Note: --req-cn can only be used when building a CA/subCA.
When building all other certificates, --req-cn is not honoured.
Reported-in: #659
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Processing vars at init-pki was intentionally kept to a minimum, due to
complications with user expectations versus Easy-RSA preferences.
This overhaul aims to finalise Easy-RSA interference with vars.
1. Prefer that vars is in the PKI but only force that at init-pki,
when no other vars files can be found. Otherwise, do not create a
template vars and leave it to the user, with appropriate messages.
2. Fail all commands, except init-pki, if more than one vars exists.
3. Take special care of 'init-pki soft'.
4. For existing PKIs, be aware that vars may NOT exist.
This patch is less complicated than it appears to be.
Most of the changes are either comments or user messages.
There are some new state flags to manage the location of vars,
which are used to decide when a new vars is created and control
user messages.
Closes: #651
New message for "Using x509-types directory: $EASYRSA_EXT_DIR"
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Since the introduction of the 'escape_hazard()' function, all characters
except (`) backtick are supported.
This patch brings vars.example in line with the warning in easyrsa and
also only warns about backtick.
It is possible that curly brace '{}' may also cause OpenSSL to behave
strangely. However, the strange behaviour, which I previously observed,
may have been rectified by OpenSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Add warning for new password status, prior to renewal.
Add reminder to replace certificate AND key files, after renewal.
Correct input check for option 'nopass'
Closes: m#644
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Previously, testing vars for unsupported characters was only done if
vars was in the PKI. This test can now be done for all vars files.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

The 3 definitions of $prog_dir:
- foo -> prog_dir=/search/path ## Not $PWD
- ./foo -> prog_dir=. ## $PWD
- /full/path/foo -> prog_dir=/full/path ## Could be $PWD
'/full/path' was previously missing from the check.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Since relaxing the rules concerning the location of the vars file,
commit f4a604438d3ce5fe67a1f4db956dc42fc4ae5588, it is no longer
necessary to prohibit the use of --vars=file with 'init-pki'.
This initial prohibition was only a temporary measure and has
proven to be of no value.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

'shift 2' was moved above the parameter check in previous commit:
1d227736e404b805e84b8949aa238a240c4ad5eb
Move it back to after the check and reword user output for clarity.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

If verify_ca_init fails then the error message states that: 'serial
is missing'. While this is true, it is not 'user friendly'.
Reorder the checks so that if verify_ca_init fails then the error
message will "probably" state that: 'ca.crt is missing', which makes
more sense if the CA has not been initialised.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

The command 'sign-req COMMON client1 nopass' would generate an invalid
certificate. Do not allow COMMON as a $cert_type.
Also, improve comment and user output for existing certificate check.
Closes: #634
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

If a user breaks out [Ctrl-C] from generating a DH parameters file
then there is an empty dh.pem file left over.
Output the DH parameters to a temp-file and move it upon validation
and completion.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
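The temp-file-then-rename approach this commit describes, as an added example that is not Easy-RSA's own code: the generator writes to a temp file beside the target, a validator must accept that file, and only then is it renamed into place, so an interrupted or failed run never leaves an empty or truncated dh.pem. The function names are assumptions; the PEM-header validator and the two producers are constructed stand-ins so the block runs without openssl (the real check would be `openssl dhparam -check -noout -in FILE`, and the real producer `openssl dhparam 2048`, which prints PEM to stdout).

```shell
#!/bin/sh
# Added example (not Easy-RSA's own code): generate to a temp file,
# validate, then rename into place. Names below are assumptions.

# gen_to_tmp OUT VALIDATOR CMD [ARG...]
#   CMD writes its output to stdout; VALIDATOR is given the temp path and
#   must succeed for the rename to happen. Returns 0 on success, 1 otherwise.
#   On failure (or Ctrl-C) the temp file is removed and OUT is untouched.
gen_to_tmp() {
    out="$1"; validator="$2"; shift 2
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    # Interrupted mid-generation: drop the partial temp file, never OUT.
    trap 'rm -f "$tmp"; exit 130' INT TERM HUP
    if "$@" > "$tmp" && "$validator" "$tmp"; then
        mv -f "$tmp" "$out"; rc=$?
    else
        rm -f "$tmp"; rc=1
    fi
    trap - INT TERM HUP
    return "$rc"
}

# Constructed stand-in validator: the file must carry the PEM DH header and
# footer. The real validation would be: openssl dhparam -check -noout -in FILE
looks_like_dh_pem() {
    grep -q '^-----BEGIN DH PARAMETERS-----$' "$1" &&
    grep -q '^-----END DH PARAMETERS-----$' "$1"
}

# Constructed producer standing in for 'openssl dhparam 2048': emits a
# PEM-shaped block (placeholder body, not real DH parameters).
emit_fake_dh_pem() {
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' \
                  'MIIBCAKCAQEA...placeholder...' \
                  '-----END DH PARAMETERS-----'
}

# Constructed producer that writes part of the output and then fails,
# the way an interrupted generation would.
emit_partial_then_fail() {
    printf '%s\n' '-----BEGIN DH PARAMETERS-----'
    return 130
}

# Usage with the real tool (slow; run it yourself, not in the test):
#   gen_to_tmp pki/dh.pem looks_like_dh_pem openssl dhparam 2048
```

The validator runs before the rename, so a producer that exits successfully but writes garbage is treated the same as one that dies half-way: nothing reaches the target path, and the only file that can ever exist there is one that passed the check.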
Prefer /usr/local/share over /usr/share
and move /etc/easy-rsa to last place.
Tidy up a 'case', no functional change.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
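As an added example (constructed here, not Easy-RSA's own code), the following POSIX shell models the policies in the commits above: the three forms of $prog_dir, the preference for a vars in the PKI with a fail-closed rule when more than one vars exists (init-pki excepted), the shared-directory order with /etc/easy-rsa last, and the backtick check from the 'unsupported characters' commits, applied to whichever vars file wins rather than only the PKI copy. The function names, the exact search order, the status code 2 for "no vars found", and the sample vars contents are assumptions.

```shell
#!/bin/sh
# Added example, not Easy-RSA's own code: vars-file resolution with a
# fail-closed rule on ambiguity, plus the pre-source backtick check.
# Search order, function names and the "no vars" status 2 are assumptions.

# prog_dir_of ARGV0
#   The three forms of $0 and the resulting prog dir:
#     foo            -> directory found via $PATH search (not $PWD)
#     ./foo          -> .
#     /full/path/foo -> /full/path
prog_dir_of() {
    case "$1" in
        */*) dirname "$1" ;;
        *)   dirname "$(command -v "$1")" ;;   # prints "." if not on $PATH
    esac
}

# list_vars_candidates DIR...
#   Prints "DIR/vars" for every DIR that holds one, in the order given.
#   Callers pass the PKI dir first, then the prog dir, then the shared dirs
#   (assumed order: /usr/local/share before /usr/share, /etc/easy-rsa last).
list_vars_candidates() {
    for d in "$@"; do
        [ -f "$d/vars" ] && printf '%s\n' "$d/vars"
    done
    return 0
}

# select_vars COMMAND DIR...
#   Prints the vars to use. Status 2: no vars anywhere (caller decides).
#   Status 1: more than one vars exists and COMMAND is not init-pki;
#   init-pki alone may proceed and takes the first (preferred) one.
select_vars() {
    cmd="$1"; shift
    found=$(list_vars_candidates "$@")
    [ -n "$found" ] || return 2
    n=$(printf '%s\n' "$found" | grep -c .)
    if [ "$n" -gt 1 ] && [ "$cmd" != init-pki ]; then
        printf 'Error: more than one vars file found:\n%s\n' "$found" >&2
        return 1
    fi
    printf '%s\n' "$found" | head -n 1
}

# check_vars_hazard VARS
#   vars is sourced by the shell, so a backtick in it would run as a command
#   substitution. Refuse the file (from any location, not only the PKI copy)
#   before it is sourced; offending lines go to stderr with line numbers.
check_vars_hazard() {
    [ -r "$1" ] || return 1
    if grep -n '`' "$1" >&2; then
        printf 'Error: unsupported character (backtick) in %s\n' "$1" >&2
        return 1
    fi
    return 0
}

# load_vars COMMAND DIR...
#   Assumed caller showing the whole flow: resolve, check, then source.
load_vars() {
    vars=$(select_vars "$@") || return $?
    check_vars_hazard "$vars" || return 1
    . "$vars"
}
```

Because vars is sourced rather than parsed, the two checks together decide what code the shell executes: the selection step refuses to guess when two vars files compete, and the hazard check runs on the chosen file before the dot-command ever sees it.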
The utility script 'make-cadir' creates a CA directory with a vars file.
This vars file conflicts with the preferred PKI-vars file.
This patch changes 'init-pki' to allow the make-cadir vars file to override
the preferred PKI-vars file, without error.
Closes: #633
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>