When signing a request, EasyRSA ALWAYS defaults to the CA-defined
Distinguished Name field order, as defined in the openssl-easyrsa.cnf
configuration file.
In the unlikely event that a CSR is received with a different DN-field
order, that order can be preserved for the signed certificate.
Command 'sign-req' now has a command option 'preserve' for this.
Additional:
Use of 'preserve = yes' in openssl-easyrsa.cnf has no effect for
EasyRSA.
Testing OpenSSL directly indicates that this option may have no effect
when used in the OpenSSL default configuration file, openssl.cnf.
Also, the OpenSSL documentation for command 'ca', option '-preserveDN',
does NOT imply that this option can be used in the configuration file.
None of which is important to EasyRSA because only foreign CSRs can
have a different DN-field order, so default behavior can remain.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit c27825c3bc5dddaeb3749d7a315a77239146ad22
Merge: 02f13f6 93da550
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Tue Oct 25 20:50:44 2022 +0100
Merge branch 'vars-remove-req-cn' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-vars-remove-req-cn
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 93da55003cee29695616d01243aecddcf7954c25
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Oct 21 21:10:08 2022 +0100
vars.example: Minor corrections and formatting
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 9976f3f0d13a73827052f490438b95153a1b7576
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Oct 21 20:57:07 2022 +0100
vars.example: Remove EASYRSA_TEMP_FILE
Closes: #729
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 8a35375f84ab88b6f009e5971ddb7358f6619a03
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Oct 21 20:44:53 2022 +0100
vars.example: Remove EASYRSA_REQ_CN
Closes: #730
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Since the introduction of the 'escape_hazard()' function, all characters
except the backtick (`) are supported.
This patch brings vars.example in line with the warning in easyrsa and
also only warns about backtick.
It is possible that curly brace '{}' may also cause OpenSSL to behave
strangely. However, the strange behaviour, which I previously observed,
may have been rectified by OpenSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The initial idea was to mask the actual certificate creation date.
The reason was to further anonymise user certificates. (YMMV)
There is now a second part to this date "fixing":
* This allows for all certificates to expire on the same day.
Using command option '--fix-offset=nnn', all certificates will be created:
* with a 'notBefore' date of January 1st of the current year.
* with a 'notAfter' date of the day-of-year number from '--fix-offset',
  in the final year, as per EASYRSA_CERT_EXPIRE (default 825 days).
The default 825 days results in 2 years plus the offset given.
This can also be set in the 'vars' file, for convenience.
The default day-of-year offered is 183; either July 2 or 3 (leap year).
Follow-up to: #550 (Replaces 'nodatetime' with '--fix-offset')
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
In 'org' mode, fields such as EASYRSA_REQ_ORG can be abused.
If the field contains single quote ('), ampersand (&), back-tick (`),
dollar sign ($) or hash (#) then the result is undefined.
Due to EasyRSA running on Linux and Windows and supporting multiple
SSL Libraries, it is not feasible to support these characters.
Add a check to determine if any unsupported characters are found in
the vars file and issue a warning if they are found.
Add a sub-shell test to source vars. If the test fails then exit
gracefully, with a specific error message.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
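The two checks described in the commit above, as an added example in POSIX shell that is not easy-rsa's own code: a scan of a 'vars' file for the characters named as unsupported in EASYRSA_REQ_* values (single quote, ampersand, backtick, dollar sign, hash), and a sub-shell source test that refuses a vars file which does not parse, with a specific error message, instead of letting the syntax error abort the calling shell. The set_var stand-in, the function names and the two sample vars files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code: scan a 'vars' file for the
# characters the commit names as unsupported in EASYRSA_REQ_* values
# (single quote, ampersand, backtick, dollar sign, hash), then source
# the file in a sub-shell so a broken vars file cannot kill the caller.

# Stand-in for easyrsa's set_var (assumption: assign unless already set).
set_var() { eval "$1=\"\${$1-\$2}\""; }

# Print every 'set_var EASYRSA_REQ_*' line whose value holds an
# unsupported character. Returns 1 if any were found, else 0.
vars_bad_lines() {
    if grep -E "^[[:space:]]*set_var[[:space:]]+EASYRSA_REQ_[A-Z_]+[[:space:]]+.*['&\`\$#]" "$1"
    then return 1
    fi
    return 0
}

# Source the vars file in a sub-shell; the status is that of the
# sub-shell, so a syntax error (e.g. an unterminated quote) comes back
# as non-zero here instead of aborting the calling shell.
vars_source_test() {
    ( . "$1" ) >/dev/null 2>&1
}

# Combined load: warn on unsupported characters, refuse to continue if
# the file does not source cleanly, then source it for real.
load_vars() {
    file=$1
    if ! vars_bad_lines "$file" >/dev/null; then
        echo "WARNING: unsupported character in an EASYRSA_REQ_* value in $file" >&2
    fi
    if ! vars_source_test "$file"; then
        echo "ERROR: failed to source vars file '$file' (syntax error?)" >&2
        return 1
    fi
    . "$file"
}

# Constructed sample vars files (not from the project), one clean and one
# with an unsupported character plus an unterminated quote.
GOOD_VARS=$(mktemp) && BAD_VARS=$(mktemp) || exit 1
trap 'rm -f "$GOOD_VARS" "$BAD_VARS"' EXIT
cat >"$GOOD_VARS" <<'EOF'
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_ORG     "Copyleft Certificate Co"
EOF
cat >"$BAD_VARS" <<'EOF'
set_var EASYRSA_REQ_ORG     "Bob's Bits & Bobs"
set_var EASYRSA_REQ_EMAIL   "me@example.net
EOF

# Usage: the clean file loads; the broken one is refused with a message.
load_vars "$GOOD_VARS" && echo "loaded: ORG=$EASYRSA_REQ_ORG"
load_vars "$BAD_VARS" || echo "refused: $BAD_VARS"
```

The character scan is deliberately a warning only, as in the commit, because a value such as "Bob's Bits & Bobs" is valid shell when quoted and only becomes a problem later, when it is passed through to the SSL library; the source test is the hard stop, since a file that does not parse cannot be trusted at all.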
Manually managing temp files in fixed variables (EASYRSA_TEMP_FILE_*)
can result in errors, like the one in build_ca that reused EASYRSA_TEMP_FILE_3.
A temporary directory simplifies the cleanup.
A configurable directory for temp files (var EASYRSA_TEMP_DIR) also
allows the user to define a different temporary directory. This is
important for devices using flash disks that have a limited number of
writes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
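The per-run temporary directory described in the commit above, as an added example in POSIX shell that is not easy-rsa's own code: one scratch directory created with mktemp -d under a user-chosen parent, removed by an EXIT trap however the run ends, so no fixed EASYRSA_TEMP_FILE_N names need tracking. It assumes EASYRSA_TEMP_DIR names the parent directory (falling back to TMPDIR, then /tmp); the function names and the two sample file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code: one private scratch directory
# per run instead of fixed EASYRSA_TEMP_FILE_* names, honouring a
# user-set EASYRSA_TEMP_DIR and removed on exit by a trap.

# Create the run's scratch directory under EASYRSA_TEMP_DIR (assumption:
# that variable names the parent directory), else TMPDIR, else /tmp.
# Prints the directory path; returns 1 if it cannot be created.
easyrsa_mktemp_dir() {
    parent=${EASYRSA_TEMP_DIR:-${TMPDIR:-/tmp}}
    if [ ! -d "$parent" ] || [ ! -w "$parent" ]; then
        echo "ERROR: temp parent directory not writable: $parent" >&2
        return 1
    fi
    # mktemp -d creates the directory with mode 0700 and a random name, so
    # another local user cannot pre-create or symlink the files inside it,
    # which a fixed, predictable temp file name would allow.
    run_dir=$(mktemp -d "$parent/easyrsa-XXXXXXXX") || return 1
    printf '%s\n' "$run_dir"
}

# Remove the scratch directory; safe to call twice. Always returns 0.
cleanup_temp_dir() {
    if [ -n "$1" ] && [ -d "$1" ]; then
        rm -rf "$1"
    fi
    return 0
}

# Path helper: every temp file of the run lives under the one directory,
# so nothing has to track EASYRSA_TEMP_FILE_1, _2, _3 separately and a
# second caller cannot accidentally reuse another's file.
temp_file() {
    printf '%s/%s\n' "$EASYRSA_RUN_TMP" "$1"
}

# Usage: create once; the EXIT trap cleans up on normal exit or error.
EASYRSA_RUN_TMP=$(easyrsa_mktemp_dir) || exit 1
trap 'cleanup_temp_dir "$EASYRSA_RUN_TMP"' EXIT
: >"$(temp_file req.cnf)"
: >"$(temp_file ca.cnf)"
echo "scratch dir: $EASYRSA_RUN_TMP ($(ls "$EASYRSA_RUN_TMP" | wc -l) files)"
```

Pointing EASYRSA_TEMP_DIR at a RAM-backed filesystem is what keeps the scratch writes off a flash disk; the function refuses to proceed rather than silently falling back when that directory is missing or not writable.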
This clarifies the use of the file as specific to EasyRSA while also
closing the loop on the openssl version chase. No reason to have a
configuration file that is specific to openssl version at this point.
If the need arises, we'll do so in a sane fashion.
Resolves #159
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
The --batch CLI arg now takes no options and enables batch-mode when
present.
init-pki no longer takes a 'force' value which did the same as --batch.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Add documentation & help output; add quoting; add error messages; put
the ecparams dir under PKI dir with env-var tunable.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>