Expand 'show-renew' to include certs which have been renewed the old way.
These are stored in 'renewed/certs_by_serial' and require 'rewind-renew'
before they can be revoked.
Also, introduce option '-v|--verbose' to make all status reports (only)
more verbose.
In this particular use case, verbose message detail expected serialNumber
mismatches, which can then be verified. The previous code returned without
an error, even though the test suggests that an error had occurred.
This verbosity for reports helps to verify that the report is correct.
Manually tested on a PKI with a mix of v1/v2 style renews.
Closes: #699
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Since EasyRSA version 3.1 there is a NEW insert-marker for X509 type 'ca'.
* New insert-marker: '^#%CA_X509_TYPES_EXTRA_EXTS%' [BRE]
This is only required to build a new CA or Sub-CA. However, without this
check, an old version of openssl-easyrsa.cnf will silently FAIL to include
the X509 types for 'ca' and 'COMMON', when building a new CA.
EasyRSA 'init-pki soft' does leave 'openssl-easyrsa.cnf' in place, which
means that this is a known possible failure.
For consistency, check for All EasyRSA insert-markers, when used.
* Standard insert-markers: '^#%EXTRA_EXTS%' and '^#%COPY_EXTS%' [BRE]
Tested manually.
Closes: #693
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
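As an added illustration of the marker check described in this commit (example shell, not EasyRSA's own code), the function below greps a config for the three insert-markers as BREs and reports which are absent; the two sample config fragments are constructed here and are not real openssl-easyrsa.cnf files.

```shell
#!/bin/sh
# Added example, not EasyRSA's own code: verify that an openssl-easyrsa.cnf
# still carries the insert-markers the easyrsa script expands. The markers
# are searched as BREs (grep's default), exactly as the commit lists them.

# Markers named in the commit. The CA marker is only needed for build-ca.
EASYRSA_COMMON_MARKERS='^#%EXTRA_EXTS% ^#%COPY_EXTS%'
EASYRSA_CA_MARKER='^#%CA_X509_TYPES_EXTRA_EXTS%'

# missing_markers CFG [ca]: print each marker absent from CFG, one per line.
# Pass "ca" as the second argument when building a CA or Sub-CA.
missing_markers() {
  cfg=$1; need=$EASYRSA_COMMON_MARKERS
  [ "${2:-}" = ca ] && need="$need $EASYRSA_CA_MARKER"
  for m in $need; do
    grep -q -- "$m" "$cfg" || echo "$m"
  done
}

# count_missing CFG [ca]: number of absent markers; 0 means the file is usable
# for that operation, anything else would make the old file silently fail.
count_missing() {
  missing_markers "$1" "${2:-}" | wc -l | tr -d ' '
}

# Constructed sample fragments: "old.cnf" is a pre-3.1 file lacking the CA
# marker, "new.cnf" carries all three. Real files hold full OpenSSL sections.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '[ easyrsa_ca ]' '#%EXTRA_EXTS%' '#%COPY_EXTS%' \
  > "$SAMPLE_DIR/old.cnf"
printf '%s\n' '[ easyrsa_ca ]' '#%EXTRA_EXTS%' '#%COPY_EXTS%' \
  '#%CA_X509_TYPES_EXTRA_EXTS%' > "$SAMPLE_DIR/new.cnf"

# Usage: the old file is fine for ordinary signing but not for build-ca.
echo "old.cnf, sign-req: $(count_missing "$SAMPLE_DIR/old.cnf") missing"
echo "old.cnf, build-ca: $(count_missing "$SAMPLE_DIR/old.cnf" ca) missing"
echo "new.cnf, build-ca: $(count_missing "$SAMPLE_DIR/new.cnf" ca) missing"
```

The sample directory is left in place under $SAMPLE_DIR so the results can be inspected; remove it when done.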
Document the various EasyRSA version differences of renewal and revocation.
Closes: #626
Author's comment:
It has taken good luck, hard work and co-operation to save
EasyRSA "renewal and revocation".
I am pleased to have provided the solution presented here.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The old 'renew' always created a new private key at the CA signing side.
This forces the entity private key to be exposed, unnecessarily.
Only certificates expire, therefore, only certificates can be renewed.
For those reasons, the old 'renew' has been renamed to 'rebuild'.
The new 'renew' creates a new certificate only from the existing CSR.
The existing CSR will always exist, allowing a certificate to be renewed
indefinitely.
Both 'rebuild' and 'renew' use the renewed/ folders to temporarily store
the old certificate, where it can be revoked with 'revoke-renewed' command.
Manually tested.
Closes: #684
Notes:
* renew version 1 did not have a command to revoke old certificates.
* renew version 2 allowed old certificates to be revoked via command
'revoke-renewed'.
* renew version 3 only renews the certificate.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The extensions temp-file is part of the session temp-dir and is otherwise
removed by cleanup() on successful completion.
Part-of: #667
Closes: #676
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Due to my previous misunderstanding of the intended use of --req-cn,
it is no longer possible to set commonName for command gen-req.
Ref: #524 #456
This commit restores v30x series behavior:
* --req-cn can only be used in batch mode.
* --req-cn can only be used by commands build-ca and gen-req.
* SSL layer prompts are restored to original behavior.
Important: The use of internal batch mode is no longer required
for command sign_req(), when called by build_full(). This code
has been disabled but remains in place. This is a considerable
change under the hood but there is no user observable difference.
Also, minor improvements to help and EasyRSA-Advanced.md
Tested manually and thoroughly.
Closes: #668
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Option alias '--days=NUMBER' can now be used for all other options which
indicate a validity period.
* Option: --days
This global option is an alias for one of the following:
* Expiry days for a new CA.
eg: '--days=3650 build-ca'
* Expiry days for new/renewed certificate.
eg: '--days=1095 renew server'
* Expiry days for certificate revocation list.
eg: '--days=180 gen-crl'
* Cutoff days for commands: show-expire or renewable.
eg: '--days=90 show-expire'
The alias '--days' is now ONLY applied to the variable which requires it.
eg: If building a certificate then the appropriate variable for that type
is set. The other possible uses are not set by the same use.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
--keep-tmp=NAME : Keep the original temporary session by name: NAME
NAME is a sub-directory of the dir declared by --tmp-dir
This option ALWAYS over-writes a sub-dir of the same name.
Closes: #610
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>