Add a *final* layer of granularity to X509 Distinguished Name.

Only used if --req-serial="<PRINTABLE>user data" is specified.

To minimize the noise to the user by this new field, change the way
that OpenSSL is called to build a CA: Always use '-batch' mode.

User visible change when building a CA:
* Instead of being prompted for each individual DN field, now the
  user is presented with a read-out of how the fields are currently
  set. There is now only a single confirmation that all fields are
  correct.
* If '--req-serial' is not used then 'serialNumber' is not displayed.

PRINTABLE: a-z,A-Z,0-9, -+/=.,?:()

Closes: OpenVPN#462 - The original proposal and prototype code.
Closes: OpenVPN#598 - Supersedes: Introduce 1.organizationalUnitName
Closes: OpenVPN#600 - Bugfix: Remove unused 'name' definition from SSL conf.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

To sign a request, easyrsa uses 'openssl ca', which does support -extfile.
To create a CA, easyrsa uses 'openssl req', which does not support -extfile.

Therefore, the x509-types 'ca' and COMMON files cannot be specified using
-extfile to create a CA. Instead, they must be included within the SSL
config file, which 'openssl req' does support.

Using the same awk script from gen_req(), with New Token '#%X509_TYPES%',
the x509-types files 'ca' and COMMON are inserted into the SSL config file.

Closes: #525

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
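
The token substitution described in the commit message above, as an added shell example that is not EasyRSA's own awk script: it replaces the '#%X509_TYPES%' line of a config with the contents of the x509-types files and writes nothing when the token is absent, since that config would silently lack the CA extensions. The function name `expand_x509_token`, the sample file contents and the temporary paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not EasyRSA's awk script. Names and file contents are constructed.
TOKEN='#%X509_TYPES%'

# expand_x509_token CONF OUT EXTFILE...
# Copy CONF to OUT, replacing each line equal to $TOKEN with the contents of
# EXTFILE... in the order given. OUT is only created when the token was found.
expand_x509_token() {
    conf=$1 out=$2
    shift 2
    [ "$#" -gt 0 ] || { echo "no x509-types files given" >&2; return 2; }
    for f in "$conf" "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    tmp="$out.tmp.$$"
    # 'mode=...' operands are awk variable assignments applied between files.
    if awk -v token="$TOKEN" '
        mode == "ext" { ext = ext $0 "\n"; next }   # buffer extension lines
        $0 == token   { printf "%s", ext; found = 1; next }
        { print }                                    # pass other lines through
        END { exit(found ? 0 : 3) }
    ' mode=ext "$@" mode=conf "$conf" > "$tmp"; then
        mv "$tmp" "$out"
    else
        rc=$?
        rm -f "$tmp"
        echo "awk failed or $TOKEN not found in $conf" >&2
        return "$rc"
    fi
}

# Demo on constructed files (sample contents, not EasyRSA's shipped files).
demo=$(mktemp -d)
printf '%s\n' '[ easyrsa_ca ]' "$TOKEN" > "$demo/ssl.cnf"
printf '%s\n' 'basicConstraints = CA:TRUE' 'keyUsage = cRLSign, keyCertSign' > "$demo/ca"
printf '%s\n' '# COMMON: constructed placeholder' > "$demo/COMMON"
expand_x509_token "$demo/ssl.cnf" "$demo/merged.cnf" "$demo/ca" "$demo/COMMON" &&
    cat "$demo/merged.cnf"
rm -rf "$demo"
```

Because the extension files are passed to awk as operands, a relative file name of the form `name=value` would be read as an assignment; absolute paths avoid that.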

This clarifies the use of the file as specific to EasyRSA while also
closing the loop on the openssl version chase. No reason to have a
configuration file that is specific to openssl version at this point.
If the need arises, we'll do so in a sane fashion.

Resolves #159

Signed-off-by: Eric F Crist <ecrist@secure-computing.net>