve to use --curve=NAME : For elliptic curve, sets the named curve (Default: secp384r1)
--subca-len=# : Path length of signed intermediate CA certificates --subca-len=# : Path length of signed intermediate CA certificates
--copy-ext : Copy included request X509 extensions (namely subjAltName) --copy-ext : Copy included request X509 extensions (namely subjAltName)
@ -510,7 +505,7 @@ Distinguished Name mode:
--req-cn=NAME : Set CSR commonName to NAME. For details, see: 'help req-cn' --req-cn=NAME : Set CSR commonName to NAME. For details, see: 'help req-cn'
Distinguished Name Organizational options: (only used with '--dn-mode=org') Distinguished Name Organizational options: (only used with '--dn-mode=org')
--req-c=CC : country code (2-letters) --req-c=CC : Country code (2-letters)
--req-st=NAME : State/Province --req-st=NAME : State/Province
--req-city=NAME : City/Locality --req-city=NAME : City/Locality
--req-org=NAME : Organization --req-org=NAME : Organization
@ -521,8 +516,7 @@ Distinguished Name mode:
Deprecated features: Deprecated features:
--ns-cert : Include deprecated Netscape extensions --ns-cert : Include deprecated Netscape extensions
--ns-comment=COMMENT : Include deprecated Netscape comment (may be blank) --ns-comment=COMMENT : Include deprecated Netscape comment (may be blank)"
"
} # => opt_usage() } # => opt_usage()
# Wrapper around printf - clobber print since it's not POSIX anyway # Wrapper around printf - clobber print since it's not POSIX anyway
@ -567,8 +561,8 @@ information() {
[ "$EASYRSA_SILENT" ] && return [ "$EASYRSA_SILENT" ] && return
[ "$EASYRSA_BATCH" ] && return [ "$EASYRSA_BATCH" ] && return
[ "$EASYRSA_QUIET" ] && return [ "$EASYRSA_QUIET" ] && return
print "* $1 print "
" * $1"
} # => information() } # => information()
# Verbose status reports # Verbose status reports
@ -734,12 +728,10 @@ Temporary session not preserved."
*) warn "Host OS undefined." *) warn "Host OS undefined."
esac esac
if [ "$1" = ok ] || [ "$EASYRSA_BATCH" ] || \ if [ "$EASYRSA_BATCH" ] || [ "$EASYRSA_SILENT" ]; then
[ "$EASYRSA_SILENT" ] || [ "$EASYRSA_QUIET" ]
then
: # ok : # ok
else else
print # just to get a clean line print # To get a clean line after terminal echo is disabled
fi fi
# Exit with error 1, if an error ocured... # Exit with error 1, if an error ocured...
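Review bot: In the opt_usage() hunk the `--no-pass` entry changes from "over-rides --passin and --passout" to "Can not be used with --passin or --passout", but the option parser is not part of this diff, so the help may now promise a rejection the script does not perform. If the old override behaviour is still what runs, a user who passes `--passout` together with `--no-pass` ends up with an unencrypted private key although the help implies that combination is refused; either keep the "over-rides" wording or land the check with this change. The same entry also drops the `--nopass` spelling, while every per-command `nopass` line in cmd_help() still says `(Equivalent to global option '--nopass|--no-pass')`; listing it as `--no-pass|--nopass : Do not use passwords` would keep the two in step. The `--passin`/`--passout` examples show only the `pass:` form, which puts the passphrase in the process arguments, so mentioning OpenSSL's `file:` and `env:` sources beside it would steer users to a safer default.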